The U.S. Department of Homeland Security takes the security of our power grid seriously and with good reason. A disruption to our power distribution systems could have devastating effects for our citizens, businesses and our economy. That is the driver behind the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) regulations; keeping our national power grids safe.
Yesterday came the latest report of how fragile our power infrastructure can be. A research scientist in China has reported that an attack on a small subnetwork could bring down the whole west coast power grid. While I have not seen all of the research, and therefore cannot comment on it directly, we do know that the grid is not equipped to handle multiple simultaneous outages – and that is exactly what malware can be used to create. The stakes couldn’t be higher and the IT infrastructure supporting our power grids should reflect this risk.
NERC CIP regulations are important, but it is important that the spirit of the regulations are what people strive for; protecting IT assets from attack. Achieving compliance isn’t the goal, but a guideline for ways to improve security in our critical infrastructure. Reactive systems that do not protect against custom, targeted attacks simply won’t cut it in this environment. Whether it is in the network or on the endpoint our systems need to be hardened to withstand an attack we have never seen before and that we don’t expect.
I have written about this numerous times and one of my articles was recently re-published in the Electric Light & Power Transmission & Distribution (T&D) newsletter. The key for people to remember is that in this environment patching and cleaning up infection simply isn’t enough.