A coordinated interruption in the steady supply of electric power, oil, gas, or water could have crippling effects on US national security, experts say.

And US energy supply systems are thought to be vulnerable to terrorist acts, including cyber attacks.

But what is secure?

With so many government agencies, standards bodies, utility companies, and equipment suppliers in the US and overseas involved in making, selecting, and using the equipment that controls domestic energy supply systems, arriving at a consensus, much less developing requirements and defining what constitutes adequate security of those systems, has been difficult, says Rolf Carlson of Advanced Information and Control Systems Dept. 5517.

To address this problem, DOE’s Office of Energy Assurance recently established a standards group, the Critical Infrastructure Security Standards Working Group (CISSWG), to serve as a clearinghouse for critical energy infrastructure security standards development.

Four-lab leadership

The group initially is being led by infrastructure security experts at four DOE national laboratories –"Sandia, Pacific Northwest Laboratory, Argonne National Laboratory, and Idaho National Engineering and Environmental Laboratory (INEEL) –"and is sponsored by DOE’s National SCADA Testbed (NSTB), which is co-led by Sandia and INEEL.

But CISSWG is relying on the contributions of industry, academia, government, national labs, and existing standards bodies to accomplish its objectives, says Rolf, who is serving as CISSWG’s chairperson.

The group’s goals include coordinating and influencing international and industrial standards activities, providing technical leadership, and facilitating oversight in order to improve US energy security through the adoption of beneficial technologies and security practices.

Growing need for security

While the scope of CISSWG is broad, its first priority is to help secure the command and control systems –"called SCADA for Supervisory Control and Data Acquisition –"that facilitate operation of energy infrastructures, says Rolf.

As the SCADA systems have been modernized and as business requirements have driven the need for more real-time system information, connections to corporate enterprise networks and business applications via Internet technologies have become the norm, he says.

This has introduced vulnerabilities that are common to all modern networked systems. At the same time, adversaries have become more sophisticated and have easy access to system information and attack tools via the Internet to exploit these vulnerabilities, he says. 

"There is a growing need to develop and apply technology and processes to improve the protection of these systems," says Rolf. "But in part because of competition among utilities and equipment suppliers and the small profit margins in the industry, the international energy community has not yet been able to adopt new security measures adequate for today’s security environment."

CISSWG can serve as an objective non-industry and non-government third party to bring together the needs of the various energy-related stakeholders and recommend standards that would lead to improved security, he says.

An international effort

The four labs were selected for their expertise in physical security, cyber security, and infrastructure security, and their involvement in various standards activities.

CISSWG’s effort is by necessity international in scope, says Rolf. Many of the 20 or more standards groups that help establish specifications for energy control equipment are international. A significant portion of the world’s top manufacturers of infrastructure control equipment is made up of multinational companies based in Europe.

The traditional process for adopting new standards through these bodies often takes decades to complete. CISSWG will, it is hoped, accelerate this process, he says.

 "It is important that the international standards community hears the US speaking in a clear and coherent voice," he says. "By working with national and international standards bodies and working groups to develop improved security standards, we can enhance the global market for secure technologies and systems that will in turn improve the US national security posture."

Coordinate, prioritize

The group’s first, ongoing task is to gather information about current standards efforts and share it with members of the US national lab, academic, and industrial communities to encourage participation in international standards development, Rolf says.

CISSWG also will make recommendations to various standards bodies currently developing standards and develop a business plan for how DOE can best influence the process for improving the US energy infrastructure security.

Working with other US government agencies such as the Department of Homeland Security and the Environmental Protection Agency, the group will coordinate US efforts, prioritize work, create forums for information exchange, support strategically important standards efforts, and ensure that ongoing efforts meet US requirements for security –"including confidentiality, authentication, penetration resistance, physical security, and other factors.

The four DOE labs will form the first-year core group for CISSWG. Additional members will be added in later years as funding permits.  In addition, the CISSWG is open to supporting other programs and needs around the laboratory complex that require standards for secure command and control, such as sensor networks, physical security systems, and other forms of monitoring systems. 

For additional information regarding

CISSWG, contact Rolf Carlson at 844-9476 (recarls@sandia.gov), Juan Torres at 844-0809 (jjtorre@sandia.gov), or Reynold Tamashiro at 845-9804 (rstamas@sandia.gov)