U.S. Power Infrastructure as Vulnerable as It Was in 2003, Expert Says

Cyberattacks continue to threaten the national electric grid, power plants and pipelines, and one expert says IT engineers are to blame.

by John Funk, The Plain Dealer / October 24, 2018

(TNS) — The nation's electrical grid worked well for 80 years without the Internet, but today it is as vulnerable to cyber-based missteps and attacks as it was during the Great Blackout of 2003, says a national engineering security expert.

This vulnerability cannot be protected by software engineers, Joseph Weiss, an electrical engineer and managing partner of California-based Applied Control Solutions, told a conference of security experts gathered at Cleveland's IX Center on Tuesday.

Weiss, a 40-year veteran mechanical and computer systems engineer, including 15 years with the Electric Power Research Institute, has assisted congressional committees in trying to figure out how to harden the national grid and is currently helping the Nuclear Regulatory Commission develop new rules for power plant security.

He blames Information Technology, or IT, engineers for the failure to develop engineering to protect the grid as well as pipelines, power plants, water systems and chemical plants.

"Before 9/11 cyber was a business problem. Following 9/11 cyber was given to IT," Weiss told his audience of engineers attending EnergyTech18. On the other side of the building, another audience listened to IT experts at the 16th Information Security Summit, a split that Weiss later said exemplified his point.

"People who operate pumps, valves, and similar equipment are not responsible for cyber," he told his audience. "It's network people who have never seen a pump, a valve or a turbine," he said. "There is no security in any sensor. How can you be safe if you cannot trust your sensors?"

In other words, trying to solve the problem of grid and pipeline vulnerability from a network point of view cannot work. A solution has to start with the valves, switches and sensors themselves, hundreds of millions of them, many manufactured years before cyber was even a concept.

"If you are monitoring something, it's KISS -- 'keep it simple, stupid,' [a cherished engineering principle]. Cyber security makes control systems more complex, and less reliable," he said.

Weiss counted off a number of incidents as examples of the network vulnerability, including the San Bruno pipeline explosion in 2010, the San Bernardino, California, gasoline pipeline explosion of 1989, the Columbia Gas pipeline explosions in Massachusetts in September, the Homeland Security disclosures of Russian cyber agents that had invaded power plant control rooms, and the GPS hacking of Navy warships.

The U.S./Israeli attack on Iranian centrifuges used to make bomb-grade uranium is another example of something that IT system sensors never caught, he said, but that sensor technology in the centrifuges would have detected.

Weiss said technologies that monitor actual sensors in electrical or pipeline systems are now only at the "proof of concept" stage, having been tested at power plants, a gas turbine power plant, a water treatment plant and a waste water treatment plant among other systems.

In an interview Weiss explained his dramatic approach this way:

"I am saying I can bring down the grid for nine to 18 months [by damaging critical equipment]. I am saying the utilities have chosen not to put in mitigation equipment.

"This vulnerability is especially a concern because much of the grid equipment supports ... legacy communications protocols that were designed without security in mind," he said, "which means any attacker that can communicate with the device can control it and use its vulnerability to destroy it."

©2018 The Plain Dealer, Cleveland. Distributed by Tribune Content Agency, LLC.