It would seem that what spurs private and public electric grid utility operators to action with regard to cybersecurity isn’t the Chinese or Iranians attacking them, but the word “mandatory”.
A paper published yesterday by two U.S. legislators revealed that when the Federal Energy Regulatory Commission (FERC) or the North American Electric Reliability Corporation (NERC) puts mandatory cybersecurity standards in place, compliance is 80 percent or better. When the same two bodies merely recommend voluntary measures, compliance plummets to less than 25 percent in some cases. Some of those voluntary recommendations address specific attacks such as Stuxnet, while others address remote-access threats more generally.
The paper was written by staffers of Reps. Edward J. Markey (D-MA) and Henry A. Waxman (D-CA), and its results are based on a written survey of 15 questions posed to 150 operators, a mix of privately owned and municipally or federally owned and operated pieces of the bulk power system. More than 60 percent replied (54 private, 47 public, 12 federal). The survey asked the utilities a range of questions about compliance with standards such as the NERC Critical Infrastructure Protection (CIP) standards, which FERC approves and enforces, as well as about background checks, contingency plans for geomagnetic storms, whether the entity had accounted for all of its assets, and even questions specific to the Aurora and Stuxnet attacks.
“Most utilities did not indicate how many of the voluntary cybersecurity measures related to Stuxnet, Aurora and remote access threat they have implemented. Of those that did respond, most indicated that they had not implemented any of these measures,” the paper said.
Critical infrastructure security awareness is getting better, experts say. While relatively few attacks are made public, more attention is being drawn to vulnerabilities in ubiquitous gear managing SCADA and industrial control systems, the increased connectivity of management interfaces and ICS equipment to the Internet, and how easy it is to find vulnerable equipment online using a number of freely available tools such as the Shodan search engine.
Yet a significant number of operators either lack cybersecurity expertise or simply cannot take critical equipment offline to patch software holes or rework processes.
For example, there are five mandatory security measures to mitigate the threat posed by Stuxnet and seven voluntary mitigations. Of the respondents, 41 of 45 private, 25 of 30 public and 8 of 10 federal operators reported compliance with the mandatory requirements, while only 21 percent, 44 percent and 62 percent, respectively, had implemented the voluntary measures. A small number of utilities, the report said, did not answer the question, saying they were unaware of the NERC communication.
“Cyber-attacks can create instant effects at very low cost, and are very difficult to positively attribute back to the attacker,” the report said, citing examples such as the Shamoon wiper attack on Saudi Aramco, the Saudi state-run oil company, which destroyed roughly 30,000 workstations.
The report also enumerates probes and successful attacks on electric utilities. More than a dozen utilities reported constant attacks via system probes, phishing or malware seeking access to internal systems. One utility, the report said, suffers approximately 10,000 cyberattacks per month. One provider in the Midwest said attackers are constantly probing for vulnerabilities and automatically adapt their attempts to exploit the flaws they find.
“While some utilities reported that they had experienced no attacks that adversely impacted their operations, many failed to respond to the question about the numbers of attempted attacks, and others failed to respond to the question at all,” the report said.
Markey and Waxman were advocates of the 2010 GRID Act, which passed the House but failed in the Senate. The act, according to the report, would have given FERC the authority to mandate cybersecurity mitigations to protect the grid.