You Want Scary? “Utility Cybersecurity is in a State of Near Chaos”
Those incendiary words are courtesy of a recent Pike Research (now called Navigant Research) study. Bottom line: It suggests that a dirt cheap smartphone app could wirelessly communicate with a targeted command-and-control computer system — one that utilities rely upon — to cause unimaginable havoc.
What kind of catastrophe are we talking about? Some U.S. officials foresee cyber-attacks that could take down a utility servicing millions of people and render them powerless. For months.
The way PG&E’s Chief Information Security Officer James Sample, sees it, “We will see catastrophic outages. We are dealing with a very intelligent adversary.”
But despite the doomsday warnings, have utility companies stepped up their security measures? Not according to many security specialists.
Why not? Looking at the issue from a purely monetary standpoint, some estimates for upgrading utility security could cost upwards of $14 billion. But from a preparedness standpoint, are utilities in a serious state of denial about the realities and potential impact of cyber-terrorism?
Some vocal critics say yes. Consider what Dale Peterson, CEO of Digital Bond, a firm that evaluates the security posture of utilities and other companies, told the San Jose Mercury News: “[Utilities] just want to kind of pretend the problem doesn’t exist. So it might take some really tragic thing with some huge disruption of peoples’ lives before something gets done.”
So how many wake-up calls are needed to compel utilities to step up their security act? The U.S. Department of Homeland Security has already reported infiltrations of oil and natural gas pipelines and electric power organizations. Out of 198 cyber-incidents reported, 41% targeted energy companies, 15% were aimed at water-related firms and six included the “nuclear sector”. Yes, it is that scary.
The California Public Utilities Commission warns that utilities are increasingly vulnerable by way of smart meters and the smart grid. The same CPUC study reports: “(Eighty) to 90 percent or more of the electric infrastructure currently does not fall under any required standards and that cyber-security practices of the utilities are not monitored.”
If this doesn’t scare the hell out of you, consider the sobering findings from a survey conducted by risk management specialists nCircle who asked 104 energy security professionals if their smart meter installations were adequately protected from hackers, 61% said, “No.”
As content specialists in security, Write Angle would like to hear why security companies aren’t making more noise about the vulnerability of utilities. We’d love to hear from you.