Feds offer $20M for critical energy network cybersecurity tools

US Department of Energy wants more advanced tools to secure energy supply

Source: www.networkworld.com, 11.02.13

the DOE faces in securing the nation's energy supplies. From the report:

  • Limited knowledge, training, understanding, and appreciation of energy delivery systems security risks inhibits security actions within the energy sector. There is also an incomplete understanding of the cost of decisions and system resilience in terms of failure modes and vulnerabilities. Current risk assessment capabilities fall short of determining the effects of each cost decision on system resilience in terms of failure modes and vulnerabilities.
  • While standards have helped to raise security to a baseline level across the energy sector, some standards remain unclear or too broad, or may have prompted utilities to use less advanced security measures to meet requirements. In addition, a rapidly changing risk environment means standards compliance today may not be sufficient tomorrow.
  • Improving security comes at a cost, and demonstrating direct line benefits to an energy organization is difficult. Without the occurrence of a catastrophic cyber incident or a strong business case, public and private partners will continue to have limited time and/or resources to invest in partnership efforts.
  • The increasing sophistication of cyber intrusion tools and complexity of energy delivery systems makes it difficult for asset owners and operators to recognize an incident once it is under way. The use of automated intrusion detection systems and applications has the potential to introduce serious operational issues.
  • Executives, the public, and even organizations within the utility still lack a full understanding of energy delivery system vulnerabilities and the potential consequences of an incident. The limited exchange of threat and incident information prevents the sector from compiling the evidence it needs to build a compelling business case to increase private investment in energy delivery systems security. Credible, actionable, and timely information is also essential to ensuring that the energy sector can adequately mitigate energy delivery system vulnerabilities before adversaries can exploit them.
  • Belief that security standard compliance is sufficient for cybersecurity of energy delivery systems inhibits adoption of additional security measures
  • Secure coding practices are not uniformly enforced
  • Incomplete understanding of the cost of decisions and system resilience in terms of failure modes and vulnerabilities
  • Patching/fixing vulnerabilities in energy delivery systems can create new cyber risks.

Many major challenges, which inevitably raise the question of whether new approaches are needed here.