Cybersecurity: How US utilities passed up chance to protect their networks
Cybersecurity needs are not hypothetical, as the recent DHS warning of a cyberattack on the US natural gas industry shows. Why then was a post-9/11 initiative to secure US utilities dropped?
(Page 3 of 3)
Critical infrastructure industry executives (oil, gas, electric power, water) made only modest progress over the past year in securing their networks, the survey found. In the energy sector, security technology adoption grew just one percentage point (to 51 percent) with oil and gas industries increasing by three percentage points (to 48 percent).
Even back in 2006 when memories of 9/11 were sharper, the business case for spending the money to become more secure just wasn't there, says Dennis Holstein, an independent researcher who helped write the AGA-12 implementation documents.
"What I think killed AGA-12 more than anything else was the cost of it," Holstein says. "It was a success. But nobody was willing to pay $500 for a bump in the wire solution even if it radically improved security. I haven't seen any deployment of it."
Protecting hundreds of thousands of miles of interstate gas pipelines, water supplies and even the power grid with the new encryption boxes was clearly a bottom-line decision, says John Kinast, a former senior engineer at the Gas Technology Institute, now retired, who was a primary researcher developing AGA-12.
"As time went on, and we got farther from 9/11, there was just this feeling from the industry side that, 'Well, gee – nobody's attacking us, so maybe it's not such an issue,' " he says in an interview. "But it's more than complacency. When you look at the cost-benefit and try to formulate a payback for a bump in the cord – for something that hasn't happened yet – it's just tough to make the case."
The urgency has reemerged at times. After revelations in the fall of 2010 that a digital weapon called Stuxnet had homed in on and wrecked centrifuges in Iran's nuclear facilities, it was clear to many that hypothetical threats to industrial control systems were for real – and many energy industry officials were alarmed.
"There was a burst of panic in the [gas industry] executive suites, and rightly so over Stuxnet, but at this point nothing has materialized," says Rush, the retired Gas Technology Institute scientist.
Now the gas pipeline industry is experiencing a cyberattack publicly identified in April by DHS, although it's still not clear to what degree the attacks are aimed at merely stealing information on corporate systems – or at mapping the control system vulnerabilities for operating natural gas pipelines.
"To our knowledge, the 'cyberintrusions' reported to DHS have had no impact on deliveries or the safety of the pipeline system," Don Santa, president and CEO of the Interstate Natural Gas Association of America, said in a statement May 8. Members of his association, which has its own detailed cybersecurity guidelines, operate 223,000 miles of the 319,000 miles of natural gas transmission pipelines in the US.
Even so, some say America needs to take more direct steps to protect aging critical infrastructure including, ironically enough, something like the AGA-12 standard.
Fortunately, about two years ago, the Institute of Electrical and Electronics Engineers (IEEE), a powerful body that sets standards for industrial electrical equipment, dusted off the AGA-12 protocol and renamed it the IEEE 1711-2010 preliminary standard. It is set to be finalized soon – about 11 years after research on it began.
But even now, selling a "bump in the wire" cybersecurity box remains a tough sales pitch for vendors pitching IEEE 1711-2010 boxes to gas, electric, and water companies that have old, insecure devices slathered across the American countryside.
"The vulnerabilities are still out there, but now we have the equipment to patch it," says Tien Van, president of Sequi, Inc., a Tustin, Calif., systems provider that began building IEEE 1711 equipment. "We have sold some, but not too many of these.… Companies still don't want to spend the money to fix this."