[Editor's Note: This is the first part of a two-part profile on Joe Weiss and cybersecurity. The first part tackles why the grid is vulnerable and how Iran is capable of taking out the grid; the second part will outline what a worst-case scenario could look like and what utilities should be doing to prevent it from happening.]
Joe Weiss has been working on control systems for the electric and other industries his entire career.
“But until cybersecurity came along,” he says, “the utility industry did not ignore impacts on reliability and safety like they are doing now.”
Weiss has been a subject matter expert to several government organizations, has testified before Congress and provided control system cybersecurity recommendations to the Obama Administration. For over 14 years, Weiss was the technical manager of the Electric Power Research Institute’s Enterprise Infrastructure Security program and, today, Weiss is a Managing Partner at Applied Control Solutions, a consulting firm that specializes in securing industrial control systems. He also publishes a blog, Unfettered, where he writes about cybersecurity issues and emerging threats.
“I just simply can’t explain why these really smart people are doing what they’re doing,” Weiss says about the utility industry. “The more appropriate phrase—not doing what they should be doing.”
The industry has not secured its critical infrastructure, Weiss argues. “We’ve been led down the path to believe that one—these systems are secure. And two—other countries don't have the capability to effectively attack the U.S. electric grid,” he intones. “The answer is both of those assumptions are wrong.”
WHY THE GRID IS NOT PROTECTED
“The design of the grid never addressed cybersecurity,” Weiss says. “It’s really that simple. They accounted for reliability, safety, flexibility, interoperability and physical security—but not cybersecurity.”
He explains that the U.S. power grid was originally built on an n-1 concept: the grid could lose its worst-case amount of equipment plus one more component and still function. “But that approach never accounted for malicious events,” Weiss says. “That’s why it’s vulnerable to cyber threats.”
The NERC Critical Infrastructure Protection Standards (CIPS) were intended to add security to the grid, but Weiss claims they are fraught with loopholes. The primary problem is that the NERC CIPS were developed by the industry itself, and the industry decided that the CIPS don’t apply to all equipment, protocols and communication media. “The idea that the utilities themselves get to decide what’s critical [makes no sense],” he says.
Weiss lists a few of the loopholes in the NERC CIPS. Non-routable communications such as point-to-point serial and telecom communications are excluded even though they are a major part of communications in substations and power plants. Power plants under 1,500 MW are excluded even though that eliminates 70%-80% of the generation in North America. The entire distribution network is excluded, as well as small transmission assets.
The problem, Weiss argues, is the electric grid depends on all of these entities. “It’s not so much losing one, but losing many,” he concludes. “Think about 9/11. Where did the hijackers get on [the planes]? They didn’t get in at Logan or at Newark or at Kennedy. They got on at the small airports and then walked into the large airports as trusted. This whole concept that if you’re not big enough, you don’t have to look, is nuts. It makes no sense and creates a back door into the big utilities.”
“Unless a piece of paper can prevent someone from hacking, the grid is pretty much open. I would use the word wide open, but pretty much open.”
In fact, he quickly adds, “the NERC CIPS are a roadmap for attacking the electric grid because they publicly state what is included and, by inference, what is not included. It basically tells the hacker where you can go because it shows them where there’s no requirement to secure the grid, as well as the schedule for securing those assets that are considered critical.”
WHY IRAN—AND OTHERS—COULD TAKE OUT THE GRID
One year ago, Weiss says, he was asked by Control Magazine to review an article. The magazine had received an unsolicited request to publish a paper called “What’s the Best Defense Against Stuxnet?” The paper examined the technical issues of Stuxnet and analyzed how well the major anti-virus vendors’ products stood up against it. It concluded that none of the anti-virus products would be able to either detect or prevent Stuxnet.
“Here’s the punchline,” Weiss says. “The article was written by an engineer in critical infrastructure protection from one of the largest engineering companies in Iran.”
“The worst thing about Stuxnet,” he notes somberly, “is that it made Iran look like a bunch of third-world morons who were incapable of protecting their systems. Unfortunately, that’s just not true.”
Many experts write off Iran as not being capable of attacking the grid, Weiss says, but Iran is a very technologically developed country. Iran has access to all of the European anti-virus vendors and, even though U.S. anti-virus products technically aren’t sold to Iran, he says, the Iranian engineer noted in the Stuxnet article they can be easily accessed through the web.
When asked if Iran could take out the electric grid today, Weiss responds unequivocally, “Yes—and not just Iran.”
“It doesn’t have to be a nation-state like Iran,” he says. “You’ve got malicious code designed to attack these critical pieces of equipment that is available on the Internet. It’s really that simple. I can’t tell you why people do what they do or don’t do. All I can tell you is what can be done.”