The discovery of the Stuxnet worm in 2010 shone a harsh light on the fragility of industrial control systems (ICS), such as supervisory control and data acquisition (SCADA) systems, and has created a new urgency among security vendors and utility managers alike. Nearly overnight, ICS security went from being a non-issue to being critical. Because of that rapid change, ramp-up time has been non-existent, with no time for an industry to consider what is needed and how to develop a manageable approach to security. At nearly the same time, the American Recovery and Reinvestment Act of 2009 created a gold rush mentality, with utilities and vendors submitting requests quickly in order to obtain some of the funding. Many of those requests simply stated a list of infrastructure components, without adequate consideration of cyber security requirements. As a result of these two developments, the utility industry now has a large installed base of smart grid components, but little idea how to secure them. No clear or shared vision exists of what to build.
According to a recent report from Pike Research, such risks to the electrical grid will require utilities to make major new investments in cyber security for ICS in the coming years. The cleantech market intelligence firm forecasts that these investments will total $4.1 billion between 2011 and 2018.
“Many SCADA systems were deployed without security in the belief that SCADA would always be isolated from the Internet,” says senior analyst Bob Lockhart. “But it’s not, and even when it is, attacks such as Stuxnet can circumvent the isolation by using USB memory sticks to spread. And SCADA security has different objectives than IT security. The familiar ‘confidentiality, integrity, and availability’ is replaced with ‘safety, reliability, and integrity.’ This is nearly impossible to accomplish with the infrastructure-only approach taken by most information security products.”
One of Stuxnet’s more noticeable effects was to cause nearly every security vendor to create an Energy Business Unit. Security vendors have taken one of three approaches to entering the smart grid market. A few security vendors have focused on ICS security since their founding. Some of the relative newcomers to ICS security have hired long-time energy industry veterans to run their energy business. Others have simply rebranded existing products as “smart grid ready” and sell them on the basis of their widespread adoption in IT environments.