Energy companies face costly upgrades to secure electric grid

Energy companies face costly upgrades to secure electric grid
Energy companies face costly upgrades to secure electric grid 

By Ellen Messmer
Network World

In an effort to improve security in the nations electric power grid, the 
Washington-based Federal Energy Regulatory Commission is poised to issue 
new rules to compel energy companies to use practices such as patch 
management and strong authentication to secure their industrial control 
systems against attackers, sabotage and unauthorized use.

If FERC at its Dec. 20 meeting approves the so-called Critical 
Infrastructure Protection (CIP) standards for physical and cybersecurity 
of the electric power grid, it will flip the switch on a regulatory 
regime where electric-power companies have to ensure the most critical 
parts of their system control and data-acquisition (SCADA) systems meet 
security requirements more associated with corporate computer best 

But because many SCADA systems in place today to control the bulk-power 
grid may not be readily adapted for cybersecurity protection, IT 
managers at energy companies say they face the prospect of a wholesale 
replacement of their SCADA systems to meet regulatory goals.

There are SCADA systems out there for forty or fifty years and theyre 
running fine, says Patrick Miller, chair of the electric-utility user 
group called Energy Security Northwest, whose membership hails from 20 
utilities. The energy companies across the country, he says, expect the 
upcoming FERC decision to influence whether they will need to wholly 
replace SCADA systems to meet new security regulations.

Some energy companies say it seems unavoidable. The almost 20-year-old 
control systems made by Televant Farradyne used by the Eugene Water & 
Electric Board in Oregon to throw switches and move power are going to 
be phased out, though replacements havent been selected yet, says senior 
security specialist Mark Ellister. This is ancient technology, you cant 
patch this, says Ellister.

Power struggles

To add to the anxiety, even as FERC prepares to establish new security 
rules for the electric power industry as it must under a Congressional 
law passed in 2005, its unclear whether the commission will adopt 
outright the eight CIP standards that were proposed last year by the 
organization called the North American Electric Reliability Corp. 
(NERC). FERC chose NERC to do the job of submitting standards and later 
start auditing for them and looking for possible violations, which could 
mean steep fines, over the next few years.

Joseph McClelland, director of the newly formed Office of Electric 
Reliability at FERC, recently told Congress it may ask NERC to tighten 
the proposed standards, which as now written allow for some laxness in 
following them, especially if theyre not technically feasible for legacy 
equipment which cant be upgraded to meet cybersecurity requirements.

If this equipment is left vulnerable, it could be the focal point of 
efforts to disrupt the grid, McClelland told Congress in October.

In addition, the National Institute of Standards and Technology (NIST) 
is arguing that it should be the one setting the standards. NIST has 
clear authority to set security standards for both the business and 
SCADA systems in federally operated electric utilities such as the 
Tennessee Valley Authority and Bonneville Power Authority, notes Stuart 
Katzke, senior research scientist at NIST.

The federal ones have to meet the NIST standards guidelines, says 
Katzke. They also have to meet FERCs regulations, whatever they will be.

NIST wants FERC to approve NIST security guidelines for industrial 
controls, which are out for comment until mid-December. NIST says its 
proposed standards are tougher and better than the ones proposed by 

Where is SCADA security?

Caught in the middle of this power struggle, the industrys IT managers 
say that many SCADA systems in use today, whether based on Windows, Unix 
or older proprietary operating systems, simply arent designed to 
accommodate processes like patch management in the round-the-clock 
operations of managing the nations power grid.

Plus giant SCADA systems traditionally arent just swapped out. With 
SCADA, you do it with very small pieces over a very long period of time, 
Miller says. It runs the power grid.

Miller says the older workhorse systems and even new equipment seldom 
meet the high expectations of the eight CIP standards under review by 
FERC, which may take a hard line in not allowing exceptions.

Miller adds hes seen scant evidence that SCADA manufacturers, other than 
Schweitzer Engineering Laboratories, are seeking to adapt to the new 
security requirements.

The American Public Power Association (APPA), the Washington-based trade 
association representing 2,000 publicly operated utilities, supports the 
security standards effort but hopes FERC will allow a technical 
feasibility exception for older equipment in substations and generating 
plants which is incompatible with certain cyber-security measures, 
including software updates and patches.

Utilities should be able to take advantage of the useful life of 
existing equipment from a reliability standpoint, APPA said in its 
official comments to FERC. APPA also noted there are risks with using 
vendor patches as well as using software with a known flaw.

Even NERC, whose executive vice president, David Wheatley, testified 
before Congress in October, expressed worry that promulgating standards 
for the bulk power system that draw too closely on the standards 
appropriate for secured business systems could result in a less reliable 
bulk-power system, either because of decreased operations or decreased 

Wheatleys testimony cited as examples how use of password-protected 
screen savers could block visibility of real-time operations that have 
to be constantly observed, or mistyped passwords could lock out access 
to operations controls. NERC declined to discuss this but said the 
Congressional testimony reflects its current views.

Allen Mosher, APPAs senior director of policy analysis, said the 
security standards process is likely to be one that gets updated every 
three years or so, and the NIST proposals might get adopted over time. 
Whatever the outcome of the FERC security standard rule-making, there 
will be a lot at stake as NERC starts to do audits over the next two 
years or so and reports any security violations and noncompliance to 

Fines could be up to $1 million per day per violation, Mosher concluded.

All contents copyright 1995-2007 Network World, Inc.

Visit InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods