Richard B. Andres
At a time when electric companies are witnessing an unprecedented rise in cyber-attacks against the industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems that monitor and regulate power grids, the response of industry executives has ranged from paralysis to indifference. This stance is indefensible because it is not attributable to ignorance: According to recent surveys, executives understand that they face significant threats in cyberspace, but still choose not to act to shore up their companies' vulnerabilities.
The 2010 discovery of Stuxnet malware, the 2012 Shamoon virus, and the February 2013 unmasking of the Chinese military's Unit 61398 have all highlighted the dangers facing energy providers in cyberspace. However, as one board member of the U.S. National Cyber Council has observed, these incidents represent only a few of the shots fired in a "cyber war [that] has been under way in the private sector for the past year." Empirical evidence bears out the extent of the threat: ICS-CERT, the Department of Homeland Security's industrial control system cyber emergency response team, responded to 198 cyber incidents across all critical infrastructure sectors in 2012, of which 41% were in the energy sector. An NSS Labs report paints an even more sobering picture: ICS/SCADA vulnerability disclosures have increased more than 600% since 2010.
The highest-ranking executives and managers at the largest power companies are well aware of the persistence and magnitude of the threat they face. A recent study prepared by the Center for Strategic and International Studies (CSIS) and McAfee, which surveyed 200 industry executives from critical electricity infrastructure enterprises in 14 countries, received alarming responses: 80% of respondents said that they had faced a large-scale denial-of-service attack, and 85% had experienced network infiltrations. Two-thirds said that they had frequently found malware designed for sabotage on their systems. A sizeable number of attacks were cyber extortion attempts, in which criminal enterprises threaten to shut off power unless a ransom is paid. A plurality of utility executives (30%) also regard the People's Republic of China as the most threatening state actor in cyberspace.
Given the growth of the cyber threats to utilities, and executives' awareness of those threats, one might expect that they are pulling out all the stops to secure their ICS/SCADA systems. Unfortunately, the aforementioned CSIS/McAfee study's disturbing conclusion was that the industry's collective reaction is best characterized as paralysis: It recognizes the threat, but it is not acting. While 40% of the study's respondents acknowledged that their industry's vulnerabilities had grown over the last year, between a fifth and a third said that their company was "not at all prepared" or "poorly prepared" for cyber-attacks. All of these companies cited compliance with the mandatory North American Electric Reliability Corporation (NERC) cyber security standards, but most also acknowledged that they did not comply with NERC's voluntary measures. Many industry executives are also failing to cooperate adequately with the federal government, even though Presidential Policy Directive 21 (PPD-21) suggests that it is the government's responsibility both to defend against and to respond to critical infrastructure threats. More than a third of executives in the CSIS/McAfee study said that they had no contact at all with the government on cybersecurity, and most of the remainder said that they had only "informal exchanges" on the topic. The industry's reaction is most aptly illustrated by its cavalier attitude towards smart grid adoption: Even though smart grids will increase the number of "secondary access" points in SCADA networks that can be exploited by hackers, the implementation of smart grid technology remains the single largest priority for utilities, with global spending set to exceed $45 billion by 2015.
The CSIS/McAfee survey is eye-opening in how sharply it differs from most companies' public statements about their SCADA vulnerabilities. The survey raises the question: Why aren't utility companies doing more to protect themselves? The most significant reason is that the market does not adequately punish companies that cost their customers money and lives. The Northeast Blackout, for instance, which affected 55 million people in the U.S. and Canada, began with a software bug in a SCADA system. FirstEnergy, the company operating the system, saw its share price drop from $31 to $25 in the week after the blackout, but within two and a half weeks the share price had climbed back to its pre-blackout level.
Former Secretary of Defense Leon Panetta once warned that inadequate protection of cyber infrastructure risks a "cyber Pearl Harbor," but Hurricane Katrina might be the better analogy. The National Science Foundation study that investigated the levee failures found that design flaws, poor maintenance standards, and inadequate government supervision and regulation of maintenance led to the catastrophe that befell New Orleans in 2005. The parallels between New Orleans's lack of preparation for Katrina and the power industry's failure to improve its cyber security posture are stark. Energy executives' unwillingness to respond to the threat of cyber-attacks on their SCADA infrastructure could easily lead to an outcome far worse than what New Orleans faced as a result of its leaders' lack of preparation for a known threat.
Richard B. Andres is a Senior Fellow at the Institute for National Strategic Studies at National Defense University and a Professor of National Security Strategy at the National War College.
Matthew Thomas is a researcher at the Institute for National Strategic Studies at the National Defense University.
The opinions expressed in this article are those of the authors alone and do not necessarily represent those of National Defense University, the Department of Defense, or the U.S. Government.