recommended reading

Power grid hackers are of greater concern than influential report indicates, DHS official says

Ed Metz/Shutterstock.com

A previously classified 2007 National Academies report  on power grid vulnerabilities that, coincidentally, was declassified mid-November when many Hurricane Sandy victims remained in the dark after widespread power outages, stated that cyberattacks, unlike natural disasters, probably could not cause lengthy blackouts. But that was not true at the time nor is it now.   

Five years later, the risk of hackers severely disrupting electricity service is higher, Homeland Security Department officials told Nextgov on Tuesday.

The Oct. 29 superstorm opened the public’s eyes to the potential for societal disorder during prolonged manmade or naturally caused service disruptions.

Concerns about cyber intrusions at electric utilities “stem from a whole new range of threat vectors,” Thad Odderstol, a director for Homeland Security’s Office of Cybersecurity and Communication, said in an interview. “You’ve got control systems that may have an Internet connection.”

The network threats “are evolving and they are increasing -- increasing in sophistication as well,” he added, speaking after a panel discussion hosted by Government Executive Media Group.

The National Academies study had stated “cyberattacks are unlikely to cause extended outages, but if well-coordinated they could magnify the damage of a physical attack.”

The Academies pushed to declassify the report because the institution felt many of the findings remain relevant today, the study’s authors said. In 2007, they wrote that a terrorist attack on the power system executed by knowledgeable adversaries “could deny large regions of the country access to bulk system power for weeks or even months,” which would generate “turmoil, widespread public fear and an image of helplessness that would play directly into the hands of the terrorists.”

Unlike trains or natural gas pipelines, electric power usually cannot simply be sent via another line to customers if there is a disruption at one location, the study stated.

Last week, Federal Communications Commission Chairman Julius Genachowski announced a series of regional, post-Sandy hearings that will probe the resiliency challenges confronting communications networks, including their dependency on electric power. Due to electricity failures and physical damage as much as 25 percent of cellphone sites went down across 10 states during the disaster, FCC reported.

In late October, DHS warned of several new, cheap tools that enable hackers to crash Internet-accessible systems running utility equipment. The 2007 Academies report underscored that “cybersecurity is best when interconnections with the outside world are eliminated.”

Homeland Security’s Industrial Control Systems-Cyber Emergency Response Team stated in an industry alert that many electricity companies still use Internet-facing systems that potential attackers can and are locating through Web searches.

Industry, which owns more than 90 percent of U.S. power grid, according to the Academies report, and the federal government are just beginning to gauge computer security at power facilities nationwide.

In May, the Obama administration released the “Electricity Subsector Cybersecurity Capability Maturity Model,” a 92-page measuring stick that explains the levels of protection organizations should maintain and judges how they stack up against those benchmarks.

“We wanted to understand how secure is the grid,” Samara N. Moore, a critical infrastructure director on the White House national security staff, said during Tuesday’s event.

Conversations among the White House, the Energy and Homeland Security departments, and power companies led to the development of the maturity model.

“The cybersecurity threat is certainly there,” said Mark Engels, director for enterprise technology security and compliance at Dominion Resources Services, a Virginia power company. “There’s been more than a few instances where you’ve had issues targeted at a few utilities,” and while those incidents have not risen to the level of Hurricane Sandy, “that’s not to give the impression that it couldn’t turn into something like that.”

Dominion served on an advisory group that collaborated on the project.

The cyber evaluations are not obligatory and utilities do not have to share their results with the government.

“It’s certainly not mandatory, but I don’t think either side is going to be successful without it,” Engels said during Tuesday’s conference.

(Image via Ed Metz/Shutterstock.com)

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    Download
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download

When you download a report, your information may be shared with the underwriters of that document.