Experts say the power grid remains vulnerable, though progress has been made.

When utilities talk about securing their IT networks and control systems, they might want to stop first to think about how to sanitize the systems that are already infected.

“When we are engaged to investigate the IT security of utility companies, we typically find that 3 to 5 percent of systems are already compromised,” says Brad Bauch, energy and utilities and power generation principal at advisory firm PricewaterhouseCoopers LLP.

“There is a lot of talk about how to secure power generation and distribution organizations,” adds Christopher Poulin, chief security officer at IT security vendor Q1 Labs. “The reality is many of these networks are already infected. A smart attacker isn’t going to vandalize or cause a scene on the network; they’ll lay low.”

Many of the signs of compromise at utility companies look just like those on breached corporate networks: files are altered, there are suspicious outbound transmissions, and log entries reveal unauthorized application use. However, when it comes to the security of the power grid, the dangers go beyond civilian and business power availability.

“The Department of Defense relies on commercial electric power for nearly 99 percent of its power needs at military installations,” said Paul Stockton, assistant secretary of defense for Homeland Defense and Americas’ Security Affairs, Department of Defense, at a recent Energy and Commerce Committee hearing. “On-site back-up diesel generators are often used to support installation and facility continuity during short-term outages, but these generators are typically not designed to operate for extended periods. The average diesel generator and on-site fuel reserves are designed to sustain basic installation functions and critical missions for 3-7 days using fuel stored on-site.”

The Energy and Commerce Committee hearing was held to discuss the so-called “Grid Reliability and Infrastructure Defense Act,” or “GRID Act.” The act would give the President the authority to order rapid emergency measures to ensure the reliability of the bulk-power system in the event of a natural disaster or cyber-attack. A discussion draft of the bill is available here.

To minimize the chances of a crippling cyberattack, the power industry has been taking steps to bolster its security, says Bauch. “We’re seeing more focus in the industry on cyber security. They’re hiring more CISOs,” he says. “Just a couple of years ago that was quite rare.”

They’re also adopting more stringent security policies, he says. “They’re segmenting connections to their business networks, and they’re conducting a lot more vulnerability assessments and doing things beyond what is required by regulations,” Bauch says. “They’re moving toward a more secured state,” he adds.

The concern among experts isn’t a one-off cyber attack against the power grid, as Gerry Cauley, president and chief executive officer of the North American Electric Reliability Corporation, testified before the House committee: “I am most concerned about coordinated physical and cyber attacks intended to disable elements of the power grid or deny electricity to specific targets, such as government or business centers, military installations, or other infrastructures. These threats differ from conventional risks in that they result from intentional actions by adversaries and are not simply random failures or acts of nature,” he says.

Poulin agrees. “That’s the big fear. That a successful attack on the power grid comes simultaneously as part of some other aggressive action,” he says.
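The three indicator classes named earlier (altered files, suspicious outbound transmissions, unauthorized application use) are what an investigator actually hunts for when checking whether a control network is one of the already-compromised ones. The script below is an added example, not code from the article or from any of the firms quoted in it: it runs those three checks over a handful of constructed, syslog-style lines and a constructed file baseline. The host names, address ranges, allowlists and log field layout are assumptions for illustration, not a real utility's environment.

```python
"""
Triage of three indicator-of-compromise classes over constructed sample data:
altered files (hash vs. baseline), outbound connections from the control
network to unexpected destinations, and execution of non-allowlisted binaries.
All hosts, addresses, paths and log lines below are constructed for the example.
"""
import hashlib
import ipaddress
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind host detail")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: known-good hashes recorded before the investigation.
BASELINE = {
    "/opt/scada/bin/poller": sha256(b"poller v2.1 release build"),
    "/etc/scada/points.cfg": sha256(b"RTU1=10.10.5.11\nRTU2=10.10.5.12\n"),
}

# Constructed "current" contents; the points file has gained an extra entry.
CURRENT_FILES = {
    "/opt/scada/bin/poller": b"poller v2.1 release build",
    "/etc/scada/points.cfg": b"RTU1=10.10.5.11\nRTU2=10.10.5.12\nRTU9=198.51.100.7\n",
}

# Assumed control-network range and the only external destination permitted
# (e.g. a vendor patch mirror). Everything else leaving the range is suspect.
CONTROL_NET = ipaddress.ip_network("10.10.0.0/16")
ALLOWED_EXTERNAL = {"203.0.113.10"}

# Assumed per-host executable allowlist.
ALLOWED_EXEC = {
    "hmi-01": {"/opt/scada/bin/hmi", "/usr/bin/ssh"},
    "historian-01": {"/opt/scada/bin/historian", "/usr/bin/rsync"},
}

# Constructed log lines: "<host> <source> key=value ...".
SAMPLE_LOGS = [
    "hmi-01 conntrack src=10.10.2.5 dst=10.10.5.11 dport=502",
    "historian-01 conntrack src=10.10.3.7 dst=203.0.113.10 dport=443",
    "historian-01 conntrack src=10.10.3.7 dst=198.51.100.7 dport=4444",
    "hmi-01 execve uid=1001 exe=/opt/scada/bin/hmi",
    "hmi-01 execve uid=1001 exe=/tmp/.x/nc",
    "historian-01 execve uid=0 exe=/usr/bin/rsync",
]

CONN_RE = re.compile(r"^(\S+) conntrack src=(\S+) dst=(\S+) dport=(\d+)$")
EXEC_RE = re.compile(r"^(\S+) execve uid=(\d+) exe=(\S+)$")


def altered_files(baseline, current):
    """Flag baseline files whose current hash differs or which are missing."""
    out = []
    for path, good in baseline.items():
        data = current.get(path)
        if data is None:
            out.append(Finding("file_missing", "-", path))
        elif sha256(data) != good:
            out.append(Finding("file_altered", "-", path))
    return out


def suspicious_outbound(lines, control_net, allowed_external):
    """Flag flows from the control range to any non-allowlisted outside address."""
    out = []
    for line in lines:
        m = CONN_RE.match(line)
        if not m:
            continue
        host, src, dst, dport = m.groups()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in control_net and dst_ip not in control_net and dst not in allowed_external:
            out.append(Finding("outbound", host, f"{src}->{dst}:{dport}"))
    return out


def unauthorized_exec(lines, allowed_exec):
    """Flag execve events for binaries not on the host's allowlist."""
    out = []
    for line in lines:
        m = EXEC_RE.match(line)
        if not m:
            continue
        host, uid, exe = m.groups()
        if exe not in allowed_exec.get(host, set()):
            out.append(Finding("unauthorized_exec", host, f"uid={uid} exe={exe}"))
    return out


def triage(lines=SAMPLE_LOGS, baseline=BASELINE, current=CURRENT_FILES):
    """Run all three checks and group findings by host for remediation ordering."""
    findings = (altered_files(baseline, current)
                + suspicious_outbound(lines, CONTROL_NET, ALLOWED_EXTERNAL)
                + unauthorized_exec(lines, ALLOWED_EXEC))
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    return findings, by_host


if __name__ == "__main__":
    for f in triage()[0]:
        print(f"{f.kind:18} {f.host:14} {f.detail}")
```

On the sample data the three checks each return one hit, and the hits corroborate each other: the altered points file introduces an address outside the control range, and the historian is then seen connecting to that same address on a non-protocol port. An attacker who "lays low" rarely trips a single loud alarm; it is this kind of cross-indicator correlation, with an allowlist and a hash baseline established before the incident, that separates a quiet foothold from background noise.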