The code for the Stuxnet cyber weapon, whose authors remain unidentified publicly and are the subject of intense speculation, was identified by a Russian security firm that found it on a USB flash drive, Assante says. The USB stick was turned over to the Russian firm by a security specialist at another firm who had plugged the stick into a computer and noticed a split-second response that was out of the ordinary.
The specialist didn't shrug off the anomaly, he says. "The reaction wasn't, 'Well, that was odd, and just move on,' which is a typical unaware reaction. ... It's easy to say, 'Well, that didn't work right. Let's just restart the computer.'"
Grid reliability is based on planning to keep the power flowing if a plant suddenly goes offline, a power line is knocked out, or a transformer fails, Assante said. The cyber challenge is different. "Planning engineers are used to saying, 'If this goes away, can the system still operate safely?'
"My point to them was, what happens if it doesn't go away, but this part of your system is being misused" to threaten the system?
Assante said there is still too wide a gap dividing power companies that are serious about raising cyber threat barriers and training people to use them, and other companies whose awareness and preparations are not adequate.
"Some utilities are certainly more progressive. They have more skilled folks on staff, and they've been able to do more to protect their systems. Others have suffered from the challenge of getting technical skills." The Tennessee Valley Authority is an example of a power provider that is setting high standards, he said. "Awareness differs. It's not a simple task," he said. "There's still work to be done."
Reprinted from Climatewire with permission from Environment & Energy Publishing, LLC. www.eenews.net, 202-628-6500