Information Survivability in the Electric Utility Industry
John Hale, Anjan Bose
School of Electrical Engineering and Computer Science
Washington State University, Pullman, Washington 99164
{hale,bose}@eecs.wsu.edu
Abstract
The electric utility industry faces unique information survivability challenges in the face of deregulation and increased reliance on computer networking. Disgruntled employees and subverted SCADA software pose the biggest threats to electric companies. The fragmentation of the industry into cooperative but independent units makes resistance, recognition and reaction to threats more difficult. This paper calls for employee awareness programs, trusted software development methodologies, and federated information survival policy management to address these challenges.
Introduction
Electric utility companies regard information survivability as critical to ensuring the continued delivery of electric power to the nation [2]. Physical and computer attacks and accidents can cause brownouts and blackouts over large (and heavily populated) areas. The Western power grid failed twice in the summer of 1996 due to a freak accident that created a spectacular domino effect. Increased reliance upon computer networks adds a new dimension of vulnerability to electric companies.
The electric utility industry is a collaborative enterprise consisting of generators, distribution centers, transmission centers and control centers [4]. Electric companies broker power and share information amongst themselves. Control center computers communicate with computers at substations and transmission centers. Deregulation is breaking the industry into even smaller independent units, driving the need for increased networking.
Electric companies (at least on the service side) are relatively resistant to external network attacks. Control center computers are not connected directly to the Internet; remote access usually implies a dedicated line or a modem callback mechanism. However, these computers rely heavily on SCADA software designed by third-party vendors. Furthermore, a great deal of trust is given to employees of electric companies. Subverted SCADA software and disgruntled employees are major threats to information survivability in electric utilities.
The fragmented nature of the industry makes information survivability a challenging cooperative venture. Independent units must agree upon a federated information survival policy and management scheme that encompasses resistance, recognition and reaction to crisis situations.
Electric Utility Information Systems
Like most corporations, electric utilities depend on computers to run their day-to-day operations. Utilities were early adopters of computer technology, first on the business side, especially in customer billing, and then very quickly on the engineering side. Not only did engineering analysis and design become computerized, so did the monitoring and control of the generation-transmission grid. These supervisory control and data acquisition (SCADA) systems have become quite sophisticated, and the computerized control centers of today are the nerve centers that 'keep the lights on.'
The electric utilities are being deregulated so that electric power producers will not have a monopoly over a geographic area of customers but will have to compete with each other in the open market. The transmission grid and distribution wires will become common carriers with open access to all producers and consumers of electricity. It is obvious that such deregulation would not be possible but for the extensive computerization of the electric power industry, which not only allows large numbers of buy-sell transactions but also can quickly analyze the effect of transactions on the transmission grid and suggest mitigative actions if these are undesirable. After restructuring, the resulting generation companies will be deregulated while the transmission and distribution companies likely will stay regulated. A new function, brokering buy-sell transactions, is spawning a new type of company called 'power brokers.'
- Business Computers: Utilities used computers early on for accounting and billing. Relevant information about companies is now held in company-wide databases. While this information is not used in the operation of the power grid, its integrity and availability are essential to the day-to-day operations of the companies. In the past, limited external connectivity minimized security and survivability concerns. However, the trend towards increased connectivity is raising these concerns.
- Engineering Computers: Much of the engineering data for electric utilities is publicly available. Because the transmission systems are interconnected, the planning, design and operation of the grid must be coordinated. There has always been a free flow of this data between companies. Now the data pertaining to generation cost is not readily available, but the engineering data for the transmission and distribution systems is quite public. This makes the system vulnerable not only to internal sabotage by disgruntled employees but also to external foes that have access to engineering expertise.
- Control Center Computers: The SCADA systems and their more modern counterparts, called Energy Management Systems (EMS), are the nerve centers and have large amounts of historical data as well as real-time data on the power system. Security is high relative to the other facets of the enterprise. Until recently, these were stand-alone systems. However, nowadays there are several types of connections to the control center: (i) Communication lines bringing in data from the substations and generating stations; these are relatively secure as the communication lines are usually dedicated. (ii) Communication lines to control centers of other companies to exchange data for coordinating the operation of the grid; security is dependent on the minimum level of the different control centers. (iii) Connections to other engineering or business computers; care is usually taken to allow data to flow only out of the control center. (iv) Dial-in facilities for control center personnel to connect from the outside; usually a strict protocol is followed for connecting, and then read-only access is allowed.
- Embedded Computers: There is a large variety of control equipment on the power system, much of it microprocessor-based. The economy of this equipment is leading towards heavier automation. These embedded computers are often located at remote unmanned substations. These computers could be accessed remotely for setting control and protection parameters. The savings in cost make it very tempting to do so. However, this opens up the possibility of security breaches where sensitive control equipment can be recalibrated by remote break-ins.
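The four kinds of control center connections listed above each carry a different rule: dedicated substation lines, peer links whose strength is the minimum of the two centers' levels, enterprise links that only export data, and dial-in sessions that are read-only after a strict connection protocol. The following is an added example, not code from the paper, that models those rules as a small policy check; the link names, the security levels, the "sensitivity" field and the sample requests are all constructed for illustration.

```python
"""Added example (not from the paper): a small reference-monitor model of the four
control center connection types described in the text.  Link names, security
levels and the sample requests below are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Link(Enum):
    SUBSTATION = "substation"    # (i)   dedicated line from a substation or plant
    PEER_CENTER = "peer_center"  # (ii)  link to another company's control center
    ENTERPRISE = "enterprise"    # (iii) engineering or business computers
    DIAL_IN = "dial_in"          # (iv)  remote access for control center staff


@dataclass(frozen=True)
class Request:
    link: Link
    direction: str                    # "in": data enters the control center, "out": it leaves
    write: bool                       # True if the request would change control center data
    sensitivity: int = 0              # assumed classification of the data (0 = public)
    authenticated: bool = True        # dial-in: the strict connection protocol completed
    peer_level: Optional[int] = None  # security level claimed by the peer control center


LOCAL_LEVEL = 3  # assumed security level of our own control center (constructed value)


def effective_level(local: int, peer: int) -> int:
    """An inter-center link is only as strong as the weaker of its two ends."""
    return min(local, peer)


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request, applying the rule for its link type."""
    if req.link is Link.SUBSTATION:
        # Telemetry in, control commands out, over a dedicated line: both directions expected.
        return True, "dedicated substation line"
    if req.link is Link.PEER_CENTER:
        if req.peer_level is None:
            return False, "peer security level unknown"
        level = effective_level(LOCAL_LEVEL, req.peer_level)
        if req.sensitivity > level:
            return False, f"data sensitivity {req.sensitivity} exceeds link level {level}"
        return True, f"peer link at effective level {level}"
    if req.link is Link.ENTERPRISE:
        # Data may only flow out of the control center, and never modify it.
        if req.direction != "out" or req.write:
            return False, "enterprise link is outbound read-only"
        return True, "outbound export to enterprise network"
    if req.link is Link.DIAL_IN:
        if not req.authenticated:
            return False, "dial-in protocol not completed"
        if req.write:
            return False, "dial-in sessions are read-only"
        return True, "authenticated read-only dial-in"
    return False, "unknown link type"


# Constructed sample requests, one or two per rule.
SAMPLE_REQUESTS = [
    Request(Link.SUBSTATION, "in", False),
    Request(Link.PEER_CENTER, "in", False, sensitivity=2, peer_level=1),   # weak peer
    Request(Link.PEER_CENTER, "out", False, sensitivity=2, peer_level=3),  # adequate peer
    Request(Link.ENTERPRISE, "in", False),                                 # wrong direction
    Request(Link.ENTERPRISE, "out", False),
    Request(Link.DIAL_IN, "in", True),                                     # write attempt
    Request(Link.DIAL_IN, "out", False, authenticated=False),              # protocol skipped
]


def decisions() -> List[bool]:
    """Allow/deny verdict for each sample request, in order."""
    return [evaluate(r)[0] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        ok, why = evaluate(r)
        print(f"{r.link.value:12} {r.direction:3} write={str(r.write):5} "
              f"-> {'ALLOW' if ok else 'DENY '} ({why})")
```

The interesting case is the peer link: a request that would be acceptable at our own level is refused once the weaker peer's level is taken into account, which is exactly the "minimum level" dependency the text points out.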
Threats and Vulnerabilities
Electric companies must guard against both physical and computer disasters. Physical disasters include the destruction of generators or control, transmission and distribution centers. Man-made production of brownouts and blackouts affecting large regions requires a sophisticated attack. Such attacks require extensive knowledge of the power grid. This knowledge is often publicly available. Seven members of an IRA active service unit that recently planned to destroy six substations near London did their research in the public library. The threat of physical attack is real, as is the threat of computer attack. Computer attacks could be used to manifest brownouts and blackouts, but their goal can also be disruption of mundane day-to-day operations or destruction of company data. Disrupting electrical service via computer requires an extensive knowledge of the power grid as well as familiarity with control center software. Crashing control center computing systems is unlikely to create blackouts, but would adversely affect the operation of the power grid. Attacks mounted on trading computers and computers in the business and engineering divisions of utility companies would wreak havoc on day-to-day operations. While such attacks can be launched from a network by hackers, the most serious threats to the power grid are likely to come from the inside by disgruntled employees, or from subverted software used by electric companies but developed by third party vendors. The fragmented nature of the national power grid information infrastructure complicates matters.
- Employees: Possibly the greatest threat to electric utility companies comes from disgruntled employees. Consolidation and restructuring brought about by impending deregulation may leave a lot of dissatisfied employees in its wake. An angry employee with an intimate knowledge of a control center's SCADA software is more capable of causing serious damage than an external hacker.
- SCADA Software: The control software itself also poses potential dangers to the electric utility companies. Mission critical SCADA software is produced by third-party vendors. Subverted software that contains trojan horses could render host computers and networks incapacitated. In effect, the security perimeter must include the software vendors' systems. To make matters worse, SCADA software vendors are less likely to have the same level of security awareness as are control centers, even though their software must be trusted to perform reliably and securely.
- Fragmentation: The federated nature of the electric utility industry complicates survivability issues. Control centers often share sensitive information to help them regulate the regional transmission and distribution of power. Electric companies rely on the accuracy of this information to make local adjustments to their operational units. The need for cooperation between independent distributed enterprises potentially exposes communication links to external threats, man-made and natural. Moreover, attacks can be distributed, and therefore less easily recognized if units do not communicate ostensibly isolated intrusions to each other.
An Agenda for Survivability
Information survivability entails resistance, recognition and reaction to potential threats to an enterprise's information infrastructure [1]. For federated mission-critical enterprises such as electric utilities this can only be realized with cooperative efforts that raise awareness at all levels, promote and enforce coordinated information survival policies, and embrace new technologies that help developers deploy high assurance SCADA software.
- Awareness: Not all solutions are technical, and those that are technical are worthless without awareness and training. Insiders can easily prey upon a network when information survival policies only consider preventing attacks from the outside. A sound policy incorporates pervasive resistance, recognition and reaction mechanisms. Most importantly, employees should be trained to obey the prevailing policy, to recognize risks and suspicious activity, and to react accordingly.
- Federated Survival Policy Management: The impending deregulation of the electric utility industry creates a new challenge in surviving information warfare and computer attacks. The challenge is essentially one of coordination. The cooperative entities that will serve power to our nation must define a federated information survival policy to withstand distributed attacks. Data for grid coordination is already shared between regional control centers. These units will have to share information that can be used to recognize distributed attack patterns, and they will have to communicate to coordinate the implementation of a survival plan in the event of a disaster.
- Survivable SCADA Software: SCADA software presents another challenge. It must be delivered with high assurance of its performance, robustness, reliability, and security. This entails using a software engineering process that employs formal techniques to model, test and analyze software. The NIST Common Criteria (CC) addresses assurance by providing a framework for software evaluation [5]. CC protection profiles specify the security level of software. In the future, survivability profiles may be generated that specify what should happen to a collection of software in the event of a disaster. Tools that help developers build profile-compliant software will be key to the success of the Common Criteria. New technologies such as Proof Carrying Code (PCC) [3] should also be considered as possible means to raise the assurance level of SCADA software.
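The Fragmentation threat above notes that a distributed attack is hard to recognize when each unit keeps its "ostensibly isolated" intrusions to itself, and the Federated Survival Policy Management item asks units to share exactly that information. The following added example, which is not code from the paper, shows the recognition half of such a policy: each control center forwards low-level event reports to a federation correlator, which raises an alert when enough distinct units see the same signature within a window even though no single unit crossed its own alerting threshold. The unit names, signatures, thresholds and report data are all constructed.

```python
"""Added example (not from the paper): correlating locally sub-threshold intrusion
reports from independent control centers to recognize a distributed attack pattern.
Unit names, signatures, thresholds and all report data are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Report:
    unit: str        # reporting control center (constructed names)
    t: int           # minutes since the start of the observation period (constructed)
    signature: str   # the unit's own classification of what it observed
    count: int       # how many such events the unit observed


LOCAL_THRESHOLD = 5      # assumed: a unit alerts on its own only above this count
FEDERATED_MIN_UNITS = 3  # assumed: distinct units that must report one signature
WINDOW_MINUTES = 60      # assumed correlation window

# Constructed reports: three units each see a few failed dial-ins (each below the local
# threshold), one unit sees a scan loud enough to alert on its own, and two units see
# bad telemetry checksums (too few units to correlate).
SAMPLE_REPORTS = [
    Report("north", 5, "failed_dialin", 2),
    Report("west", 10, "port_scan", 9),
    Report("east", 20, "failed_dialin", 3),
    Report("north", 30, "bad_checksum", 1),
    Report("west", 40, "failed_dialin", 2),
    Report("south", 45, "bad_checksum", 2),
    Report("east", 150, "failed_dialin", 1),  # outside the window of the first cluster
]


def local_alerts(reports: List[Report]) -> List[Report]:
    """What each unit would raise on its own, without any sharing."""
    return [r for r in reports if r.count > LOCAL_THRESHOLD]


def federated_alerts(reports: List[Report]) -> List[Tuple[str, Tuple[str, ...], int]]:
    """Group shared reports by signature and slide a time window over each group;
    alert when enough distinct units saw the same signature inside the window,
    regardless of how small each unit's own count was."""
    by_sig: Dict[str, List[Report]] = defaultdict(list)
    for r in reports:
        by_sig[r.signature].append(r)
    alerts: List[Tuple[str, Tuple[str, ...], int]] = []
    for sig, rs in by_sig.items():
        rs.sort(key=lambda r: r.t)
        for i, first in enumerate(rs):
            units = {r.unit for r in rs[i:] if r.t - first.t <= WINDOW_MINUTES}
            if len(units) >= FEDERATED_MIN_UNITS:
                alerts.append((sig, tuple(sorted(units)), first.t))
                break  # one alert per signature is enough to trigger the shared plan
    return alerts


if __name__ == "__main__":
    for r in local_alerts(SAMPLE_REPORTS):
        print(f"local alert   {r.unit}: {r.signature} x{r.count} at t={r.t}")
    for sig, units, t in federated_alerts(SAMPLE_REPORTS):
        print(f"federated alert: {sig} seen by {', '.join(units)} starting t={t}")
```

On the constructed data, only the port scan produces a local alert, while the failed dial-ins, which never exceed three events at any one center, are recognized as a pattern only once the three centers' reports are pooled. The same correlator would also be the natural place to hand a recognized pattern to the coordinated reaction plan the text calls for.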
Conclusions
The electric utility industry faces unique information survivability challenges in the face of deregulation and increased computer networking. Disgruntled employees and subverted SCADA software pose the biggest threats to electric companies. The fragmentation of the industry into cooperative but independent units makes resistance, recognition and reaction to threats more difficult. We believe that employee training and awareness programs, trusted software development methodologies, and federated information survival policy management are essential pieces of a total solution.
Bibliography
- [1] Ellison, R.J., Fisher, D.A., Linger, R.C., Lipson, H.F., Longstaff, T., Mead, N.R., Survivable Network Systems: An Emerging Discipline, Technical Report CMU/SEI-97-TR-013, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, November 1997.
- [2] Moore, T., Tighter Security for Electronic Information, EPRI Journal, vol. 21, no. 6, November 1996.
- [3] Necula, G., Proof-Carrying Code, in Proceedings of the 24th SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'97), Paris, January 1997, pp. 106-119.
- [4] Rules of the Road, North American Electric Reliability Council (NERC) document, 1992.
- [5] Summary of the Common Criteria (v1.0), http://csrc.nist.gov/cc/info/cc-summ/index.htm, Syntegra, Ltd., July 1997.