
Volume one, issue 3
June 16, 2006


Implementing security in a post-9/11 world

EDITOR'S NOTE: Technically Speaking is a periodic e-publication targeted to GE Energy management systems users and friends. Our goal is to highlight popular and compelling technical topics. We also want to bring you news and trends from our business related to these products and services.

After the terrorist attacks of 9/11, the security of every infrastructure in the United States was called into question. When Department of Homeland Security experts evaluated supervisory control and data acquisition (SCADA) systems for the electric power grid, they were alarmed. 

“If someone with ill intent were to take control of SCADA systems, they could wreak havoc on the nation’s electric power infrastructure,” says Ron Larson, chief engineer for software architecture and design for GE Energy’s transmission and distribution business.

So far, there have been no widespread threats, but evidence shows the country is vulnerable. Since 9/11, actions by the Federal Energy Regulatory Commission (FERC), North American Electric Reliability Council (NERC), government agencies and research firms have pointed the energy industry in one direction: security.

Led by Larson, GE Energy launched a strategic security initiative. Larson began working with Charles Engasser, security and services leader for GE Energy’s XA/21* transmission management system, to find technology that could fortify one of the industry’s most advanced SCADA systems.

State-of-the-art testing

While GE Energy and other vendors tested security upgrades, the Department of Homeland Security and the U.S. Department of Energy were initiating a test bed at Idaho National Laboratories (INL) in an attempt to mitigate risk to the power grid. This real-world environment for control system security research and testing was equipped with a commercial-grade 50 MW transmission and distribution system, 61 miles of kV dual-fed power loop and seven major substations.

When called upon, GE jumped at the chance to partner with cyber security experts at the INL National SCADA Test Bed. In February 2005, GE signed a cooperative research and development agreement with INL that would test the vulnerability of the XA/21 system, ultimately helping its customers prevent security problems and more effectively meet NERC’s Critical Infrastructure Protection (CIP) requirements.

“It was a great partnership,” says Larson.

GE Energy was impressed by INL’s world-class experts.

“They didn’t simply use technology to penetrate the system,” says Engasser. “They found many clever ways to try to crack it, ways that someone with resources might try. These are extremely sharp individuals.”

The security level of the INL Test Bed was also impressive. “A competitor’s system was in the next room, but we weren’t allowed to go near it,” says Larson. “We felt good about keeping our trade secrets safe at INL.”

Experts weigh in

When Phase I of the testing was complete in August 2005, INL submitted a 60-page Cyber Security Test Report to GE Energy, which validated the XA/21 application’s strengths and identified some vulnerabilities.

“It was a relief to learn that our system, when armed with the security options we have developed, was quite secure,” says Engasser.

The results, proprietary information protected through a Cooperative Research and Development Agreement (CRADA), showed that the following new technology initiatives had markedly improved the XA/21 software’s security:

  • System hardening: Services such as centralizing accounts and logins, installing encryption, disabling unused services, installing firewalls/intrusion protection and securing Inter-control Center Communications Protocol (ICCP).
  • Security patch management: A service that tests software patches or upgrades in GE labs before customers install them.
  • License management: A service that maintains upgrades with security protection for the XA/21 product, along with third-party software.
  • “Whole security health check”: A service that audits security from every aspect of an organization, including social engineering attacks.

Where vulnerabilities were shown, INL provided specific recommendations for remediation. “They gave us solutions we could act upon,” says Larson. “Some of their suggestions are being implemented today.”

Pleased with the results of the Phase I XA/21 Cyber Security Test, the GE Energy team looks forward to Phase II.

“It’s a win-win because our customers are more secure, able to meet industry mandates and better protect themselves from risk,” says Larson. “And the Department of Energy is able to use the knowledge they’ve gained to secure our national infrastructure.”

A vital starting point

Along with other efforts to create awareness, the activities of the National Test Bed serve as a starting point to uncover vulnerabilities for all EMS/SCADA vendors. The next, more challenging step is to urge electric utilities to upgrade or replace their control systems.

“A small number of utilities have gone for the upgrades,” says Larson. “But many say they will wait until security upgrades are mandated, because spending capital dollars on security just doesn’t provide instant economic benefits.”

GE recognizes that it won’t happen immediately, especially because many systems now in operation are legacy systems. But the nation won’t be secure until facilities remediate the critical control systems that are managing and controlling its electric power grid.

GE Energy
www.ge.com/energy

* trademark(s) of General Electric Company

Copyright 2006, General Electric Company. ALL RIGHTS RESERVED

In The News

GE Announces New Transformer Monitoring System

GE Energy Awarded Four Patents For Electrical Test Technologies

GE Energy To Supply Substation Equipment To 38 Sites In Chile


Meet us at Cigre

GE will be exhibiting at the 2006 Cigre conference from August 27 - September 1 in Paris, France. Please visit us in Stand #46.

Contact us
energy.tdsolutions@ge.com
Brought to you by
Geospatial Solutions and Geointelligence