Electric Utility Reliability: Adding Cyber Security to an Already Complex Mix

by George W. Zobrist

The nation has experienced several “blackouts” in recent years, even without such outside intrusions as cyber terrorism. Many of the outages have occurred, in part, because of the complexity of our nation’s electric utility infrastructure, which has raised concerns related to reliability.

IEEE-USA outlined many such concerns in its Electric Utility Reliability position paper. They include:

• A decline in the quality of reliability will most likely have an impact on the nation’s economy

• The consequences of this decline probably result from an under-investment in meeting the growing demand

• A system’s reliability and economic efficiency can only be achieved at regional levels, because of the nature of the electric utility infrastructure

• In the past, reliability was achieved locally on a voluntary basis, but ever since the interconnected infrastructure increased complexity and industry deregulation spurred competition, this voluntary process has had limited success

• To restore reliability in the electric utility system, the American Electric Reliability Council needs to change from a voluntary process to one guided by law

When Is a System Considered Reliable?

When the electric system delivers energy to the bulk of customers within accepted standards, and in the amounts desired for a reasonable price, then it is said to be reliable. But when the potential for security breaches and even large-scale terrorism gets added to the already present weather factors and equipment failures, the reliability scenario becomes far more complex.

Reliability and Security Threats

North America’s electrical power grid is a highly complex “machine.” While the system is physically dispersed, it is coming under increasingly centralized control. Still, it only takes momentary disruptions in portions of the grid to wreak havoc. According to an article in IEEE Security & Privacy (September/October 2003), for example, a 20-minute outage at an integrated circuit fabrication facility could cost the facility $30 million.

According to Joe Weiss, a utility control expert with Kema Consulting in Cupertino, Calif., experts have suggested that the “Blaster” worm may have worsened the Northeast grid problems during the August 2003 blackout. And according to the Associated Press, the “Slammer” Internet worm took down computers at FirstEnergy’s idled Davis-Bessie plant in January 2003.

As a result of these and other cyber-related occurrences and threats, various organizations are taking action. Potomac Electric Power Company, a utility that serves the Washington, D.C. metropolitan area, is screening potential new hires with much closer scrutiny. In addition, the Northwest Public Power Association has stepped up its efforts to inform utilities that knowledgeable hackers can issue false commands to control systems that could disrupt an electric system. And, the FBI has warned electric utility companies that certain information posted on company web sites could actually aid cyber terrorists, prompting the Environmental Protection Agency, among others, to remove critical information from its site.

How Real is the Threat?

While some terrorism experts believe utilities should be concerned, they are somewhat skeptical. The likelihood of a cyber attack is small, they say, because critical components of the infrastructure control mechanism are not accessible through the Internet.

Utilities are automating the grid with digital switches and high-tech gear. These improvements are making the system more reliable, but are also making it more vulnerable to cyber attacks. Often, utilities upgrade and program these switches and monitoring gear remotely; if they do so through the Internet, the system immediately becomes more vulnerable. According to the Associated Press, researchers illustrated this vulnerability when they figured out how to access remote terminal units and command them to trip and reset breakers.

The greatest “clink” in the security armor relates to when offsite operators use dial-up access to work with the system, a practice that is becoming more prevalent. Dial-up access opens the door for password security breaches, since password security is relatively easy to break into. Password protection has been enhanced, but such enhancements are fairly sophisticated and make operator access more complex (http://members.tripod.com/opticfiber/grids.html). At least in the short term, threats will more likely be directed toward such ancillary functions as online billing, a real threat for most commercial applications (www.wired.com/news).

As IEEE-USA states in its position, policy must be consistent with sound technical and economic analysis because of the electric power system’s technological complexity. But as author Terry Costlow pointed out in a March 2003 IEEE-USA Today’s Engineer article, the Bush administration’s main thrust on cyber security seems to be to increase awareness, rather than dictate by legislation.

For More Information

• www.google.com – search on electric utility security/reliability/cyber security
• www.ieeeusa.org
• www.globalsecurity.org
• www.iappliance.com
• www.wired.com
• www.epri.com

 

---

Dr. George W. Zobrist is professor emeritus at the University of Missouri-Rolla, Department of Computer Science. He is IEEE-USA's Member Activities editor.