What are some of the misconceptions about threats and defenses concerning the energy sector?
Parker: There is a tendency in the media to portray threats against the bulk electric system as being imminent. Although an attack could be attempted at any time, the concern is really in the long term rather than the immediate future. Current computer crime is almost exclusively financially motivated. Attacks against the electric sector will not be so motivated, since there is no easy path to monetization, and an attack against critical energy infrastructure would likely be met with an extremely aggressive government response. Security in this sector is critical over the long term to protect against possible terrorist or state-sponsored attacks, not petty crimes.
On the defense side, the actual vulnerability of the bulk electric system is often mischaracterized. It is not true that most control systems are connected to the Internet. It is now standard practice for control centers to reside on protected networks within a larger internal corporate network. This places the most critical systems behind two distinct perimeters. This is not to say that such systems are impenetrable, or that there are no electric sector cyber systems with exposure to the Internet or unsecured modems, but the situation is not as dire as sometimes portrayed.
What are some of the more overlooked aspects?
Parker: The insider threat is underappreciated. The electric industry, as a cooperative endeavor, necessarily relies on mutual trust. This creates a culture where the possibility of malfeasance by insiders is discounted.
The potential threats are underestimated. Because cyber crime garners so much media attention, many people simply gauge electric sector security against commonly reported attack scenarios. The reality is that any eventual attack against the electric infrastructure is likely to be much more sophisticated than what is commonly seen. Protections need to be designed with this in mind. For example, it is likely that private communication infrastructure (sub IP-level, non-Internet) would be a target. Blended attacks, part cyber, part physical, are also quite possible. Security protections need to consider the sophistication, motivation, and resources of potential attackers.
Confidentiality isn't much of an issue in the electric sector. Whereas current financial crimes all revolve around the acquisition and misuse of confidential information, most attack scenarios in the electric sector revolve around loss of control or loss of data integrity. Although there are legal and economic drivers for the confidentiality of some information, primarily market related, the actual operation of the bulk electric system depends on the integrity of the control systems used to operate it, and the data used in decision-making processes.