Power grid hackers are of greater concern than influential report indicates, DHS official says

Ed Metz/Shutterstock.com

Authors of the 2007 National Academies study pushed to declassify the paper this month because utilities remain a terrorist target.

A previously classified 2007 National Academies report  on power grid vulnerabilities that, coincidentally, was declassified mid-November when many Hurricane Sandy victims remained in the dark after widespread power outages, stated that cyberattacks, unlike natural disasters, probably could not cause lengthy blackouts. But that was not true at the time nor is it now.   

Five years later, the risk of hackers severely disrupting electricity service is higher, Homeland Security Department officials told Nextgov on Tuesday.

The Oct. 29 superstorm opened the public’s eyes to the potential for societal disorder during prolonged manmade or naturally caused service disruptions.

Concerns about cyber intrusions at electric utilities “stem from a whole new range of threat vectors,” Thad Odderstol, a director for Homeland Security’s Office of Cybersecurity and Communication, said in an interview. “You’ve got control systems that may have an Internet connection.”

The network threats “are evolving and they are increasing -- increasing in sophistication as well,” he added, speaking after a panel discussion hosted by Government Executive Media Group.

The National Academies study had stated “cyberattacks are unlikely to cause extended outages, but if well-coordinated they could magnify the damage of a physical attack.”

The Academies pushed to declassify the report because the institution felt many of the findings remain relevant today, the study’s authors said. In 2007, they wrote that a terrorist attack on the power system executed by knowledgeable adversaries “could deny large regions of the country access to bulk system power for weeks or even months,” which would generate “turmoil, widespread public fear and an image of helplessness that would play directly into the hands of the terrorists.”

Unlike trains or natural gas pipelines, electric power usually cannot simply be sent via another line to customers if there is a disruption at one location, the study stated.

Last week, Federal Communications Commission Chairman Julius Genachowski announced a series of regional, post-Sandy hearings that will probe the resiliency challenges confronting communications networks, including their dependency on electric power. Due to electricity failures and physical damage as much as 25 percent of cellphone sites went down across 10 states during the disaster, FCC reported.

In late October, DHS warned of several new, cheap tools that enable hackers to crash Internet-accessible systems running utility equipment. The 2007 Academies report underscored that “cybersecurity is best when interconnections with the outside world are eliminated.”

Homeland Security’s Industrial Control Systems-Cyber Emergency Response Team stated in an industry alert that many electricity companies still use Internet-facing systems that potential attackers can and are locating through Web searches.

Industry, which owns more than 90 percent of U.S. power grid, according to the Academies report, and the federal government are just beginning to gauge computer security at power facilities nationwide.

In May, the Obama administration released the “Electricity Subsector Cybersecurity Capability Maturity Model,” a 92-page measuring stick that explains the levels of protection organizations should maintain and judges how they stack up against those benchmarks.

“We wanted to understand how secure is the grid,” Samara N. Moore, a critical infrastructure director on the White House national security staff, said during Tuesday’s event.

Conversations among the White House, the Energy and Homeland Security departments, and power companies led to the development of the maturity model.

“The cybersecurity threat is certainly there,” said Mark Engels, director for enterprise technology security and compliance at Dominion Resources Services, a Virginia power company. “There’s been more than a few instances where you’ve had issues targeted at a few utilities,” and while those incidents have not risen to the level of Hurricane Sandy, “that’s not to give the impression that it couldn’t turn into something like that.”

Dominion served on an advisory group that collaborated on the project.

The cyber evaluations are not obligatory and utilities do not have to share their results with the government.

“It’s certainly not mandatory, but I don’t think either side is going to be successful without it,” Engels said during Tuesday’s conference.

(Image via Ed Metz/Shutterstock.com)

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.