ByJames Rogers, Staff Reporter , On Friday July 15, 2011, 10:29 am EDT
NEW YORK (TheStreet) — Power cut to businesses and hospitals. The inability to heat homes in winter or cool them in summer. Debilitating blackouts. Signs of Armageddon? Maybe. But they’re also the potential results of a incapacitating cyber-attack on the nation’s power grids, an act that experts say could happen at any time.
“The U.S. government and the American people should be more concerned about this,” Rep. Jim Langevin (D., R.I), co-chair of the congressional cyber-security caucus, told TheStreet. “I don’t feel that the electric grid is nearly as secure as it needs to be.”
Despite new attempts to deliver cyber-security standards for power plants, legislators and security experts are warning of gaping holes that exist for hackers to exploit, further fueling concerns that critical U.S. infrastructures are at risk.
Langevin explained that a successful assault on the electric grid would dwarf recent attacks on corporations like Sony, Lockheed Martin and Sega, which resulted in compromised customer data, among other things.
Langevin says the the nightmare scenario resulting from parts of the grid knocked out could be devastating and wide-reaching. “It would affect the economy, and potentially, even cause loss of life,” he said. “Imagine, god forbid, that part of the country was without power in the middle of winter.”
“There’s absolutely nothing theoretical about the power grid being vulnerable,” added Joe Weiss, managing director of consultancy Applied Control Solutions. “This is not hypothetical — it’s very real.”
Rather than one single power system, a spiderweb of multiple networks comprises the U.S. electrical grid, which encompasses somewhere around 500 different companies. That’s about 5,700 power plants generating at least 1 megawatt, according to the U.S. Energy Information Administration, with some plants using more than one generator.
Experts are concerned that the computer systems used to control plants across this sprawling network are prime targets for a sophisticated cyber-attack. A few years ago, the Department of Homeland Security replicated this type of attack, remotely accessing and destroying a generator. Specific details of the so-called Aurora test are hard to come by, but it allegedly involved a substation computer system, which was used to repeatedly connect and disconnect a generator to the grid. The test eventually wrecked the generator.
Another infecting type of attack to worry about is a worm, or self-replicating malware. Weiss points to Stuxnet, a Microsoft Windows worm that last year targeted industrial software and equipment, most notably within Iran’s nuclear program.
“Stuxnet was a very sophisticated, targeted attack,” said Weiss, adding that his concern is now for what he calls the “son of Stuxnet.” A massively complex set of code, Stuxnet has been touted as the first malware to attack industrial hardware, exploiting vulnerabilities in Windows. According to security specialist Symantec, the attack then modified code on control system technology from Siemens, leading to the destruction of centrifuges — equipment that spins objects around a fixed axis — used in Iran’s nuclear program.
Experts are also warning that the new breed of smart, highly-automated energy grids (clean energy-espousing “smart grids”) could open the door to attackers, citing the growing use of remote access technologies such as Bluetooth within power plants. “It makes the grid more vulnerable, there’s more points of attack,” said Weiss.
Attempts to Protect Us
The North American Electric Reliability Corporation (NERC), an industry standards body that aims to keep the country’s power systems up and running, proposes standards for approval by the Federal Energy Regulatory Commission (FERC), which it is then largely responsible for enforcing.
In an attempt to plug the power grid attack gap, NERC proposed a set of Critical Infrastructure Protection (CIP) standards to federal regulators earlier this year. The suggested solution covers areas like physical security, systems management, incident reporting and recovery plans. Who exactly will be covered by these standards, however, is controversial.
NERC’s proposal to FERC calls for only power plants with a generating capacity above 1,500 megawatts to be covered by the cyber-security standards. NERC itself admits that this would cover just 29% of America’s power generator capacity.
(By way of comparison, 1 megawatt is enough energy to power 1,000 average homes, according to Con Edison, which expects a peak demand 13,275 megawatts in its service area this summer.)
“This means that 70% of the power plants will not even be looking at cyber security,” said Weiss. “NERC has effectively put out a roadmap for hackers to attack the grid.”
Rep. Langevin also thinks that the grid needs better protection. “I don’t think that that 1,500-megawatt standard is sufficient,” he said. However, “it’s a small step in the right direction.”
“As a citizen, I would be happier if a clear majority of the power my society relies on was secured from at least opportunistic cyber-attacks,” added Andrew Ginter, industrial security director at Waterfall Security Solutions in a recent blog post. “The new … rule will not bring this about.”
The Commission, however, has questioned NERC on the 1,500-megawatt threshold, asking for more details in a filing earlier this year. In its response, NERC acknowledged that the proposal “does not capture all assets in North America,” but maintained that this is still a “significant step” toward better security.
In a blog post last week, Weiss also argued that the number of facilities covered could be less than the 29% cited by NERC. Alluding to a recent survey of NERC’s membership, Weiss said that, out of just under 11,000 power generating units, around 600 would be classified as “critical assets” that require cyber-security protection.
FERC declined to provide comment for this story, explaining that it is unable to discuss pending proposals. NERC has not yet responded to TheStreet’s request for comment.
Ginter nonetheless acknowledges that the new standards are “much better than nothing” noting that, without regulation, many utilities would do little to secure their power station control systems. The NERC CIP standards, he adds, are designed to catch the stragglers — companies that don’t have any procedures in place.
Some firms are taking grid security into their own hands. San Francisco-based Pacific Gas and Electric Company, a subsidiary of PG&E Corp., recently hired a former Sears Holdings security executive to serve as the company’s CIO. And The Southern Company, an Atlanta-based utility with more than 42,000 megawatts of generating capacity, has even hired hackers to identify vulnerabilities.
Uncovering the Disruptors
Opinions are divided on who could attack the power grid.
Many experts think that the extensive research and technology resources needed would make an enemy nation the likeliest perpetrator. North Korea, for example, was suspected of being behind the major denial of-service attack on the U.S. government in 2009. Additionally, the Wall Street Journal, citing intelligence officials, has reported foreign “cyber-spies” from China, Russia and other countries infiltrating the U.S. energy grid.
Weiss, however, thinks that smaller, less well-resourced groups, could also perpetrate an attack. “We can now go to the Internet and get these exploits without having to be a national lab or a nation state,” he said. “You don’t have to be an Iran or an Al Qaeda or anything else to do this.”
Perhaps highlighting the extent of the threat to critical U.S infrastructure, the Pentagon recently said that it would consider a military response to a major cyber-attack against the U.S.
“The Pentagon wanted to make it clear that we reserve the right to respond with conventional munitions or any other conventional means,” said Harry Raduege, a retired Lieutenant General in the U.S. Air Force, who is now chairman of the Deloitte Center for Cyber Innovation.
Raduege, however, thinks that it is not just the U.S. power grid that’s at risk. “There could be attacks on any of our critical infrastructure like telecoms, financial systems and, transportation and government services,” he told TheStreet. “We have heard about weapons of mass destruction, but cyber terrorism could create a weapon of mass disruption.”
–Written by James Rogers in New York.