MIT researchers have released a report titled The Future of the Electric Grid which examines the current state of the nation's electric power infrastructure and the challenges faced by the industry as it evolves over the next two decades.
Of particular concern is the ability to protect these critical resources as they are converted to "smart" networks with greater reliance on modern two-way information systems.
As the majority of nation's power provider authorities operate essentially as individual fiefdoms, one of the major challenges identified in the study is the integration of a smorgasbord of systems and technology to produce one unified national energy delivery system, and to avoid creating vulnerabilities in the process.
"From a cybersecurity perspective, interfacing so many different hardware and software components introduces vulnerabilities—especially when new and legacy hardware and software need to operate together... Perfect protection from cyber attacks is not possible. There will be a successful attack at some point," the MIT report concludes.
Though the individual utilities are governed by the Department of Energy (DoE), the study indicates that there is a lack of a clearly designated entity to address cyber security in the emerging smart grid system which creates a leadership gap that may amplify potential weaknesses in the network.
"Lack of a single operational entity with responsibility for grid cybersecurity preparedness as well as response and recovery creates a security vulnerability in a highly interconnected electric power system," the report states.
The report also notes that even with the most diligent of planning, the evolution of the smart grid will more than likely present vulnerabilities that can not be anticipated ahead of time - vulnerabilities we may not uncover until after they have been exploited by an attacker.
"The highly interconnected grid communications networks of the future will have vulnerabilities that may not be present in today’s grid. Millions of new communicating electronic devices, from automated meters to synchrophasors, will introduce attack vectors— paths that attackers can use to gain access to computer systems or other communicating equipment—that increase the risk of intentional and accidental communications disruptions," MIT researchers stated.
The MIT study echos a September report prepared by the Idaho National Laboratory (INL) for the Department of Energy which examined security issues for the nation's next generation electrical grid.
The report, titled Vulnerability Analysis of Energy Delivery Control Systems, underscores the need to design and implement these new energy delivery systems with security as a top priority regardless of budgetary concerns.
"Cybersecurity for energy delivery systems has emerged as one of the Nation’s most serious grid modernization and infrastructure protection issues. Cyber adversaries are becoming increasingly targeted, sophisticated, and better financed... The energy sector must research, develop and deploy new cybersecurity capabilities faster than the adversary can launch new attack tools and techniques," the report states.
While the notion that administrators will be able to deploy mitigation strategies faster than attackers can exploit them may seem somewhat optimistic - if not naive - the potential consequences of successful exploit could be devastating to the system as a whole, and the report points to the Stuxnet virus attacks in Iran as prime example.
The Stuxnet virus is a highly sophisticated designer-virus that wreaks havoc with SCADA systems which provide operations control for critical infrastructure and production networks.
"The Stuxnet worm—designed to attack a specific control system similar to those found in some energy sector applications—underscores the seriousness of targeted cyber attacks on energy control systems," the INL report notes.
The INL report also examines in great detail a myriad of vulnerabilities identified in security audits over the last seven years, noting that each of the top ten risks have been discovered in multiple systems with a wide range of deployed equipment and software configurations, many of which are attributed to the lack of secure coding practices.
"Vulnerabilities caused by less secure coding practices can be found in new and old products alike, and the introduction of Web applications into SCADA systems has created more, as well as new, types of vulnerabilities. The 10 most significant cybersecurity risks identified during NSTB software and production SCADA assessments are:"
- Unpatched published known vulnerabilities
- Web Human-Machine Interface (HMI) vulnerabilities
- Use of vulnerable remote display protocols
- Improper access control (authorization)
- Improper authentication
- Buffer overflows in SCADA services
- SCADA data and command message manipulation and injection
- SQL injection
- Use of standard IT protocols with clear-text authentication
- Unprotected transport of application credentials
Given the evidence presented, one has to wonder whether the rush to implement a smart grid system on a national level in the face of limited resources for expenditure is only inviting serious and even catastrophic events down the line.
The consensus is and always has been that there is not absolute security, and we must ask ourselves how big our risk appetite is in regards to the potential for major disruptions to commerce, communications, and national security - especially in light of the less than optimistic appraisals presented by the researchers who produced both of these studies.
"With rapidly expanding connectivity and rapidly evolving threats, making the grid invulnerable to cyber events is impossible, and improving resilience to attacks and reducing the impact of attacks are important. As a joint NERC–DOE report notes, 'It is impossible to fully protect the system from every threat or threat actor. Sound management of these and all risks to the sector must take a holistic approach, with specific focus on determining the appropriate balance of resilience, restoration, and protection'," the MIT report noted.