There has been no shortage of industrial cybersecurity concerns in the news last month. Particularly noteworthy are the Federal Energy Regulatory Commission’s new CIP standards and the Lloyd’s of London report about the future of our critical infrastructure, including a frightening potential attack scenario. If you missed any of these stories, check out our July news roundup to quickly catch up.
GAO: Military power grid vulnerable to cyberattack (ABC News – July 27, 2015)
United States military bases’ power grids are at risk for cyberattacks, according to a new Government Accounting Office report on defense infrastructure. The document concludes that these bases are vulnerable to cyberattacks that could greatly affect operations. Retired Navy captain Joe Bouchard said the problem will eventually be corrected; however, in the interim there will be a lot of opportunities for sophisticated cyberattacks on military bases.
(Business Insurance, July 21, 2015)
The Federal Energy Regulatory Commission (FERC) is offering new rules intended to improve the U.S. electric system’s cybersecurity. These standards are intended to address possible threats to communication networks and other electric system assets and will address issues ranging from personnel and training to physical security of the bulk electric system’s cyber systems and information protection.
(Computer Weekly, July 16, 2015)
A National Grid security manager notes there is a need for real cultural change in the energy sector in terms of security, especially in the U.K. He says the rate of change in technology across the world comes with increasing risks to industrial control and SCADA systems. Additionally, there is an increasing reliance on cyber tools to operate critical infrastructure systems. In combination with physical and cybersecurity concerns, the energy sector needs to mitigate these risks. FERC describes the goal as “a forward-looking, objective-driven standard that encompasses activities in the system development life cycle from research and development, design and manufacturing to acquisition, delivery, integration, operations, retirement and eventual disposal of the equipment and services.”
(SC Magazine, July 13, 2015)
According to the recent Lloyd’s “Business Blackout” report, the potential financial loss from a Stuxnet-style attack on the U.S. smart grid could be more than $1 trillion. The report provides a hypothetical scenario in which hackers use a Trojan attack to shut down electricity generation control rooms to create a blackout across 15 U.S. states. While researchers admit this attack is improbable, they do agree that it is technologically possible and would result in huge government and insurance pay-outs, as well as a rise in mortality rates, decline in trade and “general chaos on transport networks.” The Lloyd’s report suggests that these hackers would likely be engineers with the ability to write malware. While the cybersecurity market is still evolving, these risks and losses are very much possible.
For a look at other industrial cybersecurity news we find noteworthy, check out our June news roundup.