Panel: SCADA systems at risk for intrusion attack
ORLANDO—A panel of public utility executives speaking at the Homeland Security for Networked Industries conference here agreed that remote monitoring and control systems, particularly SCADA systems, are vulnerable to intrusion attacks and should be protected more vigilantly. They also said that utilities would be well served to link disaster recovery and business continuity plans.
“I’m worried about SCADA,” said Brunson White of Energen. “It is largely misunderstood, and we don’t have as much control over it as we think we do.”
Utilities haven’t thought enough about intrusion attacks when they develop security plans, said Denny Brown of Pinnacle West, the state of Arizona’s largest energy company, which also operates the state’s largest nuclear power plant. “We have to think differently than we did before,” Brown said. “We didn’t think about the bad guys being out there wanting to get into our networks and do nasty things.”
Ray Johnson of Entergy agreed, adding that a false sense of security exists because terrorists have yet to take down a major power plant in the U.S. “A lot of people think it won’t or can’t happen,” he said. But the economic and societal impact would be enormous should such an event occur, and that’s something utility executives and public utility commissions should be thinking about, he said. “If someone takes a nuclear plant offline, that will definitely get on CNN.
It’s a legitimate threat, said David Weber of NW Natural, a small gas distribution utility serving western Oregon and southwestern Washington. “We know [terrorists] have copies of [utilities’] SCADA system designs,” he said, further suggesting that utilities invest in intrusion-detection systems if they haven’t already done so. “They provide the ability to know how they’re exploiting you. They’re not that expensive and offer the most bang for the buck,” Weber said, adding that SCADA systems only are as secure as the Windows operating systems they ride over.
According to Johnson, intrusion detection is “high on our list.” He also said that Entergy is high on network performance monitoring, which he said could raise red flags. “We try to take several tools and correlate them,” he said. “Nine out of 10 times [the notification] is benign, caused by an internal application. But you have to be concerned about the one that will end up in the newspaper.”
Terrorists always are on the lookout for opportunities, Brown said. He told of a Washington Post story that identified a specific power plant as the number one terrorist target. The next day the plant recorded 200,000 denial-of-service attacks.
Traditionally, security has taken a back seat to other more pressing matters because of budget pressures created by cost-conscious public utility commissions. That has to stop, Johnson said.
“You just can’t push certain things back any longer,” he said. “You might have to take money from other areas, and you might irritate some people by canceling projects. So what? And if you haven’t been able to make the case, scream louder or bring someone else in who can [make the case].”
Brown agreed. “It’s like health—if you have it, you don’t want to spend money on it. But once you lose it, you spend a lot of money to get it back.”
The spate of natural disasters that have afflicted the U.S.—the four major hurricanes that struck the Gulf Coast states in 2004 and Hurricane Katrina last year—along with the prospect for terrorist or hacker attacks that could take their systems down have forced utilities to rethink their recovery strategies.
“Every year, we’re threatened by hurricanes, tornadoes, floods and ice storms, and every year we go through our disaster-recovery plan. But up until now, we didn’t focus much on business recovery,” said Johnson, whose utility has the city of New Orleans in its footprint.
That all changed after Katrina. In April, Entergy conducted a mock disaster to determine what would occur if its employees were forced out of their offices for a week. In August the mock scenario became reality, but this time workers were displaced for weeks.
“Each year we do a drill that stresses our plan. Typically we try to create a worst-case scenario. This year we found out it wasn’t.”
Nevertheless, the April drill proved effective, Johnson said. “The fact we brought some of these things up sped up the response from [upper management],” after Katrina struck.
Johnson added that he “can’t stress enough,” the importance of linking disaster-recovery and business-continuity plans. “Less than 24 hours after the levees broke, we realized we would have to implement our business recovery plan,” he said.
Brown agreed. “Katrina has forced us to think outside the box. We no longer can say it can’t happen here. We can’t prevent [disasters], but we can figure out what we have to do to respond. We have to take a Boy Scouts approach—be prepared.”