The engineers who built it proudly describe the electricity grid as man’s biggest machine. And the Internet — well, it’s changing everything, or so it sometimes seems.
What happens when these two networks are brought together, say by putting in place a control system for the grid that can be accessed from the Internet? We may be about to find out.
According to counter-terrorism expert Richard A. Clarke, we are conducting a huge experiment that could have huge consequences. Earlier this year, Clarke released Cyber War: The Next Threat to National Security and What to Do About It that provoked quite a reaction. Some loved it. Glenn Harlan Reynolds wrote in the Wall Street Journal:
In some intelligence circles the threat of cyber attacks is scoffed at, but I think that Messrs. Clarke and Knake are right to sound the alarm. (Mr. Clarke, we should recall, was the head of counterterrorism security in the Clinton and George W. Bush administrations.) As Henry Fielding remarked long ago, those who lay the foundation of their own ruin find that others are apt to build upon it. By constructing, and then relying on, vulnerable systems that are now entwined with almost every aspect of American life, we have laid just such a foundation. The time has come to fix it or at least to refine the systems to avoid catastrophic failure.
Others hated it. Ryan Singel wrote in Wired:
Clarke returns over and over to the security of the power grid, focusing on the systems known as SCADA that allow utilities to remotely monitor and control electric generation and transmission equipment. Here, he starts reasonably enough: Good security practices dictate that these systems should be unreachable from the public net, and, unfortunately, that’s not always the case. But from there, he quickly moves back to fantasy. He suggests darkly throughout the book that the nation’s power and chemical plants are all shot through with secret backdoors implanted by the Russian, North Korean and Chinese governments, even though there’s never been a single publicly documented case, outside of a vague and anonymously sourced article in the Wall Street Journal.
Singel’s criticism focuses on Clarke’s hyperbole and certain of his proposals for mandating security measures by Internet service providers. Clarke himself acknowledges that Internet businesses, like most other businesses, are opposed to mandatory anything.
Singel seems to agree that the power grid is vulnerable.
More persuasively, Clarke argues the feds need to set some real, auditable and binding rules for companies that run critical infrastructure, such as the electrical grid. The current policy is driven by the rationale that private-sector companies have enough financial incentive to protect their network, and the government’s role should be limited to helping share information about threats among the stakeholders. That policy works well when it comes to companies like Google and Chase, which could lose customers if their networks are routinely hacked, but isn’t as effective for your energy company, which likely has no real competition.
As befits a long-time Washington insider, Clarke’s complaint boils down to a critique of the policy process. His core prescription probably has wide support:
The only way to secure the grid is to require encryption of commands to the devices running the system, along with authentication of the sender, and a series of completely out-of-band channels that are not connected to the companies’ intranets or the public Internet. (See page 266.)
Why isn’t it happening?
The FERC has not required that, but it did finally issue some regulations in 2008. It has not yet started to enforce them. When it does, do not expect much. That commission completely lacks the skills and personnel needed to ensure that power companies disconnect their controls from any pathway that a hacker could use. (See page 266.)
Clarke proposes a “Cyber Defense Administration” that would be charged with securing critical portions of the civilian Internet, including power grid controls.
The mission of auditing the electric companies’ compliance should also be given to the Cyber Defense Administration, where the expertise could be built and where the overly chummy relationship with the industry exhibited by the FERC would not get in the way. (See page 266.)
Clarke’s critique of “grid governance” does not go past the FERC (for which he clearly has little respect.) He would have become even grumpier had he discovered how balkanized the grid is, with important — and overlapping — roles played by NERC, state utility commissions, several federal entities (like TVA) and regional transmission organizations. Clarke is a security guy — he wants to know the chain of command — who’s in charge of what and who’s responsible for which.
Smart Grid also comes under scrutiny. The Obama Administration’s Smart Grid initiative promotes the installation of digitized and networked meters in homes and businesses to provide utilities and their customers with vastly more information about — and control over — energy use. The promises of the Smart Grid are great — cost savings for consumers, reductions in power usage and more efficient use of existing transmission and distribution assets.
Clarke does not challenge these potential benefits but his concerned about proceeding with Smart Grid absent more effective cyber security. Clarke asserts that, when it comes to Department of Energy cyber-security review of Smart Grid grant applications:
There are no publicly available standards. One idea for a standard might be that the taxpayers don’t give any of the $3.4 billion in Smart Grid money to companies that haven’t secured their current systems.
Clarke does not question the potential benefits of the Smart Grid. What he worries about it is further digitization of grid controls without putting in place what he would consider to be adequate cyber security safeguards. Gumming up the works with new federal regulations and telling businesses what to do hasn’t been the flavor of the month in Washington for quite a while, as the pessimistic Clarke acknowledges.
The author of Cyber War probably won’t take much comfort in the release of Smart Grid security guidelines by the National Institute of Standards and Technology. Some critics have already panned it as closing the barn door after the horse has left. And the question remains of who enforces any standards as well as how knowledgeably and aggressively they do so.