Cybersecurity: How US utilities passed up chance to protect their networks
Cybersecurity needs are not hypothetical, as the recent DHS warning of a cyberattack on the US natural gas industry shows. Why then was a post-9/11 initiative to secure US utilities dropped?
With America now trying to thwart a cyberattack on its natural gas industry, it is helpful to recall the hectic days after 9/11, when industry scientists raced to shield from potential terrorist cyberattacks hundreds of thousands of vulnerable devices that control vital valves and switches on America's gas pipelines, water plants, and power grid.Skip to next paragraph
Subscribe Today to the Monitor
It was a race that seemed winnable. After five years of intense effort, a 35-member team of industrial-control-system wizards from the gas, water, and electric utilities industries had created a powerful new encryption system to shield substations, pipeline compressors, and other key infrastructure from cyberattack.
But just weeks before it was to be finalized in 2006, the federal funding plug was pulled on development of the encryption system, called AGA-12. Meanwhile vital industry backing from the American Gas Association and its partners at the electric power and water utility industries that once drove that funding had waned, say those who worked on the project. [Editor's note: The original version of this story mischaracterized the funding source for AGA-12 development.]
To this day, the cancelation of the project has called into question whether US utilities will, on their own, invest in measures necessary to protect their networks.
Tested at a Los Angeles water treatment plant, a gas utility in Chicago, and other locations, AGA-12 worked well. National labs verified it. Experts said it was good to go. Yet with 9/11 receding in memory, utility industry executives had begun worrying anew about the cost of deploying the system, former project participants say.
Today, six years after AGA-12 was aborted and 11 years after the World Trade Center attacks, the US natural gas industry is trying to thwart a real cyberattack campaign, according to the US Department of Homeland Security (DHS). Congress, meanwhile, is still debating whether voluntary or mandatory security standards are the best way to secure America's critical infrastructure.
All of which leaves researchers who helped develop AGA-12 frustrated and a little wistful about the digital shield that they say would have provided a badly needed layer of security – especially in light of a trend toward cyberattacks on critical infrastructure companies.
"Technically it was an excellent standard and we were almost done with it when the project was terminated," says William Rush, a now-retired scientist formerly with the Gas Technology Institute, who chaired the effort to create the AGA-12 standard. "One of the things I wake up in the middle of night and worry about is what to do if we've just been attacked. That's not the time to worry about it – now's the time."
AGA-12, he says, was designed to secure older industrial control system devices out in the field, many of which still today communicate by modem and phone line, radio, or even wireless signal, but were never designed with cybersecurity in mind and remain highly vulnerable today.
It's not clear that AGA-12 could have stopped the "spear-phishing" type of cyberattack now under way against the natural gas industry, experts say. But it could stop at least one kind: attacks directly on systems in the field of the kind DHS has highlighted in numerous studies and reports.
Installed in front of each vulnerable device would have been an AGA-12 gatekeeper, a sealed black box with a processor and cryptographic software inside, he explains. That "bump in the wire" would sift and decipher commands coming in from legitimate operators, but shield the vulnerable industrial control systems behind them from any false signals that might allow a hacker to take over.