Electric grid breaches symptomatic of deeper cybersecurity gaps

Observers say networked environment and lax regulation of private sector companies make critical infrastructure particularly difficult to protect.


A Wall Street Journal report about the discovery of malicious software on computers that control the nation's power grid highlights a far more widespread problem, former intelligence officials and other security specialists said on Wednesday.

"Attacks are happening against more than just the power grid -- it's the food system, the transportation system," said Dale Meyerrose, vice president for cyber and information assurance at Melbourne, Fla.-based Harris Corp., and chief information officer for the director of national intelligence during the Bush administration. "Anybody that is looking to have an adverse impact on the U.S. and our economy is looking at all of these things simultaneously."

Sources cited in the Wall Street Journal article claimed computers were penetrated by spies from China, Russia and other countries. This comes more than a year after a CIA official warned the government and utility companies that hackers had targeted power company computers worldwide, causing at least one widespread electricity outage.

Like many other organizations, companies that control the nation's critical infrastructure, including the electric grid, run day-to-day operations in a networked environment that is especially susceptible to cyberattack.

"We're still running legacy Supervisory Control and Data Acquisition systems that were not made to be used in a networking environment," said Howard Schmidt, former White House cybersecurity adviser and chief executive officer of the nonprofit Information Security Forum. "What security is in place on the systems that run the systems? We talk about building interfaces, but that is done with software, which can be vulnerable."

Different federal agencies regulate the industries that control critical infrastructure. In the case of the electric grid, security standards are established by the North American Electric Reliability Corp., an independent organization overseen by the Federal Energy Regulatory Commission. But private sector companies' compliance with regulations is not enforced strongly.

"When I was at [the Homeland Security Department], we were working hard to motivate the owners and operators to invest the resources in technology and training to fix vulnerabilities, but they're still not taking this seriously enough," said Gregory Garcia, who served as assistant secretary of cybersecurity and telecommunications at DHS during the Bush administration and now runs his own information security consulting firm, Garcia Strategies. "There needs to be an aggressive push -- a last push -- to force the private sector to self-regulate. Failing that, there may need to be more required standards."

Alan Paller, director of research at the SANS Institute, said self-regulation doesn't work.

"That was the policy of the last administration," he said. "This [incident] illustrates again that faith-based security is a failed strategy."

Instead, Paller said, government must give NERC more authority to enforce regulations, and force utility companies to implement strict security controls and procure technology to replace legacy systems.

Others said the federal government should provide information and support -- not regulations. Michael Jacobs, who served as information assurance director at the National Security Agency until his retirement in 2002, said while NSA is well-equipped to deal with cybersecurity threats, bureaucratic processes often prevent sharing information with organizations under attack.

"NSA should provide NERC and the companies that run the electric grid with the wherewithal to go in and find and correct this issue, and then work with them to put up perimeter controls to prevent this from happening in the future," Jacobs said. "But [they're] constrained in who they can serve; constrained essentially to the classified world of government."

Meyerrose agreed, saying he often felt his hands were tied when it came to securing cyberspace beyond the intelligence community.

"About 85 percent of the critical infrastructure in our country is in private hands," he said. "Our government needs to figure out how to interface with the companies and individuals that own, control and operate these systems. I'm hoping the Obama administration takes this on."