Monday, April 18, 2011

Engineering Professional Skills 2011

The following activity is designed to prompt expression of your knowledge of and ability to apply engineering professional skills. Its purpose is to determine how well your engineering program has taught you these skills. By participating, you are giving your consent to have your posts used for academic research purposes. When your posts are evaluated by the program assessment committee, your names will be removed. In order to post, click on the Sign In button in the upper right hand corner of the blog page, then sign in using your gmail account and password.

Time line: You will have 2 weeks to complete the on-line discussion as a team. Use this blog to capture your thoughts, perspectives, ideas, and revisions as you work together on this problem. This activity is discussion-based, meaning you will participate through a collaborative exchange and critique of each other’s ideas and work. The goal is to challenge and support one another as a team to tap your collective resources and experiences to dig more deeply into the issue(s) raised in the scenario. Since the idea is that everyone in the discussion will refine his/her ideas through the discussion that develops, you should try to respond well before the activity ends so that the discussion has time to mature. It is important to make your initial posts and subsequent responses in a timely manner. You are expected to make multiple posts during each stage of this on-going discussion. The timeline below suggests how to pace your discussion. This is just a suggestion. Feel free to pace the discussion as you see fit.

Tuesday Week 1 Initial Posts: All participants post initial responses to these instructions (see below) and the scenario.

Thursday Week 1 Response Posts: Participants respond by tying together information and perspectives on important points and possible approaches. Participants identify gaps in information and seek to fill those gaps.

Tuesday Week 2 Refine Posts: Participants work toward agreement on what is most important, determine what they still need to find out, & evaluate one or more approaches from the previous week’s discussion.

Thursday Week 2 Polish Final Posts: Participants come to an agreement on what is most important, and propose one or more approaches to address the issue/s.

Discussion Instructions
Imagine that you are a team of engineers working together for a company or organization to address the issue raised in the scenario. Discuss what your team would need to take into consideration to begin to address the issue. You do not need to suggest specific technical solutions, but identify the most important factors and suggest one or more viable approaches.

Suggestions for discussion topics
• Identify the primary and secondary problems raised in the scenario.
• Who are the major stakeholders and what are their perspectives?
• What outside resources (people, literature/references, and technologies) could be engaged in developing viable approaches?
• Identify related contemporary issues.
• Brainstorm a number of feasible approaches to address the issue.
• Consider the following contexts: economic, environmental, cultural/societal, and global. What impacts would the approaches you brainstormed have on these contexts?
• Come to agreement on one or more viable approaches and state the rationale.

Power Grid Vulnerabilities
In 2010, the US power industry received $3.4 billion as part of the recent economic stimulus package to help modernize the country's electric power system and increase energy efficiency.
The nation’s security experts are concerned about the increased vulnerability of the operational systems used to manage and monitor the smart grid infrastructure. Supervisory Control and Data Acquisition (SCADA) systems are one of the primary energy management systems used to control the power grid. SCADA systems are susceptible to cyber attacks because many are built around dated technologies with weaker protocols. To increase access to management and operational data, these systems and their underlying networks have been progressively more interconnected.
Contemporary hackers may circumvent technical controls by targeting a specific user within the utility instead of hacking directly into the grid. For example, a person with intention to launch cyber attacks could be employed by a business that sells products or services to a company, allowing regular e-mail interactions with the internal procurement office. The hacker could circumvent the company’s firewall by sending emails with a Trojan horse or advanced malware, thus creating a virtual tunnel to the procurement office’s computers. This would give the hacker undetected direct access to the company's network which could be used to launch further attacks.

Since 2000, successful cyber attacks on the SCADA systems of a number of US power generation, petroleum production, water treatment facilities, and nuclear plants have increased tenfold. In April 2010, a Texas electric utility was attacked from Internet address ranges outside the US. In late 2010 and early 2011, Iranian nuclear power plants and German-headquartered industrial giant Siemens witnessed the powers of Stuxnet, the sophisticated malware designed to penetrate industrial control systems. Experts warn that Stuxnet or next-generation worms could incapacitate machines critical to US infrastructure, such as electric power grids, gas pipelines, power plants, and dams. The worm circumvents digital data systems and thwarts human operators by indicating that all systems are normal, when they are actually being destroyed.
Official US governmental standards for power grid cyber security are not robust enough to ensure against such threats. According to a January 2011 Department of Energy audit, the current standards are not “adequate to ensure that systems-related risks to the nation’s power grid were mitigated or addressed in a timely manner.”

Sources
Audit Report: Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security. (January 26, 2011). U.S. Department of Energy, Office of Inspector General, Office of Audits and Inspections.
Computer Expert Says US Behind the Stuxnet Worm. (March 3, 2011). Agence France-Presse.
Cyberwar: In Digital Combat, U.S. Finds No Easy Deterrent. (January 25, 2010). New York Times.
Hacking the Smart Grid. (April 5, 2010) Technology Review.
New Breed of Hacker Targeting the Smart Grid. (June 1, 2010). Coal Power Magazine.

11 comments:

  1. The primary issue expressed in this statement is improving the control and monitoring systems used by the US smart power grid to prevent access by malicious hardware.

    The security of the power grid is crucial to a variety of individuals. American consumers require the power grid to operate at peak efficiency to power personal, commercial and industrial devices. The maintainability and consistent operation of the grid is crucial to the US Department of Energy. Companies that do contracting work associated with the power grid rely on the functionality of system to retain contracts and maintain their reputations.

    Fortunately the problem of computer security is currently a very important topic in computer science and engineering: as a result a lot of groundbreaking research is currently taking place in this area. Many universities and private organizations are investing research dollars in advanced projects and skilled individuals to work on them. As a result the academic output in the area of network security is relatively high. Private companies such as Boeing and Amazon also face serious security concerns. If professionals from these organizations and others who have dedicated security teams work with teams associated with the smart grid, the relationship could be mutually beneficial. Another potentially useful resource is current or former malicious programmers. By observing their actions and consulting with such individuals, programmers can locate security flaws in their networks.

  2. One possible solution to many of the security flaws in the network is updating the hardware and protocols used in the power grid network. Using newer, more secure hardware will decrease its susceptibility to attack: research would be required to determine the effectiveness of this solution. Updating software and hardware protocols to those that transmit limited or encrypted information would reduce the chances of malicious software accessing remote machines where it could cause damage. The primary concern with this approach would be cost and development time: upgrading software and hardware is expensive, time consuming, and requires a great deal of expertise.

    Another solution is eliminating or reducing external access to any network that contains control systems or critical data. If machines containing critical control and sensing information are completely isolated from machines that can receive data from the outside world, whether in the form of email, USB drives, or the internet, there will be less access points for malicious software. Machines that exchange data with the outside world should be connected on an isolated network. Updating the infrastructure of the network to fit this strategy could require the addition of new hardware and a great deal of IT work that could be costly.

    It would also be possible to reduce the effect of malicious software by increasing the redundancy of the control systems software. This could alleviate concerns that malicious software is accessing a machine and affecting it in a way that is invisible to an operator. If several computers make each calculation independently and compare results before making control decisions, abnormal operation could be detected. If such a system were implemented it would require new hardware, but it is possible that minimal software development would be required.

    Not all approaches require new hardware or software configurations. It is also possible to reduce access to power grid control software to individuals who have appropriate security clearances. If only trusted contractors and subcontractors are allowed to access critical areas of the software a certain amount of threat can be circumvented. This will reduce the pool of individuals qualified to work on the system and may require addition of more government jobs to police the candidate pool.

    Because there are many negative environmental and societal effects associated with a compromised power grid it will be necessary to find a solution that works quickly and effectively. As such the more successful security measures that are put in place the better the solution. Unfortunately the security of the system will be limited by cost: if the government or private industry face funding decisions they will not be able to distribute all the resources required for improvement of the system. This will require compromises that may hurt the performance of the system.

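The redundancy idea in the comment above (several machines computing each decision independently and comparing results before acting) can be sketched in code. The following Python is an added example written for this page; it is not code from the commenter or from any utility. The control law, the "compromised" channel, the tolerance band, the safe fallback and the sample level readings are all constructed assumptions.

```python
"""Added example, not from the original comment: a toy 2-out-of-3 voting stage
for one control decision. Three independent channels compute a pump command
from the same sensor reading; the voter acts only on a majority and raises an
alarm for any channel that disagrees. All control laws, thresholds and inputs
below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple


def nominal_control(level_pct: float) -> float:
    """Hypothetical control law: pump speed (0..100 %) rises as the tank level
    falls below a 50 % target."""
    return max(0.0, min(100.0, (50.0 - level_pct) * 4.0))


def compromised_control(level_pct: float) -> float:
    """Constructed stand-in for a tampered channel: it drives the pump to full
    speed whatever the level. The voter never trusts a channel's own status
    report; only the command it actually emits is compared."""
    return 100.0


@dataclass(frozen=True)
class Decision:
    command: Optional[float]     # agreed command, or None when no majority exists
    dissenting: Tuple[int, ...]  # indices of channels outside the agreement band


def vote(commands: Sequence[float], tolerance: float = 0.5) -> Decision:
    """Return the first command that a strict majority of channels agree with
    (within `tolerance`), plus the indices of the channels that do not."""
    n = len(commands)
    for candidate in commands:
        agree = [j for j, c in enumerate(commands) if abs(c - candidate) <= tolerance]
        if 2 * len(agree) > n:
            return Decision(candidate, tuple(j for j in range(n) if j not in agree))
    return Decision(None, tuple(range(n)))


def decide(channels: Sequence[Callable[[float], float]], level_pct: float,
           safe_command: float = 0.0) -> Tuple[float, List[str]]:
    """Run every channel on the same input, vote, and fall back to `safe_command`
    when there is no majority. Alarms name every dissenting channel so an
    operator sees the disagreement rather than a reassuring status light."""
    commands = [channel(level_pct) for channel in channels]
    result = vote(commands)
    alarms = [f"channel {i} disagreed: commanded {commands[i]:.1f}"
              for i in result.dissenting]
    if result.command is None:
        alarms.append("no majority; holding safe command")
        return safe_command, alarms
    return result.command, alarms


if __name__ == "__main__":
    healthy = [nominal_control] * 3
    one_bad = [nominal_control, nominal_control, compromised_control]
    print(decide(healthy, 40.0))  # (40.0, [])
    print(decide(one_bad, 40.0))  # (40.0, ['channel 2 disagreed: commanded 100.0'])
```

The design choice worth noting is that the voter compares what each channel commands, not what it says about itself; a channel that reports "normal" while emitting an out-of-band command is still outvoted and flagged. When no majority exists the stage holds a safe command and alarms, rather than picking a channel arbitrarily.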
  3. To me the primary issue is the security of United States infrastructure and therefore improvement to the SCADA systems and protocols. This raises a secondary issue of making these improvements in a quick and efficient way to minimize disruption to the power grid and the systems SCADA protects. Another secondary issue is that of efficiency over safety. These SCADA systems have been increasingly linked together to make for more efficient systems; however this drops the security of each of these systems.

    There are many stakeholders related to this issue.

    -US GOVERNMENT- The government regulates these systems and therefore makes the decisions on which directions to take. The government looks at the most cost effective design alternative that meets the minimum needs of the program. Currently the SCADA systems are not meeting these security needs.

    -US CITIZENS- Citizens expect their safety and services to automatically be there. That is why they pay their taxes. These SCADA protocols are not protecting the citizens’ services and safety.

    -USERS OF SCADA PROTOCOLS- These engineers need a system that is efficient to use in order to regulate their systems effectively. However, security is very important in keeping these systems working. A balance between security and efficiency must be decided upon.

    In order to find a balance between security and efficient systems, computer scientists who specialize in security should be consulted. I suggest holding a call for papers and solutions relating to this problem from universities. This protocol for starting a discussion on solutions has been used in the past. (The digital communications field has made great progress using this paper approach). Some of the greatest minds in the field will be thinking about viable security protocols that can be used. This is just a starting point. Computer Science is a very popular field currently and the design solution is out there.

    This is just a beginning design step; therefore the impacts from this step are minimal. There are no environmental or economic issues to a call for papers. However, cultural/societal and global effects could be seen because controversial solutions will be developed.

    Quicker solutions of limiting intersystem connections, as well as outside user access are also on the table. These solutions could be used as an intermittent step while the system overhaul is being created. I believe keeping the functionality of these systems is of great importance. A more robust security system should be implemented for the long run in order to keep efficiency of these systems on par with the security side.

  4. This comment has been removed by the author.

  5. The primary issue presented is that of the security and efficiency of the US power grid. The main concern with the security is that the SCADA systems used are built on dated, and weak, protocols. This leaves them open to cyber attacks, which have been shown to increase since 2000. In addition, foreign power plants have been attacked as well.

    Secondary issues that arise include the timeliness of changes, the cost incurred, and the impact of the changes:

    Necessary changes would most likely be implemented with the aforementioned stimulus money. In addition, the government often regulates many aspects of this industry. When dealing with the government, one must always consider how quick these important changes could be implemented; there is often a lot of red-tape associated with drastic changes such as these. Will the changes be implemented in such a time frame that they remain ahead of the curve? Or will these changes be implemented only to see cyber attackers already able to bypass them?

    Another secondary concern is that of the cost. How much will these changes cost to implement? Implementing widespread changes in such a large industry could prove to be a massive task. Before proceeding with a course of action, one should make sure that alternative courses of action have been explored and considered based upon their timeliness, cost, etc.

    A final secondary issue is that of impact. In order to undertake these changes, how will everyone involved be impacted? Will consumers have their daily routines impacted? Will portions of the grid be down for extended lengths of time? While systems are being updated, will portions of the grid be at increased risk of attack?

    This last concern brings up some of the stakeholders in the overall issue presented. Some stakeholders include:

    -The power industry itself
    -Consumers of the power industry
    -Large companies, as well as foreign countries, that might follow the power industry's lead in dealing with this issue
    -The US Government (in giving stimulus money)
    -Cyber attackers (and other industries). If the power industry updates their systems, will cyber attackers move on to more easily infiltrated industries?

  6. The primary issue presented is protecting the US power grid from the increased frequency of malicious invasions. Secondary issues are not apparent but could be keeping cost low and implementing a solution that would create very little downtime in the current system.

    There are several stakeholders in this issue. One of the greatest would be United States citizens. In the event that a resource became compromised by a malicious invasion the general public would, in all likelihood be without that resource, such as electricity. From another aspect, as taxpayers, US citizens want to see their money go to a good cause instead of a possible wasted effort. The US government is another stakeholder, who also wants to see the stimulus funds bring about a more productive, stable, and safe power grid. Another stakeholder would be the US power industry and the companies within it. If these companies are able to develop a stronger infrastructure they will not only be making the government and citizens happy but also save themselves hassle from future would be attackers.

    There are several ways in which this problem could be approached and solved. First, there should be very little access allowed to this system. All access should require a very high level of security clearance and there should be multiple checks and balances in place. One possibility would be to require hardware authentication of major decisions or changes being made to the system. This could be as simple as a key press or a finger print scan to confirm actions. This physical confirmation would make it nearly impossible for an exclusively cyber attack but would hamper the system's functionality somewhat. This solution would also require a lot of bureaucracy and could ultimately slow productivity of the system.

    Another option would be to not allow large changes to be made to the whole system from a remote location. If a hacker were to hack into one part of the system they would have no way of accessing other parts of the system without also hacking each of those pieces as well, making it much more difficult to gain control of the entire network. This solution could cause issues with the system as a whole and may affect the functionality but could provide a good amount of protection from cyber attacks affecting the whole system.

    Neither of these scenarios would have much of a global or environmental impact. Economically, depending on the cost of the security measures it could raise the price of the resource being protected and cost the government, power industry, and companies involved more money. Culturally, these solutions would also have little impact except by adding more bureaucracy to the power industry as a whole.

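The two controls proposed in the comment above (a physical confirmation step for major changes, and preventing one compromised point from controlling the whole system remotely) can be expressed as a small command gate. The Python below is an added example for this page, not code from the commenter or from any real SCADA product; the segment names, the "major change" threshold, the breaker counts and the audit-line format are constructed assumptions.

```python
"""Added example, not from the original comment: a command gate that applies
the two ideas in the post above. A station console only acts on its own grid
segment, and a 'major' change (many breakers at once) is refused when it
arrives remotely and held until an operator confirms it at the local console.
Thresholds, segment names and the audit format are constructed assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Origin(Enum):
    LOCAL = "local"    # issued at the console inside the station
    REMOTE = "remote"  # issued over the wide-area network


@dataclass(frozen=True)
class Command:
    origin: Origin
    segment: str                     # part of the grid the command targets
    breaker_count: int               # breakers the command would operate at once
    confirmed_locally: bool = False  # operator pressed the local confirm key


# Hypothetical policy threshold: operating this many breakers in one command
# counts as a major change.
MAJOR_CHANGE_THRESHOLD = 5


@dataclass
class Gate:
    station_segment: str
    audit: List[str] = field(default_factory=list)

    def authorize(self, cmd: Command) -> Tuple[bool, str]:
        """Return (allowed, reason) and record the outcome in the audit trail,
        so that denied attempts are visible to operators and reviewers."""
        allowed, reason = self._evaluate(cmd)
        self.audit.append(f"{cmd.origin.value} {cmd.segment} x{cmd.breaker_count}: "
                          f"{'ALLOW' if allowed else 'DENY'} ({reason})")
        return allowed, reason

    def _evaluate(self, cmd: Command) -> Tuple[bool, str]:
        major = cmd.breaker_count >= MAJOR_CHANGE_THRESHOLD
        if cmd.segment != self.station_segment:
            # Segmentation: a console that controls one segment cannot reach
            # the breakers of another, even if that console is compromised.
            return False, f"segment {cmd.segment} is not controlled from {self.station_segment}"
        if major and cmd.origin is Origin.REMOTE:
            # Large changes cannot be made from a remote location at all.
            return False, "major change rejected: remote origin"
        if major and not cmd.confirmed_locally:
            # Physical confirmation: a purely network-borne command cannot
            # supply the key press, so the change waits for an operator.
            return False, "major change held: awaiting local confirmation"
        return True, "authorized"


if __name__ == "__main__":
    gate = Gate("north")
    gate.authorize(Command(Origin.REMOTE, "north", 1))
    gate.authorize(Command(Origin.REMOTE, "north", 8))
    gate.authorize(Command(Origin.LOCAL, "north", 8, confirmed_locally=True))
    print("\n".join(gate.audit))
```

Small, routine adjustments still pass remotely, so day-to-day operation is not blocked; only changes above the threshold pay the cost of a local confirmation, which is the functionality trade-off the comment acknowledges.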
  7. Reading the above comments I see four primary approaches being used to confront the security threats to the US power grid: The existing infrastructure could be enhanced by adding additional hardware and software security layers, the existing infrastructure could be repaired where security vulnerabilities are located, substantial changes could be made to the existing software to improve its security, or the network hardware and software could be redesigned and constructed using enhanced security techniques.

    In selecting from these options it is necessary to consider the primary limitations. Trent, Austin, and Josh all mention the downtime of the system. If any significant portion of the US power grid is taken down for even a small period of time the effect on the US populace and economy could be significant. As such, repair to vulnerable code or significant overhaul of the system is risky: if the existing hardware or software architectures are modified it will require downtime. If bugs are found in the modifications the downtime could be substantial. Solutions such as reconfiguring the network architecture to eliminate connections with external devices could present the most issues in this area, requiring substantial IT work for setup.

    Another critical limitation, discussed by all group members, is the cost of the system. Solutions that require the development of substantial amounts of software or hardware might overrun the budget for the project. As such it will be crucial to recognize potential sources of funding from the Government and private industry and select solutions that adhere to this budget.

    It is also important to reduce the time required to implement the system. The longer the system has security vulnerabilities, the more time hackers will have to locate security vulnerabilities and construct malicious code to take advantage of known security flaws. As such, solutions such as redesign and construction of the entire system infrastructure could allow hackers the time to implement a costly invasion of the smart power grid.

    Trent's proposal for a call for papers from Academic sources would put some of the preeminent minds in computer science at work on the problem. Consultations with experts in industry could also focus the efforts of a great deal of individuals. The more experts that propose solutions to the issues, the higher the likelihood that a viable solution will be recognized. That being said, the discussion cannot be mired down in red tape and bureaucracy; a good solution must be selected, but it must be done in a timely manner!

    Based on the suggestions above, a multi-pronged program seems like an acceptable solution. Resources should be divided between teams working to solve the most immediate and glaring flaws in the existing architecture through the addition of hardware or software and teams looking for a long term fix. If there is tight integration between these two teams, resources can be effectively allocated while forward thinking solutions can be implemented in a timely manner.

  8. As we all have pointed out, there are several very key variables that need to be considered. Jeff summarizes it well in the above post, explaining that cost and time (both downtime as well as development time) are important factors when considering a solution to this problem. He also brought up a good point about the necessity to develop and implement a solution in a timely manner to prevent hackers from learning about the vulnerabilities of the system.

    Trent and Jeff also brought up a great point of taking advantage of academic resources. Research done in Universities across the country discovers new things everyday and it would be a valuable asset to the development team for this issue. One downside I see to this is that too many people may become involved in the research. The more people involved the higher the likelihood that hackers could get involved, learn of what implementations were being made, discover vulnerabilities and later exploit them.

    I think Jeff’s recommendation of using two teams: one to focus on the immediate problem and another to focus on long term solutions is an excellent plan. It does not give hackers time to settle in and discover vulnerabilities in the current system before the long-term system is implemented. In addition, this idea gives the long-term team time to focus and think rationally without feeling rushed to finish something that could be designed better if given more time. This seems like a flawless plan but I could see bureaucracy becoming an issue as the two teams negotiate compromises in certain systems and try to implement short-term fixes that will most likely affect the long-term product.

  9. I agree that the main factors that need to be considered are both cost and time (downtime and implementation time). These factors will greatly impact all stakeholders involved. Often times, time is sacrificed for cost (or vice versa). In this situation, I think that this trade off needs to be carefully monitored to ensure that neither is sacrificed too greatly.

    I agree that academic research provides a promising venue for solutions. However, I have two concerns with this. First, it could take a significant amount of time to learn the intricacies of the systems in place, conduct research, and present findings. Perhaps this is more suitable for finding a long term solution. Second, in order for innovative and effective solutions to be found, the researchers will need to know a lot about the systems currently in place. As Josh said previously, so many people with access to sensitive information could prove to be a security risk.

    I think that the idea to pursue both a long term and short term solution is a good one. This will help remedy the immediate threat, while providing a stable system for the future. If this approach is to be used, a high level of communication will need to be used between the "short term" and "long term" teams; what the "short term" team works on could greatly impact the actions of the "long term" team.

  10. Before a more specific course of action can be decided on it will be necessary to learn more about the nature of the attacks on the SCADA systems. Design teams will have to sit down with security specialists to determine who will make attacks on the SCADA software (terrorists, dissenters, bored teenagers, etc?) and what type of attacks are most likely to occur. An analysis of potential attacks will allow computer scientists in academia and industry to search for and discuss potential fixes. Using these analysis techniques will require a broad focus: the design decisions of the team cannot become too fixated on a certain element of security, leaving the system vulnerable to different types of attacks by different individuals.

    To save development time in the early phases of implementation and design it will be necessary to consider preexisting security protocols and techniques. Reusing preexisting designs will allow developers to work with known technologies and ensure that encryption and security algorithms meet industry standards. Existing systems will be well documented and therefore a complete integration into existing systems will be possible at early stages of development. The downside of code reuse is strength of security: existing protocols may have known weaknesses and hackers have had many more opportunities to probe the system for security flaws. As such the program should move towards the design and implementation of new security protocols and features in later phases of development.

    The physical configuration of the system could have serious security implications that have not yet been discussed in this thread. Wherever possible wireless communications, which allow interception of packets, should be avoided. System wiring should be located in secure routing channels to prevent tapping. Computing hardware should be consolidated and isolated, preferably in locked cabinets within locked rooms; end users should have very limited (if any) access to the machines. Particularly critical features should be protected by trusted security personnel.

    The major weakness of the two threaded design approach I proposed in the last post is inefficiency due to bureaucracy and committee. Unfortunately this problem cannot be completely circumvented as there will always be varying viewpoints on how to achieve an optimum solution; a rigorous process of concept selection is necessary to control progress on a problem. There are, however, ways to improve cooperation between teams while avoiding getting mired in debate and red tape. I would first propose that a short term exploratory committee containing members from a variety of specializations is formed to organize both solutions and personnel. Such a committee could provide the development process with a unified goal and an effective structure. When the work of this committee is complete the two threads of personnel discussed in the previous post could be formed. In addition to these two threads I would suggest the addition of a third group of individuals forming an executive committee. This committee, made up of individuals from both the short-term and long-term development groups as well as individuals not associated with either group, would ensure that the goals, development methods, software architectures, and ideas are consistent between development teams. Frequent meetings of this executive committee would focus design and provide a forum for discussing the progress of the project.

  11. Taking a diversified approach to this problem will be critical. It is unlikely that any one solution presented will effectively eliminate the security vulnerabilities in the Power Grid control software. Diversified teams of professionals should be available for consultation at all phases of design. Experts in both computer hardware and software security will be especially critical in reducing vulnerabilities in the existing system and implementing new solutions. Mathematicians will be required to develop and review encryption algorithms. Software architects will be required to ensure that security features can fit into software models and software engineers will be required to implement software solutions. Security personnel will be necessary to review the physical protection of the system and make personnel decisions. All told a wide array of skills will be necessary: this problem cannot be solved by an individual.

    The most immediate task is identifying vulnerabilities in the current software and hardware system and finding effective, unique solutions to reduce these vulnerabilities and prevent more weaknesses that can be exploited. As such most of the personnel required at the start of the project will need to analyze the existing system: this will require a combination of individuals who worked on the original system and understand its complexities and new individuals who can approach the system with a fresh perspective.

    Administrators should begin pursuing additional funds and determining what levels of funding will be available. As cost is a major concern a well defined budget will be necessary. It is an unfortunate reality that the project may not gather enough funds to complete all of the required upgrades and rebuilds. The project's executive committee should be tasked with deciding which systems will provide the most benefit for the least cost: this will be a difficult task as cutting corners in one area could result in major security flaws that could affect the entire system.
