"Even when it is, attacks such as Stuxnet can circumvent the isolation by using USB memory sticks to spread," he says. He adds that SCADA networks can have many old serial protocol devices that have no hope of running any security software, let alone producing event logs for forensics.
Technical Fix for Security Risks?
"There are lots of good technologies available now but none is a silver bullet," Lockhart says. "As with any environment, security requires risk assessment, policies, and an architecture before you start specifying products."
That said, Lockhart lists five promising technologies for utility cybersecurity over the next few years:
Multi-factor authentication: This will help ensure that a stolen password is not enough to allow an attack against a grid or a control console from the other side of the world.
Control network isolation: A firewall can make sure that enterprise IT traffic does not end up on the utility's control network.
Application white-listing: White-listing prevents the execution of malware. It identifies "a list of permitted actions on a host and allows nothing else," says the Pike Research report.
Data encryption at rest and in transit: This approach not only protects data confidentiality but also helps ensure the integrity of data from devices such as smart meters, temperature sensors and flow meters.
Event correlation: This can be especially useful for identifying the source of attacks and in some cases preventing them.
People Biggest Security Problem
Perhaps the biggest security hurdle facing utilities is the cultural divide between IT teams and utility operations teams, says Lockhart.
"One side understands how enterprise IT networks operate," he says. "The other side understands how distribution and transmission grids function. There is not that much overlap between the two, but each has the opportunity to make the other's life truly miserable."
Lockhart observes that the most progressive utilities have realized that cybersecurity discussions must include both IT experts and operations experts, but other utilities are lagging in this regard.
"From my research, there are still some utilities where those two teams are not on speaking terms," he says. "Many security vendors tell me that when they visit utilities, they are only seeing the CIO or chief security officer."