Cyber attack exercise reveals power-grid vulnerability

program passwords, industry experts say. Weiss and others hypothesize that multiple, simultaneous cyber-attacks on key electric facilities could knock out power to a large geographic area for months, harming the nation’s economy. “For about $5 million and between three to five years of preparation, an organization, whether it be transnational terrorist groups or nation states, could mount a strategic attack against the United States,” said Sami Saydjari of the Washington, D.C.-based nonprofit Professionals for Cyber Defense. Economist Scott Borg, cirector and chief economist of the U.S. Cyber Consequences Unit and the official in charge of producing security-related data for the federal government, projects that if a third of the country lost power for three months, the economic price tag would be $700 billion. “It’s equivalent to 40 to 50 large hurricanes striking all at once,” Borg said. “It’s greater economic damage than any modern economy ever suffered…. It’s greater then the Great Depression. It’s greater than the damage we did with strategic bombing on Germany in World War II.”

Computer experts have long warned of the vulnerability of cyber attacks, and many say the government is not devoting enough money or attention to the matter. “We need to get on it, and get on it quickly,” said former CIA Director James Woolsey. Woolsey, along with other prominent computer and security experts, signed a 2002 letter to President Bush urging a massive cyber-defense program. “Fast and resolute mitigating action is needed to avoid a national disaster,” the letter said. Five years later, however, there is no such program. Federal spending on electronic security is projected to increase slightly in the coming fiscal year, but spending by DHS is projected to decrease to less than $100 million, with only $12 million spent to secure power control systems. Despite all the warnings and worry, there has not been any publicly known successful cyber-attack against a power plant’s control system. Electric utilities have paid more attention to electronic risks than many other industries, adopting voluntary cyber-standards. “Of all our industries, there are only a couple — perhaps banking and finance and telecommunications — that have better cyber-security or better security in general then electric power,” Borg said. DHS notes that it uncovered the vulnerability discovered in March, and is taking steps with industry to address it. Borg notes that industry will have to remain forever vigilant at protecting control systems. “It will always be an ongoing problem. It’s something we will have to be dealing with [for] lots of years to come,” he said.