Security through obscurity: an electricity grid hiding in plain sight
An exercise will soon be underway to see how ready the North American electricity industry is to respond to a “major security incident.” A physical attack on hard-to-replace components could result in a widespread, sustained electrical blackout, interrupting water, gasoline and food supplies, experts say. Even a cyber attack could lead to sustained component damage, if, for example, a hijacked SCADA system was told to do what it oughtn’t.
Given the distributed nature of the electric grid, the vulnerabilities are many, accountability difficult and authority murky. There are more than 1,900 bulk-power system owners and operators, says NERC, the North American Electric Reliability Corp., a not-for-profit entity whose mission is to ensure bulk-power reliability.
Two planning conferences have already taken place for GridEx II, the grid-security exercise NERC will run in November. The GridEx II hybrid operational and discussion exercise format will combine a geographically distributed operator environment and a tabletop exercise for executive leadership. For one and a half days, players will receive sequenced email messages detailing plausible scenarios. For example, a substation break-in turns out not to be for the purpose of stealing copper. Instead, the intruder uploads a virus onto the network from a USB drive.
Players will engage in both internal response measures and external information-sharing activities. A control cell in Washington, D.C., will coordinate.
Organizations can be “full players” or “monitor/respond players” engaged in a more passive, less resource-intensive manner. The original goal was a total of 100 participants drawn from utilities, regional entities and others, but registration is already near 150. The deadline for registration is Nov. 1, with the exercise conducted on the 13th and 14th. There will not be in-depth technical discussions on firewall settings or other sensitive information.
A recent article in the New York Times says the U.S. electricity grid is mostly controlled by investor-owned companies or municipal or regional agencies. The Edison Electric Institute, the trade association of investor-owned utilities, told the newspaper that it has the expertise to run 5,800 major power plants and 450,000 miles of high-voltage transmission lines.
The article further points out that many utilities use such “antique computer protocols” that they are safe from hacking. This is called “security through obscurity.” Others, it goes on to say, rely on Windows-based control systems common to many industries, and these are of continuing concern. There’s an irony here: for all its benefits, you would have to say that Microsoft’s success on industrial plant floors has been a mixed blessing.