The following activity is designed to prompt expression of your knowledge of and ability to apply engineering professional skills. Its purpose is to determine how well your engineering program has taught you these skills. By participating, you are giving your consent to have your posts used for academic research purposes. When your posts are evaluated by the program assessment committee, your names will be removed. In order to post, click on the Sign In button in the upper right hand corner of the blog page, then sign in using your gmail account and password.
Time line: You will have 2 weeks to complete the on-line discussion as a team. Use this blog to capture your thoughts, perspectives, ideas, and revisions as you work together on this problem. This activity is discussion-based, meaning you will participate through a collaborative exchange and critique of each other’s ideas and work. The goal is to challenge and support one another as a team to tap your collective resources and experiences to dig more deeply into the issue(s) raised in the scenario. Since the idea is that everyone in the discussion will refine his/her ideas through the discussion that develops, you should try to respond well before the activity ends so that the discussion has time to mature. It is important to make your initial posts and subsequent responses in a timely manner. You are expected to make multiple posts during each stage of this on-going discussion. The timeline below suggests how to pace your discussion. This is just a suggestion. Feel free to pace the discussion as you see fit.
Tuesday Week 1 Initial Posts: All participants post initial responses to these instructions (see below) and the scenario.
Thursday Week 1 Response Posts: Participants respond by tying together information and perspectives on important points and possible approaches. Participants identify gaps in information and seek to fill those gaps.
Tuesday Week 2 Refine Posts: Participants work toward agreement on what is most important, determine what they still need to find out, & evaluate one or more approaches from the previous week’s discussion.
Thursday Week 2 Polish Final Posts: Participants come to an agreement on what is most important, and propose one or more approaches to address the issue/s.
Discussion Instructions
Imagine that you are a team of engineers working together for a company or organization to address the issue raised in the scenario. Discuss what your team would need to take into consideration to begin to address the issue. You do not need to suggest specific technical solutions but identify the most important factors suggest one or more viable approaches.
Suggestions for discussion topics
• Identify the primary and secondary problems raised in the scenario.
• Who are the major stakeholders and what are their perspectives?
• What outside resources (people, literature/references, and technologies) could be engaged in developing viable approaches?
• Identify related contemporary issues.
• Brainstorm a number of feasible approaches to address the issue.
• Consider the following contexts: economic, environmental, cultural/societal, and global. What impacts would the approaches you brainstormed have on these contexts?
• Come to agreement on one or more viable approaches and state the rationale.
Power Grid Vulnerabilities
In 2010, the US power industry received $3.4 billion as part of the recent economic stimulus package to help modernize the country's electric power system and increase energy efficiency.
The nation’s security experts are concerned about the increased vulnerability of the operational systems used to manage and monitor the smart grid infrastructure. Supervisory Control and Data Acquisition (SCADA) systems are one of the primary energy management systems used to control the power grid. SCADA systems are susceptible to cyber attacks because many are built around dated technologies with weaker protocols. To increase access to management and operational data, these systems and their underlying networks have been progressively more interconnected.
Contemporary hackers may circumvent technical controls by targeting a specific user within the utility instead of hacking directly into the grid. For example, a person with intention to launch cyber attacks could be employed by a business that sells products or services to a company, allowing regular e-mail interactions with the internal procurement office. The hacker could circumvent the company’s firewall by sending emails with a Trojan horse or advanced malware, thus creating a virtual tunnel to the procurement office’s computers. This would give the hacker undetected direct access to the company's network which could be used to launch further attacks.
Since 2000, successful cyber attacks to the SCADA systems of a number of US power generation, petroleum production, water treatment facilities, and nuclear plants have increased by tenfold. In April 2010, a Texas electric utility was attacked from Internet address ranges outside the US. In late 2010 and early 2011, Iranian nuclear power plants and German-headquartered industrial giant Siemens witnessed the powers of Stuxnet, the sophisticated malware designed to penetrate industrial control systems. Experts warn that Stuxnet or next-generation worms could incapacitate machines critical to US infrastructure, such as electric power grids, gas pipelines, power plants, and dams. The worm circumvents digital data systems and thwarts human operators by indicating that all systems are normal, when they are actually being destroyed.
Official US governmental standards for power grid cyber security are not robust enough to ensure against such threats. According to a January 2011 Department of Energy audit, the current standards are not “adequate to ensure that systems-related risks to the nation’s power grid were mitigated or addressed in a timely manner.”
Sources
Audit Report: Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security. (January 26, 2011). U.S. Department of Energy, Office of Inspector General, Office of Audits and Inspections.
Computer Expert Says US Behind the Stuxnet Worm. (March 3, 2011). Agence France-Presse.
Cyberwar: In Digital Combat, U.S. Finds No Easy Deterrent. (January 25, 2010). New York Times.
Hacking the Smart Grid. (April 5, 2010) Technology Review.
New Breed of Hacker Targeting the Smart Grid. (June 1, 2010). Coal Power Magazine.
Obviously, the issue of power grid vulnerability is a huge topic to cover. Firstly, I would like to know where the $3.4 billion stimulus package was appropriated. I think some of that money should go to forming an IT team to directly combat hackers.
ReplyDeleteThe impacts we're facing with this issue are:
1.) Globally, the efficiency and effectiveness of the power system has to be virtually 99.9% running at all times. This means it must have a high reliability factor. This new problem with SCADA hackers could be a potential threat to this reliability.
2.) Economically, money will need to be directly appropriated for this issue. Not only that, but proper training and programming will need to be implemented to effectively handle this issue.
3.) Environmentally, hackers could cause great harm if they moved their targets from individuals to power substation control (as just an example). If they could hack into the controls for a dam, for instance, the consequences could be catastrophic to the environment (dam destruction, etc.).
4.) As a society, we have a certain trust for our utilities and the power system to always supply power without blackouts or power loss at virtually any time. Hackers affecting the power grid could shake this trust and cause wide distaste for utilities worldwide.
From my experience working as an IT Tech on WSU's campus, I firmly believe that there is either software or people out there that can detect Trojans and worms for almost any instance. What the power industry lacks, however, is the impetus to implement such resources (at least at this current time). The initial solution I propose to this problem is that each utility (including our "company") must be responsible for their own system protection against hackers by creating their own anti-virus/malware/spyware group in their IT department to directly counter such destructive efforts. Also, they must be responsible for paying for this directly since it is entirely on their end, and not on the consumer's or government's end.
Primary problem:
ReplyDeleteOutdated equipment on the power system is leaving the control system power operators vulnerable to cyber attacks.
Secondary problems:
1) Lack of funding to replace old equipment.
2) Software is needed to prevent sabotage.
3) Lack of regulation in the security protocol of power system operation.
Impacts:
1) Environmental - Fish and wildlife are affected by a failing system due to sabotage.
2) Global - Attackers from other countries can target one another for sabotage.
3) Societal - Rate payers will be affected by power outages and other damages to the power system from cyber attacks.
4) Ethical - Power companies are obligated to provide a reliable and secure power system to customers. Thus power companies need to invest in more secure networks.
Stakeholders:
1) Power company employees - An increase in network security means a decrease in computer related freedom and an increase in yearly security protocols etc.
2) Power Companies - They are being attacked indirectly. Power Companies need to update equipment, but it's a matter of funding and balancing political issues with rate payers etc.
3) Rate Payers - They will likely see an increase in their rates as power companies are devoting more money to implement more security and replace retired equipment.
4) Governments - There are political impacts when other countries are attacking one another through the internet. This can lead to wars, decrease in trade and increased tensions between countries.
5) IT and Power Electronics companies - They will likely see an increase demand for products that will make the power system more secure.
Conclusion:
This is a highly sensitive political and societal issue facing the power industry. Because money runs the world, many politicians and rate payers won't see eye-to-eye about increasing rates in order to make the system more secure. I suggest power companies holding meetings with rate payers and politicians about the issue and how power companies want to face it. Then with rate payer feedback, power companies can make the most optimal decision. Maybe power companies can agree to increase rates until for a certain amount of years in which they can replace equipment and make the system more secure. Also, power companies need to have their control system isolated from the public. Lastly, I think this is a great need for the US such that the government could issue more grants. It's much more important for power companies to focus on security issues to a certain degree than reaching a certain percentage of renewable resources.
The primary problem in this scenario seems to be infrastructure security. Some secondary problems include a fall behind of security protocols in power industry systems, aspects of the new smart grid, and the interconnectedness of the modern power system. The two main issues causing these problems seem to be employee computers connected to important control modules and the internet, and the new wireless monitors. The greatest stakeholders are power companies. Following closely behind that, however, are power consumers, which is virtually every American. In addition to this, people who interact with worldwide companies that are based in the US could also be potentially affected. It would be highly useful to contact companies that deal with cyber defense. Also, the US government has a vested interest in a reliable power system, so US agencies that deal will cyber terrorism could also be great resources. In addition, there is literature on cyber security that could be used to gain more insight on the situation.
ReplyDeleteThis is clearly related to the controversial smart metering. This is the idea that power would be charged at different rates during different parts of the day through personal metering devices. Also, this is closely related to the increased number of government backed cyber attacks we have seen around the world. A great way to utilize cyber attacks is by using it to take out a countries power system. These are two issues that are closely related to this problem.
I would initially propose isolating the system as much as possible. People cannot hack into a system that is not connected to the outside world. However, this means that these smart meters would have to be wired so that people cannot access them easily. There aren’t a lot of group who would try and hack into a little box that is thirty feet in the air on a power pole. Also, this means that employees’ laptops cannot be interconnected with the internet and the system at the same time.
Economic consequences of this are the increased cost to power companies using wired smart meters instead of wireless one and possibly having multiple laptops for employees that work on the system. There would be minimal environmental consequences, other than having another box or two on the power lines and more wire for communications. This solution would have minimal societal and cultural consequences because it does not affect current situations. However, it does allow the smart metering to still be a viable option which has a wide variety of impacts. Lastly, this could have global impacts on how other countries implement security on their power systems.
Austin Roskamp
For this scenario, one of the primary problems is the security of the US Power System. The power grid is vulnerable to cyber intrusion, both by home grown vandals and foreign attackers, and there is realistic reasons to fear such attacks.
ReplyDeleteIt is amazing how easy it can sometimes be for someone in operations to connect a plant computer to office LAN, and inadvertently to the internet. Also, since most of the SCADA packages run under Microsoft Windows, this increases the chances of success for cyber attackers.
This is just not acceptable because a disruption of our critical infrastructure would be life threatening and would drastic effect on the economy. U.S. utilities are doing their best to ensure the safety of their networks and system, but we have to make sure that whatever we are doing is enough.
As mentioned, the number if cyber attacks on utilities has doubled in the past couple of years. It is crucial to keep up with the latest trends in all types of attacks using technology and policies. However, no one technology is perfect, therefore it is important to employ in depth strategy.
Another problem regarding this issue is that some utilities take it very seriously while other do not. This depends on their understanding of the risk and the repercussions. Some tend to take proper pre-cautions and spend more money while others continue with the risk.
This makes things much easier for cyber attackers because miscommunications between groups in a company can create gaps, and with just one linkage, hackers can jump across networks. One suggestion is to employ a special chief security department that minimize these gaps.
Austin-
ReplyDeleteI like how you pointed out that employees have their computers directly connected to the system. I can see the idea behind that: as an example, an engineer can change a wind turbine's settings or operations just by logging in from any computer. There's an increases ease of operating the power system, which means more of an ease to disrupt it. (aka hacking). That's why we have to take security as a top priority even more.
Shelvin-
I like your input on how different utilities have different standards. We can only work within our own company to make changes (and that takes forever anyways), but there really should be a department to look over every utilities' security policies. I don't know if that should be ran by the government or by a conglomerate of utilities, but that would be a good start.
Shelvin -
ReplyDeleteInteresting perspective on the issue. From my internship with BPA, I know that they use a completely remote network for their control system. This is both good and annoying because the security protocols can make life frustrating. Are you saying that a standard for security of the system should be instilled and by whom?
Austin -
Keeping someone honest is always a good preliminary solution. I do that with my car by making sure not to leave anything that will give someone the incentive to break into it. That's a good idea, but I don't think it's a long-term solution. What needs to be done in the long term is having equipment replaced. Older technologies leave the system completely vulnerable.
Seth -
I have to disagree with your solution to force utilities to pay for their own IT. From the consumer's perspective I would say that not many would disagree. But from an economic perspective and a business sense perspective I wouldn't agree. Utilities provide a service to customers. Thus when upgrades and new additions to the system come, then prices need to increase because the demand is high. The other problem here is that there isn't a huge incentive for utilities to do this. Unless something bad happens, a utility has other stuff to worry about like meeting the renewable energy criteria for 2014. Without government aid, consumer rate increases and incentive from organizations like IEEE and NERC and FERC etc, I hardly doubt that utilities will do this. Because BPA is government owned, they have their own IT. With all the political watch over BPA, they are constantly being regulated. Private utilities on the other hand aren't necessarily unless it's regulated by the NERC or FERC. Just a thought!
The complexity of this topic is more than one man, or one design team, or one utility, or even one government. Security and sustainability of the power system is one of the most important facets of this country's infrastructure. Although I still agree with Daniel's view that rate payers should pay for the security (since they're paying for power, not how it gets to them), I do agree with him that power companies should hold meetings with rate payers and politicians about the issues and determine how power companies want to face it. Then with rate payer feedback, power companies can make the most optimal decision. To further dissect this issue, Daniel brought out a key point in his economical impact: instead of hurting the economy, this lack of security could effectively stimulate the economy. With an expanding market for power system security, this could bring in new products and creative ideas in order to solve this problem besides "more money, more money, more money." A big problem is that all of these issues are hidden from the public by politicians and other activists in power, which makes a clear and controlling decision nearly impossible in the "fog" of political manipulation.
ReplyDeleteSeth- I thought that your solution was quite useful if in essentially every attack can be detected with updated security. However, I thought that the only way to detect an intrusion right away was to have someone already have been hacked into before. This is why new definitions need to be installed for new viruses. I am not an expert on hacking, so do you know if this is the case? If so, it would be worthwhile for hackers to come up with a virus that has never been used for any other purpose. Therefore, it cannot be detected quickly. If this is the case, then there needs to be physical protections in place. I do think it is important for the power industry to integrate tighter security protocols to prevent individual hackers from attacking. It could be that if you pooled the resources of all companies that you could form one extremely responsive cyber security unit for all systems and this might be good enough. But this much power in one team could be dangerous as well.
ReplyDeleteDaniel – I think that your solution could be the best because then you have industry experts coming together to solve the problem. They have many more years of experience than us to decyfer this matter. You did not mention any cyber security companies in these meetings. I think that it is of paramount importance to include them in the discussion because power companies are clearly behind the curve on security.
Shelvin - I agree that there should probably be some security standards implemented for the cyber world, just like there is NERC requirements. There are small power companies that might not spend as much money on proactive security that, as you said, could be weak links. While these companies are relatively small in the power world, they are often large enough to cause widespread blackouts in our interconnected power system.
Daniel - I think you misunderstood my point. One of the articles mentions specifically the vulnerability of local "smart" meters. I was coming up with a solution to these specifically. If you hack into enough local smart meters at once then you can topple a power grid. That was why I mentioned the thing on the pole. However, my idea of forcing them to all be hard wired could possibly be an excessive expenditure. The only other option is to make sure these meters have strong electronic security.
ReplyDeleteOn a different note, it seems that you are implying that the government pay for and take over this. I would say that total government control of any industry is a bad idea. Also, the power industry should pay for itself, so I disagree that government monetary aid should be given to this. I think having pockets of government owned and private companies is the best for competition reasons.
However, I think your idea of holding meetings between all affected parties is best.
To the whole group- It seems that having a meeting with the power industry, government entities, consumers, and cyber security companies is the best solution to me. The goal would be to come up with some effective security protocols and standards that work for the multitude of complex issues in this
accidentally bumped my mouse pad an it posted to soon. Continued below:
ReplyDeleteproblem. Also, this would allow for all parties to have a voice and not feel like they were forced to do another set of ridiculous and not well thought out set of government regulations.
Team -
ReplyDeleteThe reason why I pushed for government investment is because there is no incentive for a unified security protocol otherwise. Something that is of national security crisis means that the government needs to have a part. Austin, you have to think deeper than just the issues about the utilities being under attack. The problem at hand encompasses the whole nation at risk. One cyber security issue could lead to an attack on the whole system - which is a direct attack on national security.
My point is that there needs to be communication between all parties: general public, IT, utilities, national security and IEEE or NERC or FERC whichever oversees this problem. This cannot be a decision that is only decided on by utilities and I highly disagree that utilities are 100% responsible for paying for all of this.
Without government incentives like a tax break or direct funding, utilities will have their own standards for security. The problem with that is the security of the system will then depend on the weakest link. Even if company X pays millions of dollars to update their security but company Y doesn't spend as much, then the whole system is still at risk depending on the level of security that company Y invested in.
The government needs to relent on the push for renewable resources if our national security is at risk. That's why I feel that the government MUST be involved - and there's no other alternative. We need utilities united under one standard for security in order to reduce the number of vulnerabilities to the system as a whole.
My final conclusions follow my initial argument.
ReplyDeleteOur national security is at risk. Therefore, there needs to be communication between the government and utilities. Also, there needs to be meetings and discussions by IT, utilities, the government, the general public and power industry regulating firms like NERC and FERC.
I still hold that the government should help with this problem because it is a national security issue. Whether that means pushing back the deadlines for renewable resources or issuing tax breaks or subsidies to utilities will depend on industry experts and politicians.
In the short term, I think Austin is correct in utilities taking active measures to keep their equipment out of reach or less vulnerable to external hacking. Also, internal networks that govern the control of the system need to be remote and self-standing in order to prevent any kind of breach.
However, these solutions are not long-term. Utilities need to work with other agencies and the government to come up with a security standard. That standard then needs to be regulated by an agreement from all agencies involved. Lastly, older equipment needs to be replaced. I think that there needs to be some standard that is enforced to help utilities invest in replacing equipment now. The biggest foreseeable problems will be communication, money and time. A plan is desperately needed to fund, replace and update vulnerable equipment and networks.
From Seth (the blog isn't working for him):
ReplyDeleteI think the team can all agree on the first initiative to be holding a meeting with company reps, a few government officials, cyber-security professionals, and public reps. Even though most know "holding meetings" just wastes time, we feel this is the most effective way to get this concern out in the open and under people's responsibility.
The second solution we want to implement, though are still a bit hazy as how to most effectively go about it, is to set up an IT team specifically to counteract cyber-security breaches. Furthermore, an updated security system is a must for each utility expediently.