A previously classified 2007 National Academies report on power grid vulnerabilities that, coincidentally, was declassified mid-November when many Hurricane Sandy victims remained in the dark after widespread power outages, stated that cyberattacks, unlike natural disasters, probably could not cause lengthy blackouts. But that was not true at the time nor is it now.
Five years later, the risk of hackers severely disrupting electricity service is higher, Homeland Security Department officials told Nextgov on Tuesday.
The Oct. 29 superstorm opened the public’s eyes to the potential for societal disorder during prolonged manmade or naturally caused service disruptions.
Concerns about cyber intrusions at electric utilities “stem from a whole new range of threat vectors,” Thad Odderstol, a director for Homeland Security’s Office of Cybersecurity and Communication, said in an interview. “You’ve got control systems that may have an Internet connection.”
The network threats “are evolving and they are increasing -- increasing in sophistication as well,” he added, speaking after a panel discussion hosted by Government Executive Media Group.
The National Academies study had stated “cyberattacks are unlikely to cause extended outages, but if well-coordinated they could magnify the damage of a physical attack.”
The Academies pushed to declassify the report because the institution felt many of the findings remain relevant today, the study’s authors said. In 2007, they wrote that a terrorist attack on the power system executed by knowledgeable adversaries “could deny large regions of the country access to bulk system power for weeks or even months,” which would generate “turmoil, widespread public fear and an image of helplessness that would play directly into the hands of the terrorists.”
Unlike trains or natural gas pipelines, electric power usually cannot simply be sent via another line to customers if there is a disruption at one location, the study stated.
Last week, Federal Communications Commission Chairman Julius Genachowski announced a series of regional, post-Sandy hearings that will probe the resiliency challenges confronting communications networks, including their dependency on electric power. Due to electricity failures and physical damage as much as 25 percent of cellphone sites went down across 10 states during the disaster, FCC reported.
In late October, DHS warned of several new, cheap tools that enable hackers to crash Internet-accessible systems running utility equipment. The 2007 Academies report underscored that “cybersecurity is best when interconnections with the outside world are eliminated.”
Homeland Security’s Industrial Control Systems-Cyber Emergency Response Team stated in an industry alert that many electricity companies still use Internet-facing systems that potential attackers can and are locating through Web searches.
Industry, which owns more than 90 percent of U.S. power grid, according to the Academies report, and the federal government are just beginning to gauge computer security at power facilities nationwide.
In May, the Obama administration released the “Electricity Subsector Cybersecurity Capability Maturity Model,” a 92-page measuring stick that explains the levels of protection organizations should maintain and judges how they stack up against those benchmarks.
“We wanted to understand how secure is the grid,” Samara N. Moore, a critical infrastructure director on the White House national security staff, said during Tuesday’s event.
Conversations among the White House, the Energy and Homeland Security departments, and power companies led to the development of the maturity model.
“The cybersecurity threat is certainly there,” said Mark Engels, director for enterprise technology security and compliance at Dominion Resources Services, a Virginia power company. “There’s been more than a few instances where you’ve had issues targeted at a few utilities,” and while those incidents have not risen to the level of Hurricane Sandy, “that’s not to give the impression that it couldn’t turn into something like that.”
Dominion served on an advisory group that collaborated on the project.
The cyber evaluations are not obligatory and utilities do not have to share their results with the government.
“It’s certainly not mandatory, but I don’t think either side is going to be successful without it,” Engels said during Tuesday’s conference.