Aliya Sternstein | Nextgov | November 27, 2012 | 0 Comments

Power grid hackers are of greater concern than influential report indicates, DHS official says

Ed Metz/Shutterstock.com

A previously classified 2007 National Academies report  on power grid vulnerabilities that, coincidentally, was declassified mid-November when many Hurricane Sandy victims remained in the dark after widespread power outages, stated that cyberattacks, unlike natural disasters, probably could not cause lengthy blackouts. But that was not true at the time nor is it now.   

Five years later, the risk of hackers severely disrupting electricity service is higher, Homeland Security Department officials told Nextgov on Tuesday.

The Oct. 29 superstorm opened the public’s eyes to the potential for societal disorder during prolonged manmade or naturally caused service disruptions.

Concerns about cyber intrusions at electric utilities “stem from a whole new range of threat vectors,” Thad Odderstol, a director for Homeland Security’s Office of Cybersecurity and Communication, said in an interview. “You’ve got control systems that may have an Internet connection.”

The network threats “are evolving and they are increasing -- increasing in sophistication as well,” he added, speaking after a panel discussion hosted by Government Executive Media Group.

The National Academies study had stated “cyberattacks are unlikely to cause extended outages, but if well-coordinated they could magnify the damage of a physical attack.”

The Academies pushed to declassify the report because the institution felt many of the findings remain relevant today, the study’s authors said. In 2007, they wrote that a terrorist attack on the power system executed by knowledgeable adversaries “could deny large regions of the country access to bulk system power for weeks or even months,” which would generate “turmoil, widespread public fear and an image of helplessness that would play directly into the hands of the terrorists.”

Unlike trains or natural gas pipelines, electric power usually cannot simply be sent via another line to customers if there is a disruption at one location, the study stated.

Last week, Federal Communications Commission Chairman Julius Genachowski announced a series of regional, post-Sandy hearings that will probe the resiliency challenges confronting communications networks, including their dependency on electric power. Due to electricity failures and physical damage as much as 25 percent of cellphone sites went down across 10 states during the disaster, FCC reported.

In late October, DHS warned of several new, cheap tools that enable hackers to crash Internet-accessible systems running utility equipment. The 2007 Academies report underscored that “cybersecurity is best when interconnections with the outside world are eliminated.”

Homeland Security’s Industrial Control Systems-Cyber Emergency Response Team stated in an industry alert that many electricity companies still use Internet-facing systems that potential attackers can and are locating through Web searches.

Industry, which owns more than 90 percent of U.S. power grid, according to the Academies report, and the federal government are just beginning to gauge computer security at power facilities nationwide.

In May, the Obama administration released the “Electricity Subsector Cybersecurity Capability Maturity Model,” a 92-page measuring stick that explains the levels of protection organizations should maintain and judges how they stack up against those benchmarks.

“We wanted to understand how secure is the grid,” Samara N. Moore, a critical infrastructure director on the White House national security staff, said during Tuesday’s event.

Conversations among the White House, the Energy and Homeland Security departments, and power companies led to the development of the maturity model.

“The cybersecurity threat is certainly there,” said Mark Engels, director for enterprise technology security and compliance at Dominion Resources Services, a Virginia power company. “There’s been more than a few instances where you’ve had issues targeted at a few utilities,” and while those incidents have not risen to the level of Hurricane Sandy, “that’s not to give the impression that it couldn’t turn into something like that.”

Dominion served on an advisory group that collaborated on the project.

The cyber evaluations are not obligatory and utilities do not have to share their results with the government.

“It’s certainly not mandatory, but I don’t think either side is going to be successful without it,” Engels said during Tuesday’s conference.

(Image via Ed Metz/Shutterstock.com)

Comments
JOIN THE DISCUSSION

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

    Download
  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download

When you download a report, your information may be shared with the underwriters of that document.