As President Obama weighs the decision to issue an executive order following the failed Cyber Security Act of 2012, a security alert issued by an arm of the Department of Homeland Security (DHS) earlier this week cast a spotlight on the vulnerabilities of networking and other gear that make up the U.S. electric grid.
DHS warned that security researcher Justin Clarke of Cylance had discovered a vulnerability in Siemens-owned RuggedCom’s Rugged Operating System (ROS) which could decrypt secure traffic between RuggedCom networking equipment and end-users. Reuters, which broke the news of Clarke's finding (his second discovery of a flaw in RuggedCom gear this year), characterized the flaw as "one that could enable hackers to attack power plants and other critical systems."
Although that contention is likely an overstatement, RuggedCom's networking gear, designed to withstand harsh environments, is indeed widely used by the nation's electric utilities to support communications to remote power stations and other mission-critical functions. And RuggedCom's faulty security could be the tip of the iceberg when it comes to vulnerable equipment deployed by utilities.
What other vendors sell vulnerable gear to the energy industry and which vendor is likely to pop up next in a DHS alert? "You could throw a dart at a dartboard with a list of a vendors and come up with the next one," according to Patrick Miller, President and CEO of EnergySec, an industry body focused on cyber security.
"But it's like a bell curve. Some are on the front end and are doing good things, there is a bunch in the middle and a lot of bad ones at the end," Miller said.
In fact, there is less security testing of the components that make up the electric grid than there is for the switches, routers and other devices that make up the Internet. "If it's intended to go into a substation, depending on the type of device, there is a higher likelihood that it hasn't gone through the same security measures as have the devices that go on the Internet," according to Miller, who is also the Principal Investigator for the National Electric Cybersecurity Organization (NESCO).
Two big factors foster energy industry use of vulnerable gear. First, secure devices are very expensive, requiring secure coding, secure supply chain procedures and other costly steps. And state public utility commissions keep a tight rein on utility expenses, forcing utilities to cut costs at every corner.
Utility "profits are regulated. Every step along the way in terms of expenses is regulated. Are ratepayers going to want to pay that?" Miller said. "The commissioners pride themselves on making sure the expenditures are prudent. If it looks like you're gold-plating," they won't approve utility expenditures.
Even if utilities were able to persuade regulators to sanction more expensive, more secure gear, any technology upgrade could trigger a chain reaction of additional costs, which would also have to be passed onto ratepayers. "If you can economically support that kind of technology refresh, they may end up voiding the warranty on their multimillion dollar management system," because other components in the system won't have been tested and warranted for compatibility with the new gear.
If energy industry gear is so widely considered to be vulnerable (which several industry cyber security technologists have confirmed) and regulators won't allow utilities to raise rates to pay for better gear, what's the solution?
"The solution is basically better architectures," Miller said. "You have to get past the mindset that the system is 100% secure" and instead work on ideas that teach utilities how to operate through an attack, how to operate through a vulnerable state.
Because no matter how secure or new the devices, energy sector companies will have to constantly battle device breaches from here on out. "It's almost whack-a-mole," Miller said. Technology breaches happen so regularly and so frequently that "there's another problem with the next device, another problem with the next device, another problem with the next device."
Image credit: Siemens.