By Paul Myer
The evolving risk of a coordinated, catastrophic cyberattack on U.S. energy delivery systems (collectively known as “the power grid”) via vulnerable Industrial Control Systems (ICS), resulting in widespread, prolonged power outages, is not a new concern to energy industry executives or government policy makers.
Owners and operators of energy sector assets understand the possible impacts of coordinated physical and cyber attacks that threaten the reliability and resilience of U.S. energy delivery systems. They experienced the havoc and the disruptive economic and social impacts of prolonged power outages over widespread areas during the 2003 Northeast Blackout and the 2011 Southwest Blackout.
However, with a long-standing industry focus on grid reliability, a lack of qualified cyber security experts, and reliance on the fact that a hypothetical cyberattack resulting in widespread outages has not yet occurred on the U.S. power grid, energy sector utilities have become complacent in their cyber protection strategies.
A continued reliance on legacy systems and protocols designed decades ago without modern-day cyber security in mind, coupled with the growth of networks and communication protocols, has left the energy sector vulnerable and behind the eight ball.
The increase in sophisticated cyber attacks, and the use of bolt-on in-line devices as protection, contributes to the loss of the awareness and cyber risk management intelligence needed to proactively address the vulnerabilities and threats facing ICS platforms and networks that serve the most significant critical infrastructure in society. Without an ever-shifting and proactive approach, the energy industry loses the ability to respond resiliently to sophisticated intrusions.
On December 23, 2016, this emerging risk went from hypothetical to executed when a regional electricity distribution company in Ukraine experienced a coordinated cyber attack and illegal breach of the company’s IDS controlling more than 30 substations (110 kV – 23 kV), ultimately affecting 225,000 customers over three different distribution service territories for several hours.
This attack brought into focus real-time vulnerabilities and impacts for the aging legacy ICSs responsible for controlling U.S. energy delivery systems. As the complexity of the power grid evolves and security around critical systems and assets escalates, the consequences of cyber security risk that has escaped the focus of the electric industry can be catastrophic.
‘Chess Master’ to the rescue
Driven by the escalating fear of a Ukraine-style attack on U.S. soil, and the need to proactively address the holistic cyber security issue centrally from the network level, the Department of Energy (DOE) recently granted 4 million dollars to a team of emerging technology-conscious companies to inspire the creative development of technology that addresses security more effectively and does not rely on outdated and vulnerable mechanisms that currently lag evolving cyber intrusion technology.
The “Chess Master Project,” a nickname bestowed on this effort, is driven by a development team of emerging leaders: Veracity Industrial Networks, Schweitzer Engineering Laboratories, Sempra Energy and Ameren Corporation. The focus of the project is to address security and resiliency with autonomous scanning and cyberthreat intelligence that create intelligent “operational networks that deny-by-default unexpected cyber activity to help prevent an intrusion and have pre-engineered response to adapt and survive should an intrusion occur.”
The technology coming out of Chess Master will be designed to ensure that critical energy delivery functions are not impeded, that asset owners will have full visibility of the cybersecurity state of the energy delivery control systems, and to independently demonstrate that the technology autonomously and continually reduces the cyber-attack surface of modern energy delivery control systems. This program was funded by the “Cybersecurity for Energy Delivery Systems Program Initiative” announced in January of 2016.
The project was purposely designed to build on and complement the efforts of previous watchdog and SDN projects that addressed secure communications and sustainability of critical operations while responding to cyber intrusions. The DOE’s approach is refreshing: inspire emerging technology, break down complacency and technology barriers, and face the issues head-on by changing the art of cyber security. It’s about time we take this issue to heart and address the risk and vulnerabilities with creativity and logic.
About the essayist: Paul D. Myer, CEO of Veracity Industrial Networks, served as SVP of corporate development at M86 Security, and also served as its president and COO. Mr. Myer is a technology industry veteran who has held management positions with leading technology companies, including NEC Technologies and Compaq Computer Corporation. He holds a B.A. degree in International Relations from Brigham Young University and an MBA from Pepperdine University.