US Energy Dept. finds myriad challenges to building culture of network security

US DOE looks at culture of security as part of overarching energy security roadmap

When it comes to securing the nation's critical energy networks, the Department of Energy says much work remains. Key to that work are the engineers, network administrators, vendors and others behind the security technology, but they will be leaving the industry in droves in the next five years, according to a Department of Energy security roadmap issued this week.

"Over the next five years, energy companies will face a critical shortage of engineers and skilled craft workers. For example, about 45% of engineers, 7,000 in electric utilities alone, are predicted to retire or leave for other reasons. Compounding that, two to three times more power engineers may be needed to satisfy the needs of the entire economy and future operations will require broader skill sets than those prevalent today," the report states.

Keeping key people is just one of the many challenges to building what the DOE calls a culture of security. From the report:

  • Limited knowledge, training, understanding, and appreciation of energy delivery systems security risks inhibits security actions within the energy sector. There is also an incomplete understanding of the cost of decisions and system resilience in terms of failure modes and vulnerabilities. Current risk assessment capabilities fall short of determining the effects of each cost decision on system resilience in terms of failure modes and vulnerabilities.
  • While standards have helped to raise security to a baseline level across the energy sector, some standards remain unclear or too broad, or may have prompted utilities to use less advanced security measures to meet requirements. In addition, a rapidly changing risk environment means standards compliance today may not be sufficient tomorrow.
  • Improving security comes at a cost, and demonstrating direct line benefits to an energy organization is difficult. Without the occurrence of a catastrophic cyber incident or a strong business case, public and private partners will continue to have limited time and/or resources to invest in partnership efforts.
  • The increasing sophistication of cyber intrusion tools and complexity of energy delivery systems makes it difficult for asset owners and operators to recognize an incident once it is under way. The use of automated intrusion detection systems and applications has the potential to introduce serious operational issues.
  • Executives, the public, and even organizations within the utility still lack a full understanding of energy delivery system vulnerabilities and the potential consequences of an incident. The limited exchange of threat and incident information prevents the sector from compiling the evidence it needs to build a compelling business case to increase private investment in energy delivery systems security. Credible, actionable, and timely information is also essential to ensuring that the energy sector can adequately mitigate energy delivery system vulnerabilities before adversaries can exploit them.
  • Belief that security standard compliance is sufficient for cybersecurity of energy delivery systems inhibits adoption of additional security measures.
  • Secure coding practices are not uniformly enforced.
  • Incomplete understanding of the cost of decisions and system resilience in terms of failure modes and vulnerabilities.
  • Patching/fixing vulnerabilities in energy delivery systems can create new cyber risks.

The DOE report goes on to state that building a culture of security requires security to be cost-effectively built into the design, installation, operation, and maintenance of energy delivery systems. Increased executive engagement is needed to help decision makers better understand energy delivery systems security issues. This knowledge will let government and industry decision makers make resource investment decisions for resilience that are appropriate to their organization, the DOE says.

"As many of the most experienced power systems operators begin to retire, the energy sector needs dedicated knowledge and skill transfer programs to retain the centuries of experience that these workers possess. As the energy infrastructure becomes increasingly automated and complex, information technology and security will become valuable backgrounds for system operators and engineers. Industry can work directly with universities to develop curricula that channel skilled workers into promising career paths and build a strong pipeline of energy delivery system workers knowledgeable in cybersecurity that significantly increases in the next five years," the report states.

Follow Michael Cooney on Twitter: nwwlayer8

Copyright © 2011 IDG Communications, Inc.