Dr. Rae Zimmerman, New York University - NYS SmartGrid ...

whirrtarragonElectronics - Devices

Nov 21, 2013 (3 years and 6 months ago)

49 views

Dependency of Electric Power on
Information Technology and
Cybersecurity

Rae Zimmerman

Professor of Planning and Public Administration

New York University, Wagner Graduate School of Public
Service


Advanced Energy 2013

Energy Cybersecurity II

Track I Session V

Jacob Javits Convention Center, New York, NY

May 1, 2013


NOT FOR DISTRIBUTION, USE, OR PUBLICATION


Highlights


Energy systems are highly dependent on information
technology (communication and control systems)


These technologies provide important services for
energy production and consumption


Dependencies of energy systems on information
technologies occur all across the energy production,
distribution and consumption chain


That dependency is growing with the “smart grid”


Cyber attacks are growing in general


It may be just a matter of time before these attacks
become a major threat to electric power systems


Some cases are already pointing in that direction


Use and Benefits of Information Technology
for Energy Needs: Production


Oil and Gas


Avoid accidents from production or
distribution


Convey products between concentrated
production points to highly dispersed
destinations


Electricity Production


Link production and use of electric power, and
reroute electricity in response to supply and
demand


Identify and reduce causes of power outages
and duration

Use and Benefits of Information Technology for
Energy Needs: Transmission and Distribution (Smart
Grid) and Emergency Functions


Overall support of smart grid infrastructure: A “Smart
Grid is a transformed electricity transmission and
distribution network or "grid" that uses robust two
-
way communications, advanced sensors, and
distributed computers to improve the efficiency,
reliability and safety of power delivery and use.”
http://en.wikipedia.org/wiki/Smart_grid



Emergency Functions


Identify anomalies or upsets in the system to prevent them
from spreading


Shut down equipment in emergencies to avoid equipment
damage


Use and Benefits of Information
Technology for Energy Needs: Renewable
Resources (U.S. Department of Energy)


Help overcome the increased transmission
distances and storage capacity from the use
of renewable energy resources and
intermittent resource availability


Maximize the efficiency of technologies such
as photovoltaic cells by enabling the location
and intensity of sunlight to be tracked


Facilitate the connection of renewable power
generation (photovoltaic arrays, small wind
turbines, micro hydro) to the grid

Communication and Control Systems for
Petroleum Delivery

Energy Sector Control Systems Working Group (ESCSWG) September 2011 Roadmap to Achieve
Energy Delivery Systems Cyber Security, p. 65

http://energy.gov/sites/prod/files/Energy%20Delivery%20Systems%20Cybersecurity%20Roadmap_finalw
eb.pdf

Communication and Control Systems for
Electric Power
Transmission and Distribution

Energy Sector Control Systems Working Group (ESCSWG) September 2011 Roadmap to Achieve
Energy Delivery Systems Cyber Security, p. 62.

http://energy.gov/sites/prod/files/Energy%20Delivery%20Systems%20Cybersecurity%20Roadmap_finalw
eb.pdf

Types of Adversaries for Information Systems

NIST (August 2010) Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture,
and High
-
Level Requirements The Smart Grid Interoperability Panel


Cyber Security Working Group, p. 9.

http://csrc.nist.gov/publications/nistir/ir7628/nistir
-
7628_vol1.pdf


Cyber Attacks are Increasing in General



Symantec’s trends reports for 2009 through
2012* generally note increases in


attacks on web sites and data (from hacking)


vulnerabilities, for example, from mobile operating
units and security systems


numbers of new malware signatures since 2002



Recovery times vary depending on type of attack


*Symantec (April 2010) Symantec Global Internet Security Threat Report, Trends for 2009, Mountainview, CA:
Symantec, p. 13 and 49; Symantec Corporation (2013) Internet Security Threat Report 2013 : Volume 18,
Mountainview, CA: Symantec.


Cyber Attacks are Increasing or are
Significant in the Electric Power Sector



The U.S. Department of Homeland Security
noted an increase in cyber incidents from “3 in
2009 to 25 in 2011” in the electricity sector.*



Symantec noted that the energy and utilities
sectors accounted for about ten percent of the
attacks in 2012 in the industry sector.**


*U.S. GAO (July 17, 2012) Testimony. Cybersecurity. Challenges in Securing the Electricity Grid Statement of
Gregory C. Wilshusen, Director Information Security Issues, Washington, DC: U.S. GAO, p. 10.


**Symantec Corporation (2013) Internet Security Threat Report 2013 : Volume 18, p. 15.


IT Failures: Oil and Gas Pipelines

Accidents Provide Insights for the Consequences of
Deliberate Acts of Terrorism



A dozen or more oil and gas pipeline failures were
reported during the 1990s due to deficiencies in
information system displays and lack of adequate
worker training to understand the displays.
Improvements were made in information
visualization (NTSB 2005).


Olympic’s

Bellingham Pipeline failure occurred in
June 1999 after an overloaded SCADA system
prevented operators from detecting a problem in the
pipeline, resulting in a spill of 277,000 gallons of
gasoline (
Sunde

June 1999).



IT Failures: Electric Power Production

Accidents Provide Insights for the Consequences of
Deliberate Acts of Terrorism



August 2003 Blackout. First Energy control room
operators were unaware visually and audibly that
an alarm had gone off, since their computer system
was impaired. This delayed their ability to detect
that something was wrong with the electrical
system. Subsequently, computer control servers
became disabled. (U.S.
-
Canada Power System
Outage Task Force April 2004).


A false oil flow alarm shut an electricity
transmission line down, causing a widespread
blackout in Southern California affecting 500,000
people (
Veiga

September 1, 2005).


Reported Cyber Attacks on Electric
Power



Smart meter attacks
. In April 2012, it was reported that sometime
in 2009 an electric utility asked the FBI to help it investigate
widespread incidents of power thefts through its smart meter
deployment. The report indicated that the miscreants hacked into
the smart meters to
change the power consumption recording
settings

using software available on the Internet.


Phishing attacks directed at energy sector
. The Department of
Homeland Security’s Industrial Control Systems Cyber Emergency
Response Team reported that, in 2011, it deployed incident
response teams to an electric bulk provider and an electric utility
that had been victims of broader phishing attacks. The team found
three malware samples
and detected evidence of a sophisticated
threat actor.


Stuxnet
. In July 2010, a sophisticated computer attack known as
Stuxnet was discovered. It
targeted control sys
tems used to
operate industrial processes in the energy, nuclear, and other
critical sectors. It is designed to exploit a combination of
vulnerabilities to gain access to its
target and modify code to
change the process
.”

U.S. GAO (July 17, 2012) Testimony. Cybersecurity. Challenges in Securing the Electricity Grid Statement of Gregory
C. Wilshusen, Director Information Security Issues, Washington, DC: U.S. GAO, pp. 10
-
11.

Reported Cyber Attacks on Nuclear
Power Plants



Browns Ferry power plant
. In August 2006, two
circulation pumps at Unit 3 of the Browns Ferry,
Alabama, nuclear power plant failed, forcing the unit to
be shut down manually. The failure of the pumps was
traced to
excessive traffic on the control system
network
, possibly caused by the failure of another
control system device.”



Davis
-
Besse power plant
. The Nuclear Regulatory
Commission confirmed that in January 2003, the
Microsoft SQL Server worm known as Slammer infected
a private computer network at the idled Davis
-
Besse
nuclear power plant in Oak Harbor, Ohio,
disabling a
safety monitoring system

for nearly 5 hours. In addition,
the plant’s
process computer failed
, and it took about 6
hours for it to become available again.”

U.S. GAO (July 17, 2012) Testimony. Cybersecurity. Challenges in Securing the Electricity Grid Statement of Gregory
C. Wilshusen, Director Information Security Issues, Washington, DC: U.S. GAO.

Summary of Cybersecurity Vulnerabilities in
the Electric Power Sector


“an increased number of entry points and paths that
can be exploited by potential adversaries and other
unauthorized users;



use of new system and network technologies;



wider access to systems and networks due to
increased connectivity; and



an increased amount of customer information being
collected and transmitted, providing incentives for
adversaries to attack these systems and potentially
putting private information at risk of unauthorized
disclosure and use.”

U.S. GAO (July 17, 2012) Testimony. Cybersecurity. Challenges in Securing the Electricity Grid Statement of Gregory
C. Wilshusen, Director Information Security Issues, Washington, DC: U.S. GAO.