Power plants electronic systems 'like sieves'

Nov 20th, 2000


Kate Thomas
OGJ Online

ORLANDO - Power plant electronic security is just beginning to emerge as an issue within the industry, but third party liability could heighten its profile, experts said here during Power-Gen International.

Joe Weiss, technical manager of the enterprise security project for EPRI, and LeVord M. Burns, FBI unit chief of training and continuing education at the National Infrastructure Protection Center (NIPC), warned many systems are vulnerable to intrusion. If vendors and others who have electronic access or have installed software at power plants and control centers do not take effective security measures, it could come back to haunt them.

"Deregulation has created an information security problem. This is something the industry hasn't considered," said Weiss.

Vertically integrated utilities were generally closed systems, but today every power plant is effectively a merchant plant, and that means "you are opening yourself up as never before," Weiss said. Most remotely operated facilities are controlled electronically, and "they are like sieves," he added. "Very few plants have firewalls in front of them."

If a plant manager is connected to the distributed control system (DCS) from a remote location and is able to change settings, Weiss said, others can, too. With openness to outsiders comes vulnerability to hackers whose intent could vary from curiosity to theft of proprietary data to sabotage. Weiss said such concerns are not hypothetical, noting Arizona's Salt River Project's water system had been hacked.

Hacker tools applicable to DCS and supervisory control and data acquisition (SCADA) systems are readily available from the internet, Weiss said. The problem is that many companies will never know they have been hacked because they don't have detection software in place.

"This raises liability issues for third party vendors if information disappears off your system," Weiss said. He advised against a false sense of security, noting hackers had access to Microsoft for 12 days before the intrusion was detected.

Presently, there are no specifications to make a secure control system, and attempting to install software on existing systems would result in "denial of service" breakdowns and other upsets, Weiss said. The industry is beginning to address the problem in working groups, but he predicted it will take a next generation of software designed from scratch to create secure systems.

Developing such a system becomes even more complicated because the more secure a system is, the more difficult it becomes to use, contradicting the drive to make systems open and user friendly, Weiss said.

Often the first time a system administrator knows he's been hacked is when law enforcement officers knock on his door, Burns said.

Under Presidential Directive 63, the NIPC must have a plan in place by 2003 to protect the US critical infrastructure from events that could diminish the ability of federal and state government to perform essential national security missions, maintain order, and deliver essential public services, and the ability of the private sector to ensure the orderly functioning of the economy and delivery of telecommunications, energy, financial, and transportation services.

Presently, the NIPC has 16 active squads in place, Burns said, and is developing its watch and warning capability in partnership with industry and other government agencies. Threats to the system can range from physical to cyber attacks.

From a commercial viewpoint, he too warned third party liability is becoming a more serious issue for the industry, if it can be shown vendors did not take appropriate steps to secure systems against intruders.
