NERC (North American Electric Reliability Corporation) held its second grid security exercise, or GridEx, over a two-day span. During this exercise, nearly 10,000 electrical engineers, cybersecurity specialists, utility executives and F.B.I. agents wrestled with an unseen, virtual “enemy” trying to disrupt the electrical infrastructure in the U.S. It included simulated computer viruses, line and equipment damage and even first-responder deaths in an effort to understand and evaluate participants’ abilities to understand, communicate and neutralize a multitude of simultaneous threats.
This type of exercise is important for the people and organizations involved in securing our cyber infrastructure, helping them gain a real-world(ish), real-time analysis of the structure and procedures in place guarding these assets. As shown in a recent Control Engineering feature article, it might be easier than previously anticipated for cyber intruders to gain access to networked control systems. Their cyber security experiment revealed that lesser-skilled and inexperienced hackers, who did not realize that this was a “honey net” (a fake asset used to lure them), were able to find, access and manipulate these fake municipal water utility network control systems.
As a result of technological and geo-political changes, some industries have made changes in the form of regulations that put specific requirements in place around critical infrastructure security. Many of these industries, such as power generation, nuclear, chemical and water, are perhaps obvious institutions where such a focus on security is warranted. Regardless of your opinion of the likelihood of cyber and infrastructure attacks, most will agree those groups represent the likeliest of targets, with the goal of such attacks being to strike fear, disrupt everyday life and cause physical and economic damage. Especially when weighing all of those potential repercussions to the population at large, one can understand the reasoning behind these regulations. But where does that leave other industries that have similar infrastructure, technologies and, presumably, security gaps?
What are the security risks and potential consequences associated with a pudding or ibuprofen manufacturing line? Unless the process consists of superheating a vessel or something similar, the chances are probably very low that any significant physical damage or destruction might result. That leaves the most likely consequences revolving around a bad batch or amount of product, caused by changes made to things like set points and other quality-influencing parameters. The chance that such bad-quality product would actually leave the plant and make its way to the consumer is fairly low given the quality procedures most companies implement. That leaves mostly a corporate sabotage-type motive: causing the target to create and scrap a lot of waste product (or unnecessarily consume raw materials, etc.). While the loss of a batch or materials might have some real cost significance, because that threat is based solely on wanting to financially impact the target, the likelihood that someone would be skilled and motivated enough to pull off such an act is perhaps quite low.
So do those industries then not concern themselves with cyber security? Is the low potential for motivation and for the ‘havoc’ that can be caused reason to say that the costs of securing systems outweigh the risks they protect against? Or does the fact that people out there can access these systems and ‘do bad things’ justify the costs associated with keeping these assets secure?
By: Brian Fenn