http://www.hartfordbusiness.com/news10467.html

New Security Paradigm Needed

By Joel N. Gordes and Michael Mylrea

10/05/09

---

With the eighth anniversary week of 9/11 behind us, the U.S. remains vulnerable to a devastating cyber attack directed at its critical infrastructure. Despite warning signs of this threat, policy makers continue to prepare for the last war, ignoring the major lesson of both 9/11 and Pearl Harbor — not to “be prepared,” but to understand the changing nature of warfare. U.S. policy makers need to adopt a new security paradigm to defend critical asset, especially energy infrastructure, from a devastating cyber strike.

Several years ago the California Independent System Operator reported: “For at least 17 days at the height of the energy crisis, hackers mounted an attack on a computer system that is integral to the movement of electricity throughout California.” A more recent public report by a CIA analyst says this is a global problem and criminals have launched cyber attacks against foreign power utilities with the goal of extorting money.

One call to action came with the release of a CNN video showing how a software attack quickly destroyed a generator. A similar attack on key electric facilities could take out power to major geographic areas and if incapacitated for three months, the economic price tag would be about $700 billion, according to Scott Borg, chief economist at the U.S. Cyber Consequences Unit, a private nonprofit think tank. While the North American Electric Reliability Corporation (NERC) approved new standards to improve cyber security, the grid remains vulnerable as regulations require further refinement, focus and effective enforcement.

In preparing for the future, it might be useful to look back at other grim prophecies that, had they been heeded, could have prevented catastrophes. One example was Brigadier General Billy Mitchell who warned in April 1926 that there would be “a surprise aerial attack on Pearl Harbor;” or just as Richard Clarke, former top US counterterrorism official and “Cyber Czar” warned White House officials of the threat of al Qaeda prior to 9-11.

The Obama administration’s prioritization of energy security is a start as energy and telecom are the two primary critical infrastructures upon which all others are dependent. All modern infrastructures including banking, hospitals, water, and defense depend on these interrelated infrastructures for their operation and “the power grid is the foundation of it all,” noted cyber war expert Winn Schwartau.

One bright spot is the government’s allocation of $4.1 billion of stimulus funds to invest in the new “Smart Grid.” “Smart” implies a move away from totally centralized generation and control to two-way communications between the utility and end users.

However, unless security is part of the design criteria, the smart grid will not live up to its name; done poorly, increased communications will be accompanied by increase cyber vulnerabilities. First and foremost, a new paradigm must include security into the design and operational criteria as something more than merely an afterthought. More specifically, adaptive islanding or physically dispersing small, modular generators allows for some continued operation if the overall transmission system has been disrupted either physically or by cyber attack. Locating the distributed sources closer to the place of use minimize the vulnerability of transmission lines.

Another one of the challenges is the private sector owns and operates the majority of the country’s critical energy infrastructure. A leading advocate of building a private-public partnership, Richard Clarke, commented: “The owners and operators of electric power grids, banks and railroads; they’re the ones who have to defend our infrastructure.”

Until these improvements are made, the current electrical grid will continue to operate with inefficiencies; physical and cyber vulnerabilities that could potentially cripple our economy. Current economic inefficiencies cost billions of dollars in losses each year and present a major challenge as increases in the world’s energy demand will require supply to triple by 2050. Combined with the new cyber threats, we must quickly employ public-private partnerships that engage entrepreneurs to incorporate comprehensive security into any future “smart grid” design in ways that also minimize loses in operational efficiency. Moreover, building a stronger and smarter electrical energy infrastructure will transform the country, mitigate risk, create jobs, and slow destruction of the environment.

Joel Gordes is an energy security consultant and President of Environmental Energy Solutions in West Hartford. Michael Mylrea is a security consultant.