U.S. power grid is a big, soft target for cyberattack, MIT study shows

Forget fake Illinois 'hack;' report shows security gaps widening, risk increasing as power nets improve

The "malicious attack from Russian hackers that cracked security on an Illinois water utility and destroyed one of its main pumps turned out to be what Wired called a "comedy of errors" after interviewing the prime suspect for a story that ran last week.

That doesn't mean utilities in the U.S. – especially electrical utilities – are not desperately vulnerable to attack.

The U.S. electrical grid in particular is not only just as vulnerable as it was before the risk of cyberattack became obvious, the negative impact of a real hack keeps rising, according to a two-year study published today by researchers at the MIT Energy Initiative in Massachusetts Institute of Technology Sloan School of Management.

U.S. utilities are building more intelligence into their networks to make power distribution more efficient, but the mesh of regulations and regulators involved is such that their security efforts are incomplete, inadequate and uncoordinated, according to the 268-page study (PDF of full report, or by section), which also examined risks from weather, the impact of federal regulations, rising prices for fossil fuels and competition from sources of renewable energy.

The risk of a Stuxnet-like attack on utilities was dismissed by many security experts after the revelation that reports of a successful attack on the Illinois water utility hack were mistakes, the possibility that it is possible was not.

During the same week investigators were wondering if foreign intelligence services would bother cracking an Illinois water company to ruin a water pump, a hacker known as 'pr0f' posted evidence to Pastebin of having successfully cracked a South Houston water company, whose security was so appallingly bad pr0f complained it hardly qualified as a hack to crack security on the SCADA system that relied on a password only three characters long.

Utility company managers, however, seem more concerned with the cost of fossil fuels and environmental regulations than they are with the risk of cyberattack. Many utility companies are lobbying the Obama administration for more leeway in complying to environmental regulations after complaining that Environmental Protection Agency rules may force them to shut down some coal- and oil-fired plants, according to BusinessWeek.

Attacks on the network are "a greater threat to our reliability" than the cost of adhering to anti-pollution rules, according to the Federal Energy Regulatory Commission's John Norris, also quoted by BusinessWeek.

The utilities aren't pushing for any real solution to that, though they may be the only ones.

No one in charge to enforce rules that are too lax about security anyway

One big problem: there isn't one agency in charge of security regulation for the whole national grid, according to the two leading researchers on the MIT report, John G. Kassakian, provessor of electrical engineering and computer science and Richard Schmalensee, a professor of economics and management.

Right now responsibility for physical and digital security is split between the North American Electric Reliability Corp. (NERC) in Atlanta and the National Institute of Standards and Technology (NIST).

Another big problem: Regulations aren't tight enough to balance the level of actual threat, and may not any time soon, according to the MIT study led by John G. Kassakian, a professor of electrical engineering and computer science, and Richard Schmalensee, a professor of economics and management.

Though NIST and NERC as well as a scrum of other agencies are looking into cybersecurity for utilities, NIST is pushing for the creation of regulations that mirror what are currently considered "best practices" in the industry, rather than rules based on actual risks and data on countering them.

The effort is backed by the Electric Power Research Institute – a consortium of utilities and their representatives – and regulators who want better regulations in place right now even at the cost of making them less effective.

Existing NERC security rules will not be enough to hold off the kind of multifaceted spear phishing and malware-based attacks referred to by government security agencies as Advanced Persistent Threats, according to a presentation NERC Regional Security CoordinatorJim Brenton made (PDF) at the NERC's Grid Security Conference in October.

Brenton, who told attendees during a session he called a "wake-up call" for the industry, encouraged utilities to update intrusion-detection tools, hire digital security operations specialists and switch to continuous security monitoring rather than the paper-based compliance system NERC has required until now.

As part of an ongoing effort to raise security as a priority utilities will take seriously, NERC organized 75 utilities and government agencies into a cybersecurity exercise called GridEx 2011 – its first – Nov. 15-17 to "test and validate existing crisis-response plans and to adjust plans as needed in an exercise setting."

Feds can't tell if utilities are secure

Unfortunately, while NERC can fine utilities up to $1 million per day for failing to comply with security rules, having responsibility for creating and enforcing regulations spread among several agencies makes it difficult to even coordinate enforcement of current rules, let alone develop new ones to cover increasingly serious threats in the future, the MIT report concluded.

The Federal Energy Regulatory Commission currently has no way to monitor industry compliance with current digital security measures, according to a Government Accountability Office report cited by the MIT researchers.

Because each utility company is independent and most are regulated primarily by the states in which they operate and only secondarily by federal agencies, coordinating security efforts among all the players is a logistical nightmare, according to the MIT report, which recommends a single government agency be put in charge.

The Obama administration is pushing to make the Department of Homeland Security responsible, but some members of congress want to consolidate enforcement under the Energy Department and FARC.

On Nov. 7, NERC announced it had lost its chief security officer, Mark Weatherford, who took a job as deputy undersecretary for Cybersecurity for the National Protection and Programs Directorate at DHS.

 Current risks of cyberattack on electric utilities
  • Loss of grid control resulting in complete disruption of electricity supply over a wide area can occur as a result of errors or tampering with data communication among control equipment and central offices.
  • Consumer-level problems ranging from incorrect billing to interruption in electric service can be introduced via smart meter tampering.
  • Commuting disruptions for electric vehicle operators can occur if recharging stations have been modified to incorrectly charge batteries.
  • Data confidentiality breaches, both personal and corporate, can provide information for identity theft, corporate espionage, physical security threats (for example, through knowing which homes are vacant), and terrorist activities (for example, through knowing which power lines are most important in electric distribution).

    Future of the Electric Grid, MIT Energy Initiative, Dec. 5, 2011

Network infrastructure is inadequate, too

The risk of successful cyberattack keeps growing as utilities roll more intelligence out into their power networks – adding monitoring appliances or management sub-stations to keep better track of small sections of the grid, control the flow of power at times of peak usage, for example.

Less well developed but just as surely on the way are plans by utilities to extent power-management intelligence all the way to the homes of consumers to make power-load-balancing more effective and to take into account the possibility some consumers will actually contribute to the grid power generated by wind turbines, solar cells or other alternative power they build themselves, the report said.

Making a power grid as manageable as an IP network would make the whole thing more reliable and efficient, but would also represent a far larger prize for successful hackers, according to the report – like putting more and more eggs in a basket that's already unguarded in a field full of foxes.

Luckily the networks of most utility companies aren't anywhere near ready for that kind of intelligence.

They're too slow, allow too much interference and most only communicate one way.

The economics of a business built mainly on increasingly expensive fossil fuels will drive utilities to develop intelligence and higher-efficiency management more quickly than they would otherwise, however, the report concluded.

That means Americans will get a far more effective and reliable power network during the next decade, as well as another potential source for broadband network connectivity.

However, it makes an already vulnerable part of the critical infrastructure an even bigger target, without any immediate promise of improvements in cybersecurity that will counter the risk – whether that counter comes from improvements in counter-hacking efforts by U.S. law enforcement and intelligence agencies, or from regulations requiring utilities to improve security to the point that they're no longer the soft, succulent target they have been for the past decade, the MIT researchers concluded.

With rapidly expanding connectivity and rapidly evolving threats, making the grid invulnerable to cyber events is impossible, and improving resilience to attacks and reducing the impact of attacks are important…

… For the electric grid in particular, cybersecurity must encompass not only the protection of information but also the security of grid equipment that depends on or is controlled by that information. And its goals must include ensuring the continuous and reliable operation of the electric grid…

…We believe the natural evolution of grid information technologies already points toward such an approach: the development and integration of increasingly rapid and accurate systems control and monitoring technologies should facilitate quicker attack detection—and consequently, shorter response and recovery times. Cyberattack response and recovery measures would be a fruitful area for ongoing research and development in utilities, their vendors, and academia. – Future of the Electric Grid, MIT Energy Initiative, Dec. 5, 2011

To (eventually) make a long story short: U.S. utilities – electric, water and others – are so vulnerable and so insensible to security concerns that using passwords only three characters long doesn't raise a huge stink among companies that largely either refuse to believe there's a target painted on their backs or believe it's too expensive to do anything about it.

So far, that response hasn't led to much effective revamping of security or even much obvious motivation to improve from a bunch of companies that could get Sony'd any day.

Unlike Sony, which had to take its movie and gaming networks offline for weeks after repeated hacks earlier this year, security failures at major utilities will cause immediate problems for customers – problems much more critical than having to go somewhere else to play games for a few days.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies