Experts debate U.S. power grid's vulnerabilities to hackers
Nationwide rolling blackouts could have a devastating impact on the economy, but experts also fear that the stress being placed on the nation's power grid could make it more susceptible to disruptions from hackers.
In California's Silicon Valley, large Internet data centers have been blamed for stressing the region's power grid beyond what its Korean War-era design can handle. Now, other states, including Oregon, Utah and Washington, are preparing for possible rolling blackouts.
"From a cybersecurity perspective, the electric power grids in the West are now more fragile, [and] margins for error are significantly less," said Tim Bass, a longtime information security consultant for the U.S. Air Force and now CEO of The Silk Road Group Ltd., a network security consulting firm in Centerville, Va. "With diminishing margins and power reserves, the probability for cascading catastrophic effects are higher."
The recent power shortages come as the Critical Infrastructure Assurance Office (CIAO) of the U.S. Department of Commerce on Feb. 22 delivered to Congress the first status report on private-sector efforts to bolster cyberdefenses for systems that run critical sectors of the economy. Although progress has been made in improving information sharing, officials acknowledged that they still know very little about how failures in one sector could affect other sectors.
"In the context of broader infrastructure assurance, the scale and complexities of the energy infrastructure and their impact on infrastructure security and reliability are not fully understood," the report states.
The energy industry continues to be the target of Internet-based probes and hacker attacks that seek to exploit known vulnerabilities in off-the-shelf software and systems that are increasingly being used to control and manage the power grid, according to the CIAO report.
Likewise, the sector continues to fall victim to poor personnel security practices, ports and services that are open to the Internet, outdated software without current security patches and improperly configured systems.
"With the system itself teetering on the brink of collapse, it becomes easier for a smaller incident to have a wider impact," said David Thompson, a security analyst at New York-based PricewaterhouseCoopers. "For instance, if someone were to find a way to force the shutdown of a single power plant or a section of the power grid, the results would be much more devastating, since there is not enough reserve capacity to take up the slack."
In addition to the technical risks, analysts said they're also concerned about the publicity generated by the recent crisis in California and the possibility that hackers may try to exploit known vulnerabilities to make a bad situation worse.
"One risk with a situation like this is that it exposes the flaws of the system to public scrutiny," said Thompson. "It shows everyone how vulnerable our economy is to a power disruption. Like it or not, there are people in the world [who] pay attention to such revelations."
"Anytime the visibility of a system is raised, it acts as an attack magnet," said John Pescatore, an analyst at Gartner Group Inc. in Stamford, Conn. Pescatore recommended that companies, particularly utility companies, treat the power crisis as a siggnal to begin stepping up network monitoring and security operations. Although he downplayed the likelihood that a cyberattack could lead to widespread power failures, Pescatore characterized the link between the stress level on the power grid and its vulnerabilities as "like blood in the water to a shark."
"Hackers smell weakness and a chance for their 15 minutes of fame," said Pescatore.
But electric companies have made significant progress in stepping up their security preparedness and have also set up an Information Sharing and Analysis Center to enable system administrators to share information with the FBI's National Infrastructure Protection Center, said Gene Gorzelnik, a spokesman for the North American Electric Reliability Council in Princeton, N.J.
"When a transmission system is stressed, the system operators and security coordinators are operating at a heightened level of alert so they can quickly address and return the transmission system to normal from any situation that may occur," said Gorzelnik. "The electric system can withstand sudden disturbances such as electric short circuits or unanticipated loss of system elements. This was the case decades ago, and it is still true today."