Federal security rules fueling energy company anxiety
SCADA systems seen as vulnerable to cyberattack.
By Ellen Messmer, NetworkWorld.com, 09/28/2006
SAN FRANCISCO -- The nation’s energy companies are scrambling to meet government regulations going into effect as soon as January that in
part are designed to safeguard the computer-based control systems for electricity and gas distribution from cyberattacks.
Top energy IT officials say they are challenged to meet the new rules because the massive systems control and data acquisition
(SCADA) systems used to manage their resources increasingly are based on Windows and Unix but weren’t really designed with
network security in mind. The systems often don’t work easily with antivirus software and can be tough to patch, they say.
In addition, the SCADA systems increasingly share the same corporate network as other business applications, but the people
running the SCADA and voice/data networks are on separate teams. “In companies I’ve seen, they choose to be separate,” said
Evon Salle, senior information systems auditor at OGE Energy, in Oklahoma City, and a forum participant at the IT Security
World Conference here.
Congress took up the cause of greater SCADA security after a massive power blackout in the summer of 2003, passing legislation
that has led to the creation of nine Critical Infrastructure Protection (CIP) rules.
These were devised under the aegis of the North American Electric Reliability Council (NERC), the trade group recently chosen
by the Federal Energy Regulatory Commission to set mandatory security standards for the energy sector. NERC also is expected to be in charge of rules enforcement, which
could include dishing out million-dollar fines for noncompliance.
The CIP rules cover areas such as reporting sabotage, ensuring physical security, monitoring and running antivirus controls,
and doing patch updates on all critical assets, including control centers, substations and SCADA systems.
Energy companies say they’re prodding SCADA operations groups to work with the corporate IT departments to impose firewalls,
access control, encryption and antivirus controls if they weren’t there before. But technical challenges remain.
“A lot of times you won’t have virus protection in a SCADA environment,” Salle said.
“Virus software, such as from McAfee and Symantec, thinks the SCADA system is a virus and that’s why you can’t run it.”
The biggest risk is “SCADA not having a firewall, while also having Internet access,” she added.
Energy companies acknowledge that their SCADA systems haven’t been immune to virus outbreaks.
“We’ve had viruses hit one of our plants,” said Charles Simons, manager of firewall integrity management at BP Global. The
company immediately firewalled off its process-control networks and put corporate IT security in control of industrial systems.
Complying with the CIP guidelines to cordon off SCADA and apply a battery of security controls is proving difficult for some.
“It’s quite a culture change for us, especially for substations and generators,” said Sharon Edwards, project manager for
implementing the cybersecurity guidelines at Duke Energy. So far, Duke Energy hasn’t been able to identify vendors that would
help in implementing the enormous log collection and management and other requirements dictated by CIP.