Electric utility operators already have their hands full in achieving compliance with mandatory federal Critical Infrastructure Protection (CIP) standards aimed at cyber security in the electric power industry. But when the use of wireless technologies is thrown into the mix, the problem gets even more complicated. In fact, according to the authors of a recent White Paper on the topic, the CIP standards are not only ambiguous on the use of wireless technologies, but also present potential conflicts with other federal regulations, such as those of the Federal Communications Commission (FCC).

The White Paper, titled “ Wireless System Considerations When Implementing NERC Critical Infrastructure Protection Standards ,” can be found at www.automationworld.com/whitepaper-5312 . NERC stands for North American Electric Reliability Corp., the organization charged with enforcement of the CIP standards. And while the White Paper discusses wireless security concerns specific to CIP and control centers in the electric power industry, many of the wireless issues it raises are applicable to other industries as well, as are the cyber-security “defense-in-depth” strategies that it recommends.

To get an overview of the issues, Automation World spoke recently with three of the Paper’s seven co-authors: Wayne Manges, a program manager at the U.S. Department of Energy’s (DOE) Oak Ridge National Laboratory, in Oak Ridge, Tenn.; Teja Kuruganti, research-and-development staff member, Modeling and Simulation Group, at the same lab; and Tom Flowers, president of Flowers Control Center Solutions, in Todd Mission, Texas, and a control systems consultant who specializes in the energy sector. The Paper’s other four authors hail from the Oak Ridge National Lab or from the Pacific Northwest National Laboratory, in Richland, Wash.

That’s illegal!

The impetus for the paper grew out of the CIP standards requirement that utilities must “monitor and control” all electronic access to their electronic security perimeters. In the world of wired connectivity, there are a variety of tools available for accomplishing this task. But the current tools for monitoring and control of wireless electronic access are unavailable, undeveloped or less capable than those used for wired network systems, and some are even illegal, noted Flowers.

One case in point involves cellular phones, which can pose a particularly troublesome vulnerability in control system environments, the authors said. For instance, said Kuruganti, “Somebody could actually hook up a cell phone to their laptop and use it as a transmitter to haul data from a control center to a long-distance location, so that poses a covert threat.”

In certain cases, then, a utility operator might want to consider jamming a cell phone that was being used for covert activities in or around a control center, Manges suggested. But in the United States, that’s not an option, he observed, because the FCC prohibits cell phone jamming for any purpose. As Flowers put it, “When you’re dealing with wireless technology, things get very fuzzy very quickly, as far as what you’re capable of doing, what you’re allowed to do legally and the overall effectiveness of what you can do.”

It’s not practical for electric utility operators to require employees, vendors and others to check their cell phones, laptop computers and other wireless-enabled devices at the gate when they enter an electric power plant. And even if techniques such as cell phone jamming were legal in the United States, to do so within a control center environment could interfere with the legitimate use of the technology at the facility, Flowers pointed out.

But Flowers added that FCC regulations also prohibit certain kinds of research that might lead to better solutions. “Until some of those regulations are changed or addressed in some form or another, nobody is going to be doing any kind of research on how to be able to control wireless technology in the same way that is common practice for wired technology today, because it’s illegal,” he declared.

Here’s the problem

While the authors believe that federal legislation or changes in the regulatory requirements will ultimately be needed, the White Paper is only a first step, they said. “We’re certainly not going to get any legislation kicked off as a result of this [White Paper],” said Flowers. “But from an awareness standpoint, we felt it would be a step in the right direction to identify the issues—that the use of wireless in a secured, controlled arena is not like wired electronic access. It’s still electronic access, but it’s not the same, and you don’t have the same tools and abilities.”

To be sure, various tools do exist today to help combat wireless ...