Energy Department spends $30M to bolster utility cybersecurity tools

Tsunami of cybersecurity threats faces utility industry

The Department of Energy today awarded $30 million to 11 security vendors to develop technology the agency says will better protect the nation's electric grid, oil and gas infrastructure from cyber-attack.

The projects, which will combine power system engineering and cybersecurity, will include testing of the new products to demonstrate their effectiveness and interoperability, the DOE said. 

The 11 projects selected include:

  • ABB, Inc: ABB will develop a system that allows substation devices to work together to validate the integrity of communications, such as commands to change a protective relay's configuration, and assess the potential impact on grid operations.
  • Electric Power Research Institute, Inc.: EPRI will develop a framework that allows utilities to centrally manage the remote configuration of their energy delivery system devices – regardless of vendor or age – more securely.
  • Foxguard Solutions, Inc.: Foxguard will develop a service that allows utilities to simplify the process of keeping up-to-date with the most current firmware and software patches and updates.
  • Georgia Tech Applied Research Corporation: The company will develop a technology that evaluates energy delivery system control commands to anticipate their impact on power grid operations and, if needed, implement cybersecurity responses to prevent disruptions.
  • Grid Protection Alliance: The alliance will develop an architecture that enables more secure substation communications for data generated by legacy or modern energy delivery devices.
  • National Rural Electric Cooperative Association: NRECA will develop a network that allows utilities and small electric cooperatives with limited resources to centrally manage their networks more securely.
  • Schweitzer Engineering Laboratories, Inc.: The company will develop an integrated cyber-physical access control system that simplifies the process of managing access to energy delivery facilities.
  • Schweitzer: The company will develop a radio platform for more secure "last mile" wireless communications used with remote energy delivery infrastructure such as distribution substations.
  • Schweitzer: Schweitzer will develop software that allows utilities to centrally manage their local area networks more securely, providing real-time awareness of cyber activity and rerouting network traffic in response to cyber intrusions.
  • TT Government Solutions, Inc.: TT will develop a technology that analyzes and visualizes smart meter wireless communications to quickly detect unusual behavior that could suggest a cyber-attack.
  • Viasat, Inc.: Viasat will develop an architecture that gives utilities awareness of the status of their energy delivery systems’ cybersecurity, and allows them to automatically respond to cyber intrusions as predetermined in the utility’s cybersecurity policy.

While the DOE’s investment is welcomed, a survey of U.S. utilities in May shows what many utilities are up against. In that survey, called "Electric Grid Vulnerability," more than a dozen utilities said cyberattacks were daily or constant. The survey was commissioned by U.S. Democratic Representatives Edward J. Markey and Henry A. Waxman, who are members of the U.S. House Energy and Commerce Subcommittee.

According to an IDG News Service story, the survey came in response to widespread concerns that hackers could damage parts of the U.S. power grid, causing widespread outages and prolonged economic effects. Power outages and quality disturbances cost the U.S. economy upwards of $188 billion annually, with single outages costing as much as $10 billion, the report said. Replacing large transformers, for example, can take more than 20 months.

The 15-question survey was sent to more than 150 utilities owned by investors, municipalities, rural electric cooperatives and those that are part of federal government entities. About 112 responded to the survey, which was sent in January.

Many utilities were coy in their responses. None reported damage as a result of cyberattacks, and many declined to answer the question of how many attempted attacks were detected, the report said. One utility said it recorded 10,000 cyberattacks per month, while another said it saw daily probes for vulnerabilities in its systems and applications. Cyberattacks are inexpensive to execute and hard to trace, the report said.

"It has been reported that actors based in China, Russia, and Iran have conducted cyber probes of U.S. grid systems, and that cyberattacks have been conducted against critical infrastructure in other countries," the report said.

The U.S. Congress has not delegated oversight of utilities' cybersecurity to a federal agency. An industry organization, the North American Electric Reliability Corporation (NERC), publishes both mandatory and voluntary security standards, the report said. In 2010, the U.S. House of Representatives passed the GRID Act, which would have given the Federal Energy Regulatory Commission the authority to protect the electricity grid. But the legislation did not pass the Senate, and the issue remains inactive in the House, the report said.

Since 2010, the DOE said it has invested more than $100 million in cybersecurity research and development through awards and funding provided to industry, universities and national laboratories.

Earlier this year, for example, the DOE spent $20 million on similar tool development. At that time the agency said it wanted to focus research and development of new tools on six critical areas including:

• Energy delivery control system software and updates: Develop techniques needed to formally verify that an update or patch will perform exactly as intended, do nothing unexpected and that the update does not compromise energy delivery system integrity, authenticity and availability. The solution must accommodate third-party and legacy components; be scalable so that updates can be securely deployed to multiple devices; provide a means for devices that require updates to communicate this status to the energy sector end-user and must not impede critical energy delivery functions. The technology and techniques must be demonstrated at an end-user site to validate a clear industry acceptance.

• Responding to intrusions: Demonstrate technology or techniques needed to perform a comprehensive analysis of the root cause, extent, and consequence of an ongoing cyber intrusion in an energy delivery system. A comprehensive analysis often requires all cyber assets to be evaluated for possible compromise, and cyber assets to be taken offline during this process. However, energy delivery control systems are comprised of complex network architectures that may contain hundreds of specialized cyber components and may extend across wide geographic regions. This picture is becoming increasingly complex as the energy sector brings in technologies such as mobile and cloud computing, plug-in-hybrid vehicles and millions of smart meters. Also, reliable and safe energy delivery requires that energy delivery control system components remain available at all times to sustain critical functions. The technology or technique must be scalable to accommodate energy delivery system architectures of various size and configuration, must not impede critical energy delivery functions and must be demonstrated at an end-user site to validate a clear industry acceptance.

• Detecting problems: Develop technology or techniques to detect the presence of undesired activity inserted upstream in the supply-chain that could compromise the integrity of energy delivery system components. The research can consider one or more of hardware, firmware or software, including third party. The technologies and techniques will be used by the vendor during component development, and may include the capability for continuous detection during operation at the energy asset end-user installation. The technology and techniques must be demonstrated at an end-user site to validate a clear industry acceptance.

• Secure remote access: Build technology to provide secure remote access capability, such as but not limited to cryptographic key management offerings. Secure remote access to field devices is necessary to perform timely maintenance, retrieve data and update firmware. Legacy field devices that typically have limited bandwidth and computational resources, reside in the same architecture with modern devices that are equipped with more advanced communication and computational capabilities and that may number in the millions, such as smart meters. The technology must be scalable to energy delivery system architectures of various size and configuration; interoperate across diverse communications media and protocols in the energy sector, including legacy as well as current day devices; accommodate legacy device bandwidth and computational constraints; and not impede critical energy delivery functions.

• Responding to threats: Develop technology to detect and respond, as appropriate, to adversarial cyber activity that seeks to evade detection by exploiting expected and allowed operation of power grid components. For example, malicious manipulation of energy sector communications may use an expected protocol and request an action that the recipient local power grid devices were designed to perform but that action may be undesired in the larger operational context of the bulk power grid. This technology should not impede critical energy delivery functions.
