The following activity is designed to prompt expression of your knowledge of and ability to apply engineering professional skills. Its purpose is to determine how well your engineering program has taught you these skills. By participating, you are giving your consent to have your posts used for academic research purposes. When your posts are evaluated by the program assessment committee, your names will be removed. In order to post, click on the Sign In button in the upper right hand corner of the blog page, then sign in using your gmail account and password.
Time line: You will have 2 weeks to complete the on-line discussion as a team. Use this blog to capture your thoughts, perspectives, ideas, and revisions as you work together on this problem. This activity is discussion-based, meaning you will participate through a collaborative exchange and critique of each other’s ideas and work. The goal is to challenge and support one another as a team to tap your collective resources and experiences to dig more deeply into the issue(s) raised in the scenario. Since the idea is that everyone in the discussion will refine his/her ideas through the discussion that develops, you should try to respond well before the activity ends so that the discussion has time to mature. It is important to make your initial posts and subsequent responses in a timely manner. You are expected to make multiple posts during each stage of this on-going discussion. The timeline below suggests how to pace your discussion. This is just a suggestion. Feel free to pace the discussion as you see fit.
Tuesday Week 1 Initial Posts: All participants post initial responses to these instructions (see below) and the scenario.
Thursday Week 1 Response Posts: Participants respond by tying together information and perspectives on important points and possible approaches. Participants identify gaps in information and seek to fill those gaps.
Tuesday Week 2 Refine Posts: Participants work toward agreement on what is most important, determine what they still need to find out, & evaluate one or more approaches from the previous week’s discussion.
Thursday Week 2 Polish Final Posts: Participants come to an agreement on what is most important, and propose one or more approaches to address the issue/s.
Discussion Instructions
Imagine that you are a team of engineers working together for a company or organization to address the issue raised in the scenario. Discuss what your team would need to take into consideration to begin to address the issue. You do not need to suggest specific technical solutions but identify the most important factors suggest one or more viable approaches.
Suggestions for discussion topics
• Identify the primary and secondary problems raised in the scenario.
• Who are the major stakeholders and what are their perspectives?
• What outside resources (people, literature/references, and technologies) could be engaged in developing viable approaches?
• Identify related contemporary issues.
• Brainstorm a number of feasible approaches to address the issue.
• Consider the following contexts: economic, environmental, cultural/societal, and global. What impacts would the approaches you brainstormed have on these contexts?
• Come to agreement on one or more viable approaches and state the rationale.
Power Grid Vulnerabilities
In 2010, the US power industry received $3.4 billion as part of the recent economic stimulus package to help modernize the country's electric power system and increase energy efficiency.
The nation’s security experts are concerned about the increased vulnerability of the operational systems used to manage and monitor the smart grid infrastructure. Supervisory Control and Data Acquisition (SCADA) systems are one of the primary energy management systems used to control the power grid. SCADA systems are susceptible to cyber attacks because many are built around dated technologies with weaker protocols. To increase access to management and operational data, these systems and their underlying networks have been progressively more interconnected.
Contemporary hackers may circumvent technical controls by targeting a specific user within the utility instead of hacking directly into the grid. For example, a person with intention to launch cyber attacks could be employed by a business that sells products or services to a company, allowing regular e-mail interactions with the internal procurement office. The hacker could circumvent the company’s firewall by sending emails with a Trojan horse or advanced malware, thus creating a virtual tunnel to the procurement office’s computers. This would give the hacker undetected direct access to the company's network which could be used to launch further attacks.
Since 2000, successful cyber attacks to the SCADA systems of a number of US power generation, petroleum production, water treatment facilities, and nuclear plants have increased by tenfold. In April 2010, a Texas electric utility was attacked from Internet address ranges outside the US. In late 2010 and early 2011, Iranian nuclear power plants and German-headquartered industrial giant Siemens witnessed the powers of Stuxnet, the sophisticated malware designed to penetrate industrial control systems. Experts warn that Stuxnet or next-generation worms could incapacitate machines critical to US infrastructure, such as electric power grids, gas pipelines, power plants, and dams. The worm circumvents digital data systems and thwarts human operators by indicating that all systems are normal, when they are actually being destroyed.
Official US governmental standards for power grid cyber security are not robust enough to ensure against such threats. According to a January 2011 Department of Energy audit, the current standards are not “adequate to ensure that systems-related risks to the nation’s power grid were mitigated or addressed in a timely manner.”
Sources
Audit Report: Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security. (January 26, 2011). U.S. Department of Energy, Office of Inspector General, Office of Audits and Inspections.
Computer Expert Says US Behind the Stuxnet Worm. (March 3, 2011). Agence France-Presse.
Cyberwar: In Digital Combat, U.S. Finds No Easy Deterrent. (January 25, 2010). New York Times.
Hacking the Smart Grid. (April 5, 2010) Technology Review.
New Breed of Hacker Targeting the Smart Grid. (June 1, 2010). Coal Power Magazine.
The issue of this scenario is improving control and monitor system of the US power grid. In the scenario, it mentioned that security experts are concerned about SCADA system because many are built in outdated technologies. This could be serious problem in terms of cyber attacks. In order to eliminate this problem, several things can be performed. Firstly, simply upgrade or redesign SCADA system based on the most recent technologies. One of problems comes from SCADA system itself due to the fact of having outdated technologies. So by utilizing the most recent technologies, it can prevent some cyber attacks. Secondly, create a law which makes all power utility companies to have security teams. It seems like power utility companies do not own specific technologies to prevent or counterattack cyber attacks. By having security team within companies, issues like cyber attacks can be handled efficiently.
ReplyDeleteThe main issue at hand is determining a solution to stop hackers from penetrating into SCADA systems and manipulating the Power Grid. The author mentions that “a person with intention to launch cyber attacks could be employed by a business that sells products or services to a company.” The author insinuates that many of these attacks are “in house” with subcontracting companies the Power Companies do business with. One possible solution to minimizing these in house attacks are to have the power companies run background checks with all the subcontracting employees they do business with. By doing this, the Power Companies can take their business somewhere else if subcontracting employees have criminal records involving cyber crime.
ReplyDeleteThe author also mentions that the SCADA systems use “dated technologies with weaker protocols.” It is vital that the SCADA systems are state of the art and impenetrable from unwanted forces. In my opinion, the SCADA systems should be one the most safeguarded control systems in the United States since it manages and controls the power grid. If a terrorist was to hack into the SCADA and destroy the power grid, the United States would be very vulnerable to other attacks since it would be without electricity. Today we live in such an electricity dependent environment, if the power goes out many people would struggle to survive. A possible solution is for the U.S. government to create a security agency specifically in charge of watching over the SCADA systems for all power companies and for the government to require that all power companies frequently update their technology with the most current technology.
The stakeholders in this issue are the United States government and residents of the U.S. If terrorists do hack into the SCADA systems and destroy the power grid, many citizens lose power and America as a whole is vulnerable to attack. If a security agency is implemented by the government to watch over the controls systems, it would require a lot of revenue to fund such a project since it would mean hiring many agents and replacing old technology with current technology.
This comment has been removed by the author.
ReplyDeleteThere are two problems raised by the scenario that faces the security of power grid.
ReplyDeleteThere are two problems raised by the scenario that faces the security of power grid.
First, the scenario mention the vulnerabilities associated with the utility company users from a person who work with other service provider businesses that interact with the power grid company who can launch cyber attack through one of the power grid users. Such problems can be effectively dealt with by creating and enhancing strict policy from which all the utility’s users must stick to. Creating such effective policy requires hiring specialists from multidiscipline areas such as mathematicians, computer software network and hardware engineers, psychologists, business and any other areas that could help in making the policy.
The second problem with the dated technologies can be upgrading the monitoring systems and even to find and invest in research for new solutions that are more secure and stable.
Creating an effective policy and finding innovative solution that are both robust and secure will have big impact on the company's stakeholders which include the U.S government and all the residents serviced by the power grid. A reliable power grid will make the residents feel safer and more secure to stay at their homes and thus will improve the economy and all of its aspects from good education to better family. As a result, A secure and reliable power grid will have economical, environmental, social, and even a global positive impacts.
The main problem in this scenario is that the modernized system for energy efficiency has a weakness to cyber attacker. In other word, the developed system is faced with another which is security problem. Due to this unstable system, it brings disadvantages to customers or destroys the overall system. Because nowadays we are totally depend on energy like petroleum and electricity stakeholders are US department and energy customers.
ReplyDeleteTo reduce the risk, we need to approach this problem in many ways; first as an engineer, we need to find the best solution for technical problems and develop network equipment like firewall second effective policies are required for example access to technical control has to be limited to only certain related person by the law. When we interact with country and society, it will reach to the best solution.
It seems that as a whole we all agree that measures need to be taken inside power companies to reduce the risk of hackers. I agree with Steven in that the government needs to crack down on the hackers by creating some sort of law where :
ReplyDelete1) Power companies must have a security team specifically focused on protecting the controls systems.
a) The team must be certified and tested by the government to ensure that the individuals on the team are qualified and have the proper credentials to safeguard the SCADA systems.
2) Hackers who are caught by the government will face serious jail time. This will act as a scare tactic to potential hackers.
At the same time, individuals must ask how do we get the public involved, so that such laws like the one recommended can be passed.
I agree again that most of issues/problems should be handled inside of power companies because of one important reason, security. It would be better to have more resources outside of power companies, but this can result the process of empowering security system to be somewhat open to be leaked to the public. Depends on what kinds of technologies are leaked, the outcome can be crucial. So in order to prevent situations to be happening, most of works should be done inside of power companies. If for some reasons, issues/problems cannot be handled inside of power companies, they should seek assistance from the government, not from other companies.
ReplyDeleteThe stakeholders of this scenario is anyone who uses power in the U.S. In other words, all residents in the U.S including the government.
So as a group it seems that we agree that power companies need to strengthen their security within their company to safe guard the SCADA systems and also seek assistance from the government if a company needs extra assistance. Overall, I feel like this is a very reasonable approach and will definitely stop hackers from getting into the SCADA systems. Still, however, we need to ask ourselves exactly what types of assistance will the government allocate to these power companies and how much will it cost. Government assistance would be great in helping power companies strengthen their security, however if it is too expensive then power companies may look to cheaper alternatives that may not offer the better security. Also, if power companies do choose to strengthen their security within their company, shouldn’t there be a standard across the United States enforcing a requirement of how secure each security system within these power companies are?
ReplyDeleteGary pointed out important thing. It is the fact that every business has a goal of making profit. Without making profit, companies cannot operate. So power comanies might not seek assistance from the government if the price is expensive. The government should have acceptable price for assistance. Also the government can assist power comapines by providing security solutions, and/or send security specialists.
ReplyDeleteOne of the main issue that causes this security problem was its connection with the internet. So I think power companies needs to separate the control units from the internet and allow only the necessary information to be displayed on the internet with read only privileges such as the system performance and all the sensors reading. The control unit (SCADA) that control the power grid should be completely isolated from the outside world such as the internet and only people with authorized access can control it. This may prevent threats from internet hackers but it might also limit the way in which users access and update the power gird information.
ReplyDeleteI agree with Abdallahi, in that the more separated the SCADA controls are from outside sources the harder it will be for hackers to gain access. If the SCADA and any other control systems used to control the power grid are isolated and cannot be accessed via wi-fi then the power grid would be well protected from cyber crime.
ReplyDelete