The Tech Herald

Compliance will not protect U.S. electrical and smart grids

by Steve Ragan - Aug 6 2009, 16:15

LogLogic, a log, compliance, and security management solutions vendor, recently surveyed information security professionals from America’s energy and utilities companies, both large and small, and found that all of those surveyed agree compliance with NERC standards alone is not enough when it comes to infrastructure protection.

Recent studies, LogLogic says in its report on the survey results, show that the energy sector is deemed the most vulnerable aspect of critical infrastructure in the United States. Adding to this is a report from the CIA, which confirms that, “cyberattacks have been used to disrupt power equipment in several regions inside the United States.”

“Ever since cyberspies hacked the U.S. electrical grid earlier this year, businesses have become increasingly aware that a security breach at an energy company that results in a major blackout has the potential to wreak havoc,” said Pat Sueltz, CEO of LogLogic.

During the LogLogic survey, two-thirds of those polled said they field more than 75 serious security vulnerabilities each week, with half resolving more than 150 attacks per week.

In May 2009, the North American Electric Reliability Corporation (NERC) approved eight revised cybersecurity standards for the North American bulk power system.

The NERC cybersecurity standards comprise 40 “good housekeeping requirements.” Organizations violating any of these standards can be fined up to $1 million USD per day, per violation. Nationwide NERC audits started July 1, 2009.

However, while the NERC checklist of requirements is all well and good, not a single person questioned by LogLogic agreed that following the NERC requirements equaled complete security.

When asked about challenges associated with the NERC standards, one respondent told LogLogic that:

“NERC doesn’t clearly outline the definition of roles and responsibilities, [or] what cyber security actually is. You ask 10 different people, you’ll get 15 definitions. Who owns it? What’s going on? There is still confusion around this, and we’re still managing through that.”

The challenges associated with NERC standards are exactly why many in the energy sector look beyond NERC when it comes to infrastructure protections. One manager of information security at a major natural gas and electric facility in the U.S. told LogLogic, “NERC is just one part of a larger security process here.”

So what are they using aside from NERC?

According to the report, all of those surveyed are using SOX (Sarbanes-Oxley), and 17 percent measure themselves against the National Institute of Standards and Technology (NIST).

Now, while LogLogic only talked to a small sample of IT administrators and managers in the energy sector, and those few do seem to understand security concepts, there is still a long way to go.

Earlier this year, The Wall Street Journal broke a story reporting that the U.S. electrical grid was the apparent victim of an attack by foreign “cyberspies”. According to the story, the alleged cyberspies came from China, Russia, and other countries. Both current and former national security officials have confirmed the attacks and the presence of related tools left behind on compromised systems.

The technological advances to the energy infrastructure currently in use are seen as a positive instead of a negative. This, say the energy companies promoting the advances (including “smart grid” systems), is because security can be added to the new connected systems from the start, instantly securing them.

On the opposite side of that point, those advances come in spurts, and the patchwork grid in use today is a mix of old and new systems; this mix is itself insecure and leads to vulnerability. A good example of research into smart grid systems comes from Mike Davis, a senior security consultant with Seattle-based IOActive.

During Black Hat, Davis demonstrated how a worm could use smart grid connectivity to hop between meters placed on homes or businesses, resulting in power disconnects and other nefarious effects. Davis compared the security used in some of the products enabling smart-grid connections to the security seen in personal computers of the 1980s and 1990s.

What is interesting about the LogLogic study is not the data that points to how the energy sector is using log management, it’s that everyone who was surveyed understood that security and compliance are far from equal. Just because you can follow a security checklist, performing each function and task on said list, doesn’t mean that you are secure.

The full report on the survey results is available from LogLogic.
