Security experts worry that the more connected our electric utilities are to the Web, the more vulnerable they’ll be to cyberattack.
Foreign hackers don't just pose a threat to classified material, corporate secrets, and individual privacy. Security experts say the greatest cyberthreat to the United States is the fact that the Chinese and Russian governments—and possibly other players—have succeeded in hacking into the nation's electric grid, giving them the ability, if they wish, to bring the U.S. economy to a screeching halt with the click of a mouse.
Such an attack—executed not by gun-wielding terrorists on planes but by hackers activating software programs from thousands of miles away—could "deny large regions of the country access to bulk-system power for weeks or even months," concluded a National Academies of Science study declassified late last year. "An event of this magnitude and duration could lead to turmoil, widespread public fear, and an image of helplessness that would play directly into the hands of the terrorists. If such large extended outages were to occur during times of extreme weather, they could also result in hundreds or even thousands of deaths due to heat stress or extended exposure to extreme cold."
And the cyberthreat is growing as U.S. utilities seek to modernize aging electric infrastructure. When power companies invest in updating the 20th-century power grid with 21st-century "smart-grid" technology—particularly digital tools that increase the efficiency of electricity distribution while cutting global-warming pollution—they're also making the grid more vulnerable to devastating cyberattacks.
"The modernization of electric utilities nationwide has left security loopholes that can be fairly easily exploited by hackers. It's created more efficiencies for utilities and convenience for consumers. But it's come at the expense of security," said Michael Dubose, managing director at Kroll, a risk-management firm, and a former chief of the Justice Department's Computer Crime and Intellectual Property Division.
"A few years ago, the grid was routinely being hacked by the Chinese and Russians.... They mapped the lay of the land, and now we have to assume they're inside the firewall," Dubose said.
Government officials say there's plenty of evidence that hackers have made their way into the 200,000 miles of transmission lines that provide electricity to more than 300 million people. In May, the Homeland Security Department told a House panel that between 2011 and 2012, DHS processed 68 percent more cyber incidents involving federal agencies critical infrastructure, including the electric grid, than it had the previous year.
And power companies are making it easier for hackers with the advent of the so-called smart grid. Experts say that the more the electric grid is integrated with the Internet, the easier it is for hackers to break in. President Obama has championed smart-grid technology as a way to address global warming. His 2009 stimulus law included $4.5 billion to increase smart-grid investment.
On Wednesday, the State Department announced a U.S.-China partnership in promoting smart-grid development—in both countries—to help reduce carbon pollution from power plants. That's good news for global warming, but potentially bad news for cybersecurity. "If your primary focus is reducing vulnerability, then a smart grid doesn't seem like a very good idea," said Adam Segal, an expert in China studies and cybersecurity at the Council on Foreign Relations.
Segal said that for now, the fact that hackers likely possess the capability to take down the U.S. grid doesn't mean they'll act. Bringing down major infrastructure is tougher than simply snooping on e-mails, he said, and it appears that only a few state actors—China, Russia, and the U.S.—have that capability. "It's hard to imagine a scenario where the Russians or the Chinese would turn off our grid for no reason," Segal said. "I suspect the Chinese have mapped these grids in case there's an escalation that spins out of control and they want to send a message that the U.S. is vulnerable." But, he added, "the Iranians are spending more on cyber [warfare], and al-Qaida has expressed an interest—we know this is something terrorists are interested in."
The threat of a terrorist attack even inspired the plot of a thriller novel. Retired Sen. Byron Dorgan of North Dakota has just released Gridlock, in which the Iranian and Venezuelan governments team up to attack the U.S. electric grid, leading to rolling blackouts that shut down 14 major U.S. cities. "This is fiction, but the threat to our electric grid system—it could happen," Dorgan, a former member of the Energy Committee, told National Journal.
Dorgan and other policymakers lament the lack of coordination among the entities that manage the electric grid. Electricity transmission is overseen by a patchwork of federal, state, and local agencies; public and private electric utilities; and regional managers. "We need leadership on this," Dorgan said. "There's no one running the signals."
In February, President Obama signed an executive order requiring government agencies to re-evaluate and improve their oversight of cybersecurity risks. But the order didn't provide agencies with additional statuatory authority to address cyber risks—that authority can only be granted through an act of Congress.
This spring, the House passed a cybersecurity bill aimed at reducing the vulnerability of the grid, in part by requiring electric utilities to share more information with the federal government. But the bill's backers say that, for now, its prospects of Senate passage are nil: In the wake of former National Security Agency contractor Edward Snowden's leaks about the U.S. government's surveillance of civilians, there's no chance the upper chamber will take up a bill that would result in private companies turning over customer information to the government.
"We need close coordination between the government and the private sector on this. We need the government's intelligence-gathering ability, and they need our electric-utility operations expertise," said Scott Aaronsen, director of national security at the Edison Electric Institute, a trade association representing privately owned electric utilities. "I lament that … the NSA saga is hampering that," he said. "It now means there's greater mistrust of government and corporations sharing information." And continued vulnerability to an attack.