
Network World

Ron Lepofsky

Here's a better idea for securing the nation's electric grid

To rid the nation from electric grid gremlins, we don’t need cooperation, we need a bigger stick.

By Ron Lepofsky on Wed, 06/09/10 - 11:58am.

Last week, Ellen Messmer wrote an article recapping NERC’s report on the many potential paths to destruction of our North American electrical grid. In my opinion, while NERC (North American Electric Reliability Corporation) has managed to accurately identify real security risks, it has missed the main point.

Yes, our energy grid is woefully in need of upgrading to mitigate the threat of a cascading failure, an example of which many of us experienced in August 2005. And yes, the NERC CIP 001 – 009 security standards for the real-time monitoring and management of electrical grids are an important and meaningful tool for making our grid more survivable, robust and secure.

However, the fundamental recommendation of the report calls for better coordination between US power-grid providers and the government. To me, government coordination is an oxymoron. We can all see how well government coordination is working on the Gulf oil spill.

I think the path to grid deliverance is for the government to replace coordination with costly penalties for those utilities which fail to comply with the NERC CIP standard.

Expensive penalties might get utility executives to take their security risks more seriously, and maybe start by addressing the here-and-now concerns expressed by their own SCADA IT security staff. We have worked with SCADA IT staff who were already aware of existing security risks, but since an event had not yet caused a costly or embarrassing outage, their executives were loath to invest in mitigating those risks.

So perhaps the time is right to up the ante on the potential downside cost of a security event to include a serious financial penalty. Then executives can re-evaluate their security ROI business cases to include the new downside penalty.

In our security auditing experience with electrical utilities, we have identified many security threats and vulnerabilities which could be turned into disasters by very low-tech and unsophisticated means. Terrorists, solar events and pandemics are not even remotely required in order to exploit very commonly found weaknesses. Somebody with a six-foot ladder and a laptop could potentially do just as much damage.

The solution to this problem is to sufficiently fund the security programs at the electrical utilities so their own security teams can adequately and reasonably implement the NERC standard, with emphasis on sections like Electronic Security Perimeter (CIP 005) and Sabotage Reporting (CIP 001).

While it’s very exciting and stimulating to think about how our electrical grid could be brought down by behemoths of nature and by evil people with malicious intent, the reality is that our grid is susceptible to the simplest of gremlins.

Maybe it’s time to think again.

Have a secure week.

About On Being Secure

Ron Lepofsky, CISSP, is founder and president of ERE Information Security and Privacy Auditors, an information security audit and compliance company since 2000. Previously Ron was founder and president of data telecommunications company PTI Telecommunications, founded in 1989.

Ron graduated with a degree in Mechanical Engineering (B.A.Sc.) from the University of Toronto. After that he spent time as a sales representative for high-tech companies, including stints at Digital Equipment of Canada Ltd., Timeplex Canada Limited and Data General Canada Ltd., until he struck out on his own.

Ron is a frequent contributor of articles published in a wide variety of media outlets relating to information security, privacy, law and electrical utilities. He is also an avid blogger on the topics of security and privacy, both on the ERE site and other security sites. When not writing or auditing/implementing, Ron is a frequent speaker at industry conferences.

And if all that wasn't enough, Ron also makes great dark chocolate-covered strawberries, nuts, dried fruit and cookies.
