RealTime IT News

U.S. Electricity Grid Compromised

Experts have been saying for over a decade that the energy industry needs better infrastructure control and management systems. But change has been slow and now there's a report that the system has been compromised.

"Electricity Grid in U.S. Penetrated By Spies," says a report in The Wall Street Journal today. That much is breaking news, but the ongoing modernization of the U.S. energy industry has been slowed by a dilemma involving tradeoffs between security and efficiency that were first recognized over a decade ago.

The threat is all too real today, as the Journal reports, "Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials."

The news comes as the smart grid is expected to grow as the government's stimulus package allocates funds to its expansion. But it's unlikely that threats to the smart grid will derail its deployment, experts said.

What's the potential damage? We don't know. We don't know whether or not it's possible to create a "Three Mile Island-type incident," said Eric Knight, senior compliance engineer at compliance software company LogRhythm. However, he added, any penetration of the U.S. grid was likely detected by software systems that monitor networks in much the same way as activity monitors protect enterprise IT systems.

"Energy and power supply systems do have vulnerabilities," said Tiffany Jones, Symantec director of public policy and government relations, who served as Deputy Chief of Staff of the President's Critical Infrastructure Protection Board in 2002. "We've seen it in tests and red teaming."

The issue is that many systems were not designed to be connected to the Internet. In addition, they were designed for reliability and efficiency. "Adding security onto these systems can slow things down," she said. "We need more research and development."

The slow development of standards

The federal government and regulatory agencies have been working for years to address the issue, but progress has been slow.

In 2003, Dr. Arden Bement, director of the National Institute of Standards & Technology, was able to point to years of warnings about the grid in his keynote speech to the NSF Workshop on critical infrastructure protection for SCADA & IT. He noted the following warnings: the 1997 report Critical Foundations: Protecting America's Infrastructures prepared by the President's Commission on Critical Infrastructure Protection; the 1998 signing of Presidential Decision Directive 63 calling for a national strategy to protect America's critical infrastructures, particularly its cyber-systems, and creating the Critical Infrastructure Assurance Office; and Executive Order 13231 of October 2001 on Critical Infrastructure Protection in the Information Age.

Bement also referred to "that incident in the Spring of 2001 when hackers broke into computer systems of CAL-ISO, California's primary electric power grid operator and apparently were not discovered for 17 days."

He called for "new or revised standards to address control system security . . . design guidelines and standards to address the need for interoperability, redundancy, and security . . . control system test beds to validate new approaches to security" and concluded, "We need to be able to retrofit the systems we have to provide the necessary level of security -- but without compromising performance and reliability."

Wired's Threat Level blog said that the issue dates back at least as far as June 10, 1999 (in a story published almost exactly a year ago), referring to an incident in which a computer failure prevented control room workers from releasing pressure in a pipeline to prevent its rupture. The resulting flood ignited a river, killing two ten-year-old boys and an 18-year-old man.

"These are the first fatalities from a control-system cyber-event that I can document, and for a fact say that this really occurred," said Joe Weiss, managing partner at Applied Control Solutions.
