PROTECTING CRITICAL INFRASTRUCTURE: A Shared Responsibility

Dec 1, 2007 12:00 PM

“[If] this administration doesn't recognize and prioritize these problems soon, the future isn't going to be pretty,” says Jim Langevin, D-R.I. “For a society whose very function depends on reliable power, the disruption of electricity to chemical plants, banks, refineries, hospitals, water systems and military installations presents a terrifying scenario.”

Responding to the chairmens' requests to get DHS involved was Gregory Garcia, DHS assistant secretary of cybersecurity and telecommunication. Because the nation's power generation facilities are not the property of the government, Garcia says that it is hard for DHS to develop standards. “Because the private sector owns and operates 90 percent or so of the critical infrastructure that we need to protect, responsibility for protecting our nation's control systems lies heavily with the private sector,” Garcia says.

Jim Woolsey, vice president of Booz Allen & Hamilton for Global Strategic Security and former director of the U.S. Central Intelligence Agency (CIA), agrees with Garcia about the lack of responsibility across the board.

“Authority for security of the grid is not clear in federal legislation. Right now, most security responsibility is under the state level, and at that level, a lot of the people thinking about security are not thinking about things like an attack to the grid. They are thinking about guards and gates at headquarters,” Woolsey says. “We need a federal role. We need to give authority to FERC energy experts.”

Woolsey has his own concerns about the grid's vulnerabilities, which center in two areas. The first is the aforementioned cyber threat to the Supervisory Control and Data Acquisition (SCADA) systems, which are the electronic controls for the grid. Terrorists could study these systems that distribute electricity and plan attacks to create system collapses. Although he says that there are some good fixes for this vulnerability out there, he hasn't seen any investments in them. “It costs money and there is no incentive under the current system for the grid to be maintained in a secure and redundant way,” Woolsey says. “Because SCADA is being increasingly hooked up over the Internet using standardized software products, we've reduced the resilience of the grid, and we really need to take steps to make it more resistant against these hacks.”

The second major vulnerability is the physical threat to transformers, which Woolsey says are not even protected by a covering. “Transformers just need a simple bulletproof protection. They sit out in electric substations and can take a substantial amount of time to replace. Also, there are hardly any spares, and for some reason, which I don't understand, the spares are stored right next to the ones being used.”

Destroying a transformer (and its closely located spare) is an especially potent thought since the release of a video produced by the DHS. The video shows the results of a simulated attack on a power network, including a turbine that dramatically overheats and shuts down. It is known as the Aurora Generator Test.

“It's so graphic,” says Amit Yoran, former U.S. cybersecurity chief for the Bush administration. “Talking about bits and bytes doesn't have the same impact as seeing something catch fire.”

Even McClelland addressed the threat to equipment in his testimony, claiming that the prevalence in the industry of “legacy equipment” may not be readily adaptable for purposes of cybersecurity protection. His testimony states that if this equipment is left vulnerable, it could be the focal point of efforts to disrupt the grid, and that replacing this equipment or retrofitting it to incorporate cybersecurity protection could be costly. But a successful cyber attack could damage the bulk-power system and economy in ways that cost far more.

And according to an NERC survey of 236 industry executives, 65 percent of respondents believe it is highly likely that that aging infrastructure will impact reliability, and 53 percent believe that could be at a “high severity” level.

Bringing together his concerns for the grid, Woolsey says, “Those two things together, or a simultaneous attack on both, could be extremely serious.”

He says that another vulnerability is the fact that so many people rely on one central source of electricity, and that it is a good idea for hospitals, government buildings, police stations and even homes to have as much ability as they can to carry on critical functions, even if all electrical needs cannot be met.

“Generating electricity locally can help isolate failures, and can take a load off the grid,” Woolsey says. “If you can slim down on electricity needs, it can have a major effect and satisfy critical parts with locally generated energy and electricity.”

Woolsey points to a 2003 blackout that left 3 million without electricity because a tree branch fell on some power lines. In just 9 seconds an entire section of the Northeast and Canada was without power.

Woolsey says that vulnerability to attack will decrease — or increase — in time, depending on what the country does. “Right now we aren't doing much to reduce it, but one bright spot is the increasing efficiency, reduced costs and improved performance of batteries, such as storage batteries and flow batteries. This all makes it feasible and affordable for buildings and homes to do their own electricity generation,” he says.

So would it just be a safer bet to have a grid that is more likely to recover after an attack rather than one that is more sustainable to what is most likely an inevitable attack? Woolsey says no. “If we make it more resilient against attack, we can make it easier to recover quickly. To do this we can stockpile spare transformers and move toward locally distributed generation.”
— Stephanie Silk

FROM ANOTHER INDUSTRY:

Four-tiered program leads the chemical and fertilizer industry's efforts to secure its products

Responsibility for security of the chemical and fertilizer industries is shared among federal, state and local governments as well as the private sector. The Department of Homeland Security (DHS) has issued Chemical Facility Anti-Terrorism Standards (CFATS) for any facility that manufactures, uses, stores or distributes certain chemicals above a specified quantity.

Appendix A of the standards, or the Chemicals of Interest (COI) list, enables DHS to identify any chemical facility that is a potentially high-risk facility. These facilities participate in the Chemical Security Program spelled out in the CFATS Interim Final Rule, which requires covered facilities to fulfill certain risk-based performance standards on security. The first step to determine a facility's risk is to complete and submit a Chemical Security Assessment Tool (CSAT) Top Screen to DHS.

“The security issues that we are most concerned with are the [intentional] release of certain chemicals, and theft and diversion of materials that could be used as direct weapons or used indirectly to create weapons. [We are also interested in] chemicals that raise the issue of sabotage, and these would be chemicals that react with water,” says Marybeth Kelliher, deputy chief of the Policy and Programs Branch for the DHS Chemical Security Compliance Division.

The requirements encompassed 4,000 public comments from the industry, of which 75 percent came from propane producers, distributors and users. Comments from the propane industry led to a revision in which DHS focuses on high-risk facilities

The Web-based CSAT, which is the IT backbone of the CFATS program, has three components. The Top Screen, the first component, is the one being used the most so far, according to Kelliher. One-thousand facilities have submitted one, and 10,000 have registered to submit one.

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

Story Missing Your Link?

• Innovation In The Sun
• Tackling Identity Theft
• Search And Rescue