Third, he said, is that most utilities are privately owned and have different software, applications and system designs. That diversity makes it much more difficult to launch a coordinated attack on multiple systems.
Dr. Paul Stockton, managing director at Sonecon, made that point in a recent paper titled “Superstorm Sandy: Implications for designing a post-cyber attack power restoration system.”
He wrote that the diversity of systems would likely impede recovery efforts after a major attack, but would also have the benefit of making large-scale attacks much more difficult in the first place.
Dr. Paul Stockton, managing director, Sonecon
“The enormous diversity of ICS software and control system components among utilities greatly complicates the task of conducting a ‘single-stroke’ attack to black out an entire interconnect or the U.S. grid as a whole,” he wrote.
And according to Lee, even with all that diversity, critical infrastructure systems are relatively simple to defend. “They are among the few networks on the planet that are defensible,” he said.
Added to that, said Lila Kee, chief product officer at GlobalSign, is that utility providers are very much aware of the threats, and highly motivated to defend against them.
“Grid providers don’t want to be any more regulated than they are, and they understand if they don’t address cyber security vulnerabilities, the government will do it for them,” she said. “It’s also important to note that grid providers have a self interest around protecting generation and transmission systems.”
Lila Kee, chief product officer, GlobalSign
Berman contends that “the mundane things – like cable backhoes – cause us more problems than cyber.”
While the risks are real, “I spend a lot of time with utility people,” he said, “and they are dedicated and understand where attacks are taking place. I tend to be an optimist – I’m not so sure we’re as ill-prepared as everybody thinks.”
All this, experts hasten to add, does not mean that ICS defenses are adequate. As has been noted many times, they were not originally designed to face the Internet. And the interconnection of ICS networks to gain automation and efficiency has simply expanded the attack surface.
And, as both Lee and Stockton note, if there is a major cyber attack, responding to it will be much more complicated than to a natural disaster like Superstorm Sandy. In that case, other providers who came to assist those that had been damaged by the storm, knew they would not confront the same storm themselves.
With a cyber attack, as Lee put it, “the adversary will be fighting your responders,” in much the same way that terrorist groups sometimes detonate one bomb, wait for others to rush in to assist victims, and then detonate another one.
Sign up for CIO Asia eNewsletters.