June 02, 2010, 9:59 AM — Cyber attacks, pandemics and electromagnetic disturbances are the three top "high impact" risks to the U.S. and Canadian power-generation grids, according to a report from the North American Electric Reliability Corp. (NERC).
"The specific concern with respect to these threats is the targeting of multiple key nodes in the system, if damaged, destroyed or interrupted in a coordinated fashion, could bring the system outside the protection provided by traditional planning and operating criteria," states the report, "High-Impact, Low-Frequency Risk to the North American Bulk Power System."
The contents of the 118-page report are largely the result of closed-door discussions held since November by NERC (which plays a key role in setting security standards for the U.S. power grid),power providers and U.S. government officials.
The report, which calls for better coordination between U.S. power-grid providers and the government, sets the stage for what may be new guidelines and processes required to combat the major threats identified, according to NERC officials.
The threat of a coordinated cyber attack, which might be combined with a physical attack, is considered the first of the top three "high-impact, low-frequency" threats to North American electricity supply, according to the report.
The electric power grid, on a daily basis, endures "hundreds of thousands of probes," said Gerry Cauley, president and CEO of NERC, in a conference call to unveil the report. He noted there has been "suspicious activity around control systems."
But NERC officials declined to confirm or deny past reports that spies have compromised the U.S. power grid with malicious code that would allow intruders to damage or otherwise interfere with safe operation of the grid.
However, the report does say "an intelligent attacker" could "mount an adaptive attack that would manipulate assets," and possibly "provide misleading information to system operators attempting to address the issue."Cyber attacks would impede the grid's operation, but the report suggests few details about possible defensive plans, except that there should be better "forensics tools and network architecture to support graceful degradation," with an "eye toward designing for survivability."
The report says: "Components and system design criteria should also be re-evaluated with respect to these threats and an eye toward designing for survivability. Prioritization of key assets for protection will be a critical component of a successful mitigation approach."