Jack Rosson, Mason Rice, Juan Lopez, David Fass
Overview: Cyber incidents have bridged the divide from data compromise to physical effects. The Stuxnet worm’s physical destruction of Iranian centrifuges and the recent cyber induced Ukrainian power outages provide evidence that attitudes must transition from “what if?” to “when will cyber attacks result in physical damage in the power sector?” The Department of Homeland Security’s (DHS) most recent fiscal year’s Strategic Plan emphasizes this shift in focus by highlighting cyber security of critical infrastructure as a top priority of their cyber mission. The power industry’s viability, as the foundation of all other critical infrastructure’s functional capability, is crucial to the national security and well-being of the United States. However, the ownership of the power enterprise remains largely private, presenting regulatory and practical challenges in implementing effective security measures across the industry. To date, the primary concern of critical infrastructure (CI) operators is to ensure system availability and reliability, while the security of their control systems is considered a secondary objective. The conflict between availability and security is understandable, given that security often complicates operations. However, as more control systems are retrofitted for remote management or internetworked with enterprise business systems, they become exposed and vulnerable to cyber threats not foreseen when initially developed. Convincing CI asset owners to further strain budgets by investing in security that may or may not prevent damage is a hard sell. It is difficult to balance availability and reliability with security, and this, combined with the burgeoning costs of cyber risk management, presents a hurdle for effective cyber-security implementation in industrial control system dominated sectors, especially the power sector.