The U.S. Congress is considering new cybersecurity legislation following numerous attempts by foreign actors to launch cyberattacks on critical national infrastructure (CNI) in recent years. The proposed legislation will establish a pilot program to identify security vulnerabilities of certain entities in the energy sector and evaluate technologies and standards to isolate and defend against these vulnerabilities and exploits. Because many of the networked industrial control systems that compose CNI have asset lives that span decades and were developed years ago, they lack sophisticated security features and are vulnerable to evolving cyberthreats. The legislation aims to secure general-purpose control systems as well as purpose-built electrical equipment.
Rather than deploying modern security technologies to protect these systems, the proposed Securing Energy Infrastructure Act (SEIA) “will examine ways to replace automated systems with low-tech redundancies, like manual procedures controlled by human operators,” according to the bill’s sponsors, Senators Angus King (I-Maine) and Jim Risch (R-Idaho).
While manual operations have the potential to reduce the risk of a fast-spreading digital contagion affecting large areas of the grid without human intervention, “this approach is costly in terms of manpower and requires access to suitably qualified and experienced staff to take over the system if it fails,” said Nigel Stanley, CTO at TUV Rheinland.
In addition to Stanley’s labor concerns, there are other major cybersecurity problems with the approach proposed by SEIA:
- Connected operations. While it may be relatively easy to isolate grid operations from the public Internet, if the grid continues to rely on its own internal communications network, then it will remain vulnerable to attack. Attacks can originate on a technician’s individual laptop or phone, during a software upgrade, or through a variety of other sources. Network isolation alone is almost never enough to ensure modern cybersecurity.
- Automated digital and connected control. Manual, un-networked control may work for some very sensitive systems, even in the 21st century. However, for most of the utility infrastructure, deploying purely manual, analog systems to guard against cyberattack would be regressive and would greatly reduce the grid’s efficiency.
- Human error. If the grid did try to move back to isolated manual systems, a great deal of automated decision-making would be lost, introducing more human error, slowing the correction of issues such as outages, and lowering overall grid reliability.
- Safety improvement. Grid automation delivered by networked digital systems is required for continued grid safety improvements. For instance, automatically cutting power to downed power lines to avoid wildfires would be impossible in a manually operated world, as would removing staff from hazardous environments and enabling them to work remotely using sophisticated grid-management applications.
The SEIA legislation is well-intentioned but misguided, because digital, connected control is desirable and, in fact, inevitable for most utility infrastructures. Many previous government and utility measures have focused on incident detection and response. To properly secure these vital systems, the industry instead needs to focus on next-generation technologies that prevent and quarantine threats at the source.
Keeping bad actors off a network can never be guaranteed, so grid operations need a granular security system that first and foremost protects access and controls each interaction between individual machines, people, and applications across the operation. That system must then detect unauthorized access attempts and be able to quarantine them before they can infect the wider operation and potentially cause power outages and dangerous electrical interference.