Hackers of U.S. electrical grid left behind "sleeper" software programs

official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage (see story elsewhere in today’s issue). Overseas examples show the potential havoc.

  • In 2000 a disgruntled employee rigged a computerized control system at a water-treatment plant in Australia, releasing more than 200,000 gallons of sewage into parks, rivers, and the grounds of a Hyatt hotel.
  • Last year a senior Central Intelligence Agency official, Tom Donahue, told a meeting of utility company representatives in New Orleans that a cyberattack had taken out power equipment in multiple regions outside the United States. The outage was followed by extortion demands, he said.

The U.S. electrical grid comprises three separate electric networks, covering the East, the West, and Texas. Each includes many thousands of miles of transmission lines, power plants, and substations. The flow of power is controlled by local utilities or regional transmission organizations. The growing reliance of utilities on Internet-based communication has increased the vulnerability of control systems to spies and hackers, according to government reports.

Gorman writes that the sophistication of the U.S. intrusions — which extend beyond electric to other key infrastructure systems — suggests that China and Russia are mainly responsible, according to intelligence officials and cybersecurity specialists. Terrorist groups could develop the ability to penetrate U.S. infrastructure, but they do not appear to have yet mounted attacks, these officials say.

It is nearly impossible to know whether or not an attack is government-sponsored because of the difficulty in tracking true identities in cyberspace. U.S. officials said investigators have followed electronic trails of stolen data to China and Russia.

Utilities are reluctant to speak about the dangers. “Much of what we’ve done, we can’t talk about,” said Ray Dotter, a spokesman at PJM Interconnection LLC, which coordinates the movement of wholesale electricity in thirteen states and the District of Columbia. He said the organization has beefed up its security, in conformance with federal standards.

In January 2008 the Federal Energy Regulatory Commission (FERC) approved new protection measures that required improvements in the security of computer servers and better plans for handling attacks. Last week Senate Democrats introduced a proposal that would require all critical infrastructure companies to meet new cybersecurity standards and grant the president emergency powers over control of the grid systems and other infrastructure.

Specialists at the U.S. Cyber Consequences Unit, a nonprofit research institute, said attack programs search for openings in a network, much as a thief tests locks on doors. Once inside, these programs and their human controllers can acquire the same access and powers as a systems administrator.

The North American Electric Reliability Corporation (NERC) yesterday warned its members that not all of them appear to be adhering to cybersecurity requirements. The reliability of the grid is ultimately the responsibility of NERC, an independent standards-setting organization overseen by FERC. NERC set standards last year requiring companies to designate “critical cyber assets.” Companies, for example, must check the backgrounds of employees and install firewalls to separate administrative networks from those that control electricity flow. The group will begin auditing compliance in July.