Back in the spring, I brought to light a new regulatory compliance requirement that would affect the nation’s energy companies by the beginning of 2007. With the deadline just a few months away, it appears that energy companies are finally trying to come to grips with what they must do to achieve compliance.
To bring you up to speed a bit: back in August 2003, the Northeast was hit with a massive power blackout that left nearly one million people without water and 50 million without electricity, and closed down twelve airports. In response, in August 2005, Congress and the Bush administration enacted the Energy Policy Act, which mandated new security regulations for the industry.
Now, energy companies are scrambling because some of the new rules become effective January 1, 2007. Complicating matters is the fact that most energy companies rely on massive systems control and data acquisition (SCADA) programs, which weren’t designed with security in mind, to manage their resources. These programs are hard to run alongside antivirus software and are tough to patch. And, increasingly, the SCADA systems reside on the same network as other business applications, which increases the share of the infrastructure that must meet regulatory controls.
Securing these systems is a serious matter. In a recent article, Jay White, global architect for information protection, policies, and standards in Chevron’s IT division, said, “SCADA systems manage valves and pressures. They’re mission-critical. If you lose control over them, you could have an irreversible environmental impact.”
The problem remains the same as with other current regulatory compliance laws—acceptance. Too many companies are doing everything they can to avoid having to comply, rather than embracing the value that establishing IT controls will add by streamlining their IT services and providing improved security, performance, and availability for their business services.
Duke Energy, a diversified energy company with a portfolio of natural gas and electric businesses, both regulated and non-regulated, and an affiliated real estate company, acknowledged in the article that they’d fought the imposition of CIP (Critical Infrastructure Protection) rules, the nine rules created and enforced by the North American Electric Reliability Council (NERC). “There’s a lot of push-back from industry on this,” said Sharon Edwards, project manager for implementing cyber security guidelines at Duke Energy.
Given the significant risk if an energy company’s SCADA systems are exposed to hackers or terrorists, wouldn’t you think they’d be more proactive about this? I’d love to hear your thoughts on why organizations aren’t taking compliance issues more seriously.

I'm not sure I would agree with the assessment that power company infrastructures have their control systems software wide open on the network, or that these applications make it harder to use anti-virus products, etc. I'm sure there are some poorly implemented systems out there, but having worked as an integrator a few years ago, I saw the inside of a number of power plants and their respective corporate offices. It's entirely possible I was seeing the most forward-thinking of the group, but they never struck me as fitting that description.
The majority of the control systems software was running on a Windows platform, with a few random Solaris boxes thrown in. The machines that the software was running on had a separate LAN inside the building that only had process equipment and machines on it. Each plant had its own historian server, also on the process network, and that server was the only machine with access to both the business network and the process network. That access was limited to bidirectional data flow on a set of ports for data acquisition, upstream data push to the corporate historian that served as a collection point for some of the data, and downstream access only from a limited number of servers to allow remote administration.
Anti-virus could be and has been installed next to most of this software (the Windows software at least). The only catch is making sure you're not monitoring the cache files that are holding snapshot data, since those files change contents rapidly.
Gaining access to a control system would be difficult to an extreme in this environment. You would first have to get through the corporate firewall, then you would have to find and get access to one of a few servers that were allowed to communicate to the remote site, then you would have to break another username/password to access the historian (which isn't using Domain Authentication), at that point you would then need to find some way to access a control system machine with access only to 2 TCP/IP ports that connect to an application that has no interaction with the desktop or administrative rights and in some cases will be running on the same machine and connected read-only to another system. All traffic not on those ports is filtered out.
I have skipped some other intermediary steps and difficulties, but having control systems on a network does not automatically make a plant (power or not) a target. Every manufacturing plant, power plant, etc. has control systems, the majority of which are connected to some form of Windows or Unix software (though there are still some standalone console companies, even these generally tie into a historian or database).
Plus this doesn't take into account that the hacker in question would have to seriously be interested in controlling a generator/grid because the effort it would take even to get into the historian systems forced them to pass all of the financial servers, corporate business and file servers, etc.
Posted by: Tarwn | October 26, 2006 at 06:56 AM
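The segmentation the comment above describes (an isolated process LAN, a single historian host bridging it to the business network, a handful of data-acquisition ports in each direction, and remote administration permitted only from a few named servers) can be written down as an explicit allow-list and checked against flow records. The following is an added example, not code from the blog post or from the commenter; the address ranges, zone names, port numbers and flow-log lines are all constructed for illustration, and the rule set is a hypothetical model of the design rather than any real plant's configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical address plan for one plant. Every address, zone name and port
# below is constructed for this example, not taken from any real site.
ZONES = {
    "process":        ip_network("10.10.1.0/24"),   # control-system machines, process LAN only
    "historian":      ip_network("10.10.2.10/32"),  # plant historian: the only host on both networks
    "corp_historian": ip_network("10.20.5.20/32"),  # corporate collection point for pushed data
    "admin":          ip_network("10.20.9.0/28"),   # the few servers allowed to administer remotely
    "business":       ip_network("10.20.0.0/16"),   # everything else on the corporate LAN
}
# Longest prefix wins, so a host in "admin" is not also treated as plain "business".
_ZONES_BY_SPECIFICITY = sorted(ZONES.items(), key=lambda kv: kv[1].prefixlen, reverse=True)

DATA_PORTS = frozenset({5450, 5451})   # constructed data-acquisition ports
ADMIN_PORT = 3389                      # remote administration port for the historian

# Allow-list of (source zone, destination zone, permitted destination ports).
# Anything not listed is dropped, which models the "all traffic not on those
# ports is filtered out" behaviour the comment describes.
RULES = (
    ("process",   "historian",      DATA_PORTS),               # acquisition, plant side
    ("historian", "process",        DATA_PORTS),               # acquisition, return direction
    ("historian", "corp_historian", frozenset({5450})),        # upstream push only
    ("admin",     "historian",      frozenset({ADMIN_PORT})),  # remote administration
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def zone_of(addr: str) -> str:
    """Map an address to its zone, most specific network first."""
    ip = ip_address(addr)
    for name, net in _ZONES_BY_SPECIFICITY:
        if ip in net:
            return name
    return "untrusted"   # unknown or external address


def is_allowed(flow: Flow) -> bool:
    """True only if some rule permits this zone pair on this destination port."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    return any(
        src_zone == s and dst_zone == d and flow.port in ports
        for s, d, ports in RULES
    )


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst port' flow-log line."""
    src, dst, port = line.split()
    return Flow(src, dst, int(port))


def find_violations(log_lines):
    """Return the flows a segmentation audit would flag as matching no rule."""
    return [f for f in map(parse_flow, log_lines) if not is_allowed(f)]


# Constructed flow log: a mix of expected traffic and attempts the design should block.
SAMPLE_LOG = [
    "10.10.1.15 10.10.2.10 5450",    # control server -> historian, data port: allowed
    "10.10.2.10 10.20.5.20 5450",    # historian -> corporate historian push: allowed
    "10.20.9.3 10.10.2.10 3389",     # admin server -> historian: allowed
    "10.20.3.4 10.10.2.10 3389",     # ordinary business desktop -> historian: blocked
    "10.20.3.4 10.10.1.15 5450",     # business LAN straight to a control server: blocked
    "10.10.2.10 10.20.5.20 22",      # historian push on an unlisted port: blocked
    "198.51.100.7 10.10.2.10 5450",  # external address -> historian: blocked
]

if __name__ == "__main__":
    for f in find_violations(SAMPLE_LOG):
        print(f"DENY {f.src} -> {f.dst}:{f.port} ({zone_of(f.src)} -> {zone_of(f.dst)})")
```

Running the script over the constructed log flags the last four lines. The useful property of writing the design this way is that a direct business-to-process flow, or a historian push on an unexpected port, is a policy violation that can be surfaced from flow records rather than something that only comes to light when a firewall rule is reviewed by hand.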