How to gear up for a grid attack – lessons from the US

393

Two recent events in the US have focused on preparing for potential threats to the grid and utilities – which “face thousands of malicious probes each day”, says Robert Weisenmiller, chairman of the California Energy Commission.

Mr Weisenmiller said: “If you’re a utility today, depending on your scale, you’re under attack at this moment.”

The North American Electric Reliability Corporation (NERC) has issued recommendations from its second grid security exercise, GridEx II, which took place in November 2013.

Meanwhile, the Washington-based Council on CyberSecurity has updated its Top 20 Critical Security Controls to Version 5.0, a list that aims to provide “tangible methods to address risks to its enterprise data and systems”.

More than 230 US organisations participated in the 2013 GridEx II exercise, including the Department of Homeland Security, the FBI and the Department of Energy.

GridEx II simulated a worst-case scenario through co-ordinated cyber and physical security attacks to give participants a chance to test command, control and communication plans.

NERC found that organisations need to enhance information sharing, improve incident response and situational awareness, and work on boosting coordination with NERC.

A round-table industry and federal agency discussion revealed that participants recommended new legislation to help deal with emergencies.

Cyber security

In Washington, the Council on CyberSecurity issued its updated report The Critical Security Controls for Effective Defense, compiled by a panel of security industry experts.

The report aims to keep pace with evolving risks and challenges related to cloud computing, mobility and the Internet of Things.

Tony Sager, Chief Technologist for the Council on CyberSecurity, said: “Organisations are well-served by community efforts to provide practical guidance that is continuously evaluated for updates and is mapped to recognized standards and policies.

“The Critical Controls apply across industries, and the mapping work produced by the Council on CyberSecurity is critical to allowing diverse organizations to make use of the recommended controls.”

The report includes sections on risks by devices and software, ‘quick wins’ that provide risk reduction without major financial input and advice on incident response and management.

To view the report, click here.

Today’s top stories
Energy sector uses 15% of world’s water, says IEA report
How to gear up for a grid attack – lessons from the US
Deal watch: Schneider and McAfee tackle cybersecurity together