1 / 15

Dependency of Electric Power on Information Technology and Cybersecurity

Dependency of Electric Power on Information Technology and Cybersecurity. Rae Zimmerman Professor of Planning and Public Administration New York University, Wagner Graduate School of Public Service Advanced Energy 2013 Energy Cybersecurity II Track I Session V

Download Presentation

Dependency of Electric Power on Information Technology and Cybersecurity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Dependency of Electric Power on Information Technology and Cybersecurity Rae Zimmerman Professor of Planning and Public Administration New York University, Wagner Graduate School of Public Service Advanced Energy 2013 Energy Cybersecurity II Track I Session V Jacob Javits Convention Center, New York, NY May 1, 2013 NOT FOR DISTRIBUTION, USE, OR PUBLICATION

  2. Highlights • Energy systems are highly dependent on information technology (communication and control systems) • These technologies provide important services for energy production and consumption • Dependencies of energy systems on information technologies occur all across the energy production, distribution and consumption chain • That dependency is growing with the “smart grid” • Cyber attacks are growing in general • It may be just a matter of time before these attacks become a major threat to electric power systems • Some cases are already pointing in that direction

  3. Use and Benefits of Information Technology for Energy Needs: Production • Oil and Gas • Avoid accidents from production or distribution • Convey products between concentrated production points to highly dispersed destinations • Electricity Production • Link production and use of electric power, and reroute electricity in response to supply and demand • Identify and reduce causes of power outages and duration

  4. Use and Benefits of Information Technology for Energy Needs: Transmission and Distribution (Smart Grid) and Emergency Functions • Overall support of smart grid infrastructure: A “Smart Grid is a transformed electricity transmission and distribution network or "grid" that uses robust two-way communications, advanced sensors, and distributed computers to improve the efficiency, reliability and safety of power delivery and use.” http://en.wikipedia.org/wiki/Smart_grid • Emergency Functions • Identify anomalies or upsets in the system to prevent them from spreading • Shut down equipment in emergencies to avoid equipment damage

  5. Use and Benefits of Information Technology for Energy Needs: Renewable Resources (U.S. Department of Energy) • Help overcome the increased transmission distances and storage capacity from the use of renewable energy resources and intermittent resource availability • Maximize the efficiency of technologies such as photovoltaic cells by enabling the location and intensity of sunlight to be tracked • Facilitate the connection of renewable power generation (photovoltaic arrays, small wind turbines, micro hydro) to the grid

  6. Communication and Control Systems for Petroleum Delivery Energy Sector Control Systems Working Group (ESCSWG) September 2011 Roadmap to Achieve Energy Delivery Systems Cyber Security, p. 65 http://energy.gov/sites/prod/files/Energy%20Delivery%20Systems%20Cybersecurity%20Roadmap_finalweb.pdf

  7. Communication and Control Systems for Electric Power Transmission and Distribution Energy Sector Control Systems Working Group (ESCSWG) September 2011 Roadmap to Achieve Energy Delivery Systems Cyber Security, p. 62. http://energy.gov/sites/prod/files/Energy%20Delivery%20Systems%20Cybersecurity%20Roadmap_finalweb.pdf

  8. Types of Adversaries for Information Systems NIST (August 2010) Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements The Smart Grid Interoperability Panel – Cyber Security Working Group, p. 9. http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf

  9. Cyber Attacks are Increasing in General • Symantec’s trends reports for 2009 through 2012* generally note increases in • attacks on web sites and data (from hacking) • vulnerabilities, for example, from mobile operating units and security systems • numbers of new malware signatures since 2002 • Recovery times vary depending on type of attack *Symantec (April 2010) Symantec Global Internet Security Threat Report, Trends for 2009, Mountainview, CA: Symantec, p. 13 and 49; Symantec Corporation (2013) Internet Security Threat Report 2013 : Volume 18, Mountainview, CA: Symantec.

  10. Cyber Attacks are Increasing or are Significant in the Electric Power Sector • The U.S. Department of Homeland Security noted an increase in cyber incidents from “3 in 2009 to 25 in 2011” in the electricity sector.* • Symantec noted that the energy and utilities sectors accounted for about ten percent of the attacks in 2012 in the industry sector.** *U.S. GAO (July 17, 2012) Testimony. Cybersecurity. Challenges in Securing the Electricity Grid Statement of Gregory C. Wilshusen, Director Information Security Issues, Washington, DC: U.S. GAO, p. 10. **Symantec Corporation (2013) Internet Security Threat Report 2013 : Volume 18, p. 15.

  11. IT Failures: Oil and Gas Pipelines Accidents Provide Insights for the Consequences of Deliberate Acts of Terrorism • A dozen or more oil and gas pipeline failures were reported during the 1990s due to deficiencies in information system displays and lack of adequate worker training to understand the displays. Improvements were made in information visualization (NTSB 2005). • Olympic’s Bellingham Pipeline failure occurred in June 1999 after an overloaded SCADA system prevented operators from detecting a problem in the pipeline, resulting in a spill of 277,000 gallons of gasoline (Sunde June 1999).

  12. IT Failures: Electric Power Production Accidents Provide Insights for the Consequences of Deliberate Acts of Terrorism • August 2003 Blackout. First Energy control room operators were unaware visually and audibly that an alarm had gone off, since their computer system was impaired. This delayed their ability to detect that something was wrong with the electrical system. Subsequently, computer control servers became disabled. (U.S.-Canada Power System Outage Task Force April 2004). • A false oil flow alarm shut an electricity transmission line down, causing a widespread blackout in Southern California affecting 500,000 people (Veiga September 1, 2005).

  13. Reported Cyber Attacks on Electric Power • “Smart meter attacks. In April 2012, it was reported that sometime in 2009 an electric utility asked the FBI to help it investigate widespread incidents of power thefts through its smart meter deployment. The report indicated that the miscreants hacked into the smart meters to change the power consumption recording settings using software available on the Internet. • Phishing attacks directed at energy sector. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team reported that, in 2011, it deployed incident response teams to an electric bulk provider and an electric utility that had been victims of broader phishing attacks. The team found three malware samples and detected evidence of a sophisticated threat actor. • Stuxnet. In July 2010, a sophisticated computer attack known as Stuxnet was discovered. It targeted control systems used to operate industrial processes in the energy, nuclear, and other critical sectors. It is designed to exploit a combination of vulnerabilities to gain access to its target and modify code to change the process.” U.S. GAO (July 17, 2012) Testimony. Cybersecurity. Challenges in Securing the Electricity Grid Statement of Gregory C. Wilshusen, Director Information Security Issues, Washington, DC: U.S. GAO, pp. 10-11.

  14. Reported Cyber Attacks on Nuclear Power Plants • “Browns Ferry power plant. In August 2006, two circulation pumps at Unit 3 of the Browns Ferry, Alabama, nuclear power plant failed, forcing the unit to be shut down manually. The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device.” • “Davis-Besse power plant. The Nuclear Regulatory Commission confirmed that in January 2003, the Microsoft SQL Server worm known as Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly 5 hours. In addition, the plant’s process computer failed, and it took about 6 hours for it to become available again.” U.S. GAO (July 17, 2012) Testimony. Cybersecurity. Challenges in Securing the Electricity Grid Statement of Gregory C. Wilshusen, Director Information Security Issues, Washington, DC: U.S. GAO.

  15. Summary of Cybersecurity Vulnerabilities in the Electric Power Sector • “an increased number of entry points and paths that can be exploited by potential adversaries and other unauthorized users; • use of new system and network technologies; • wider access to systems and networks due to increased connectivity; and • an increased amount of customer information being collected and transmitted, providing incentives for adversaries to attack these systems and potentially putting private information at risk of unauthorized disclosure and use.” U.S. GAO (July 17, 2012) Testimony. Cybersecurity. Challenges in Securing the Electricity Grid Statement of Gregory C. Wilshusen, Director Information Security Issues, Washington, DC: U.S. GAO.

More Related