This week we heard that a virus had struck an Iranian atomic research facility, reeking havoc with the AC and blasting AC/DC's "Thunderstruck," and continued discussion on leaks about President Obama's approval of U.S. cyber warfare program. It all begs the question of how easily an adversary could retaliate.
There is no international treaty on cyber warfare. The U.S. could conceivably have opened up the proverbial can of worms. Are hacks to critical infrastructure such as utilities and power grids off limits? Several people died earlier this month when a thunderstorm knocked power out during an unusually hot night in Washington D.C. Imagine the impact of a widespread, long-term outage.
That's probably why the Senate is debating the latest iteration of a bill that's being championed by Connecticut Senator Joseph Lieberman and supported by President Obama. The Senator is stoking fear of cyber war, and he may have good reason. Iran may feel justified to strike back.
"The cyber-war genie is now fully out of the bottle, thanks to Stuxnet. It's only a matter of time before the U.S. is a target. Without reading more about the bill, though, I couldn't say whether this is a part of the solution or a compounding of the problem," said noted software security expert Rex Black.
You may be wondering what this has to do with energy. SafeNet's vice president of product management Mark Yakabuski told me thatwere a particular focal point, and that the utility industry is grappling with finding the right balance between security and reliability.
Utilities, Yakabuski explained, are anxious about new regulations that could be burdensome to implement. He argues that increased security would increase reliability by preventing potential long-term outages potentially caused by cyber attacks. SafeNet sells transaction security solutions.
"Utilities are already under tremendous pressure to comply by North America Electric Reliability Council's (NERC) critical infrastructure protection mandates. This mandate, as much as 40 and more requirements, require utilities to audit their cyber assets found in the electricity transmission business. Smart grid is not covered in these NERC guidelines," IDC senior research analyst Usman Sindhu wrote in an e-mail.
Sindhu added that utilities already share information on attempted intrusions with the Industrial Control System CERT team established by Department of Homeland Security, which also issue alerts. Industry consortiums share information as well in addition to being already regulated by existing regional entities.
"I think one of the biggest impact utilities can have due to the cybersecurity law is the clause ‘Not later than 1 year after the date of enactment of this Act, the Inspector General of the Department shall conduct an audit of the management of covered information under this title and report the findings to appropriate congressional committees'. Utilities will have to go through an additional layer of scrutiny on top of existing regional entities," Sindhu explained.
One of the main goals of the cyber warfare bill is to facilitate better information sharing. "Information sharing work is already in progress," Sindhu noted. "One utility dedicated 20 staff members overtime to look into compliance. Added scrutiny may take utility's attention away from dealing with the critical issues to just managing check-box compliance. On the other hand, if these guidelines help draft baseline, especially for smart grids, then they're helpful."
Even more security is necessary in the utility sector around the world, Yakabuski argued. However, he noted that utility security in the U.S. is relatively advanced compared to other countries, but declined to make an "overreaching statement" about the nation's vulnerability. He suggested that a good starting place would be for utilities to look toward the financial industry for guidance on how to protect consumer's data.
"Yes, there are things to be worked out - however, utilities are working on the issues gradually. Smart grid networks have introduced utility professionals with many concepts that they did not think about. Security and risk management is one of them. Today, there's better awareness about smart grid risks than 2 years ago," Sindhu said.
"Although smart grid and metering is always blamed to have lax security, there hasn't been a widespread security incident solely due its vulnerabilities. It doesn't mean, however, that incidents cannot occur in the future. Good news is that, utilities are working with vendors to rectify critical issues."
I recall reading about U.S. utility infrastructure being infected by malware some years ago before President Obama took office, but when you open up a can of worms the consequences can be unexpected. Could the smart grid have introduced a new national security risk?
(Image credit: John Solie via iStockphoto.com)
Related on SmartPlanet:
This post was originally published on Smartplanet.com