Aliya Sternstein | Nextgov | November 27, 2012 | 0 Comments

Power grid hackers are of greater concern than influential report indicates, DHS official says

Ed Metz/

A previously classified 2007 National Academies report  on power grid vulnerabilities that, coincidentally, was declassified mid-November when many Hurricane Sandy victims remained in the dark after widespread power outages, stated that cyberattacks, unlike natural disasters, probably could not cause lengthy blackouts. But that was not true at the time nor is it now.   

Five years later, the risk of hackers severely disrupting electricity service is higher, Homeland Security Department officials told Nextgov on Tuesday.

The Oct. 29 superstorm opened the public’s eyes to the potential for societal disorder during prolonged manmade or naturally caused service disruptions.

Concerns about cyber intrusions at electric utilities “stem from a whole new range of threat vectors,” Thad Odderstol, a director for Homeland Security’s Office of Cybersecurity and Communication, said in an interview. “You’ve got control systems that may have an Internet connection.”

The network threats “are evolving and they are increasing -- increasing in sophistication as well,” he added, speaking after a panel discussion hosted by Government Executive Media Group.

The National Academies study had stated “cyberattacks are unlikely to cause extended outages, but if well-coordinated they could magnify the damage of a physical attack.”

The Academies pushed to declassify the report because the institution felt many of the findings remain relevant today, the study’s authors said. In 2007, they wrote that a terrorist attack on the power system executed by knowledgeable adversaries “could deny large regions of the country access to bulk system power for weeks or even months,” which would generate “turmoil, widespread public fear and an image of helplessness that would play directly into the hands of the terrorists.”

Unlike trains or natural gas pipelines, electric power usually cannot simply be sent via another line to customers if there is a disruption at one location, the study stated.

Last week, Federal Communications Commission Chairman Julius Genachowski announced a series of regional, post-Sandy hearings that will probe the resiliency challenges confronting communications networks, including their dependency on electric power. Due to electricity failures and physical damage as much as 25 percent of cellphone sites went down across 10 states during the disaster, FCC reported.

In late October, DHS warned of several new, cheap tools that enable hackers to crash Internet-accessible systems running utility equipment. The 2007 Academies report underscored that “cybersecurity is best when interconnections with the outside world are eliminated.”

Homeland Security’s Industrial Control Systems-Cyber Emergency Response Team stated in an industry alert that many electricity companies still use Internet-facing systems that potential attackers can and are locating through Web searches.

Industry, which owns more than 90 percent of U.S. power grid, according to the Academies report, and the federal government are just beginning to gauge computer security at power facilities nationwide.

In May, the Obama administration released the “Electricity Subsector Cybersecurity Capability Maturity Model,” a 92-page measuring stick that explains the levels of protection organizations should maintain and judges how they stack up against those benchmarks.

“We wanted to understand how secure is the grid,” Samara N. Moore, a critical infrastructure director on the White House national security staff, said during Tuesday’s event.

Conversations among the White House, the Energy and Homeland Security departments, and power companies led to the development of the maturity model.

“The cybersecurity threat is certainly there,” said Mark Engels, director for enterprise technology security and compliance at Dominion Resources Services, a Virginia power company. “There’s been more than a few instances where you’ve had issues targeted at a few utilities,” and while those incidents have not risen to the level of Hurricane Sandy, “that’s not to give the impression that it couldn’t turn into something like that.”

Dominion served on an advisory group that collaborated on the project.

The cyber evaluations are not obligatory and utilities do not have to share their results with the government.

“It’s certainly not mandatory, but I don’t think either side is going to be successful without it,” Engels said during Tuesday’s conference.

(Image via Ed Metz/


Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.