U.S. power grid is increasingly vulnerable to attack

Published 19 October 2007

U.S. power system is worth more than $1 trillion, comprising more than 200,000 miles of transmission lines and more than 800,000 megawatts of generating capability; it serves more than 300 million people; Congressional panel, describing industry-developed security standards as “woefully inadequate,” examines how well operators have implemented security measures developed by DHS and DOE

We reported a few weeks ago about how a simulated cyber attack by the Idaho National Laboratory, an attack which included the blowing up of an electrical generator, revealed the fragility of the U.S. electrical infrastructure. This week a congressional panel on cybersecurity called for an investigation into how well electric sector owners and operators have implemented security measures and procedures developed by DHS and the Department of Energy (DOE). eWeek’s Lisa Vaas writes that many say the danger is only growing, what with the increasing number of touch points between the U.S. power infrastructure and the Internet. It used to be the case that the systems controlling the U.S. power grid were largely proprietary and closed, but such control systems are becoming increasingly connected to open networks, such as corporate intranets and the Internet, in the process making them more vulnerable to attack. “As such, the cyber-risk to these systems is increasing,” said Representative Jim Langevin (D-Rhode Island), chairman of a House of Representatives cyber-security panel, in an opening statement for a 17 October hearing devoted to the cyber-threat to utility control systems and the stronger regulations that are necessary to secure the electric grid. Langevin said that what is at stake is a power system worth more than $1 trillion, comprising more than 200,000 miles of transmission lines and more than 800,000 megawatts of generating capability that serves more than 300 million people throughout the United States and Canada. The effective functioning of this vast infrastructure depends on control systems, that is, computer-based systems used to monitor and control sensitive processes and physical functions. “For a society whose every function depends on reliable power, the disruption of electricity to chemical plants, banks, refineries, hospitals, water systems and military installations presents a terrifying scenario,” he said.

The Federal Energy Regulatory Commission has proposed implementing reliability standards developed by the North American Electric Reliability Corp. Langevin said, however, that members of the cyber-security committee have found those standards to be woefully inadequate. “The NERC standard focuses on the reliability of the bulk power system as a whole, ignoring the homeland security impact that loss of power in a region can have,” he said. The House panel criticized the standards for not covering a “significant number of assets” that are critical to keeping the nation’s electricity flowing — specifically, they neglect any requirements regarding electric sector owners and operators securing generation units, distribution units, or telecommunications equipment.

The Idaho National Lab’s classified demonstration of blowing up a generator (later revealed by DHS) illustrated how control systems can be used to inflict critical damage on a physical structure — in the simulation, the physical structure was a turbine. Amit Yoran, CEO of Herndon, Virginia-based NetWitness and former director of the DHS’ National Cyber Security Division, says the reality is a bit more complicated. Utilities and equipment that rely on control systems, that is, computer or electronic equipment attached to mechanical equipment, whether in the power sector, in other utilities, or in other critical infrastructure, create a very complex system or set of systems, and their interaction is very complicated, not only in the case of power generation or transmission or distribution. When these things, which are very complicated in and of themselves, are intertwined, it gets even more complicated. That complexity, says Yoran, means that one turbine blowing up in the controlled situation of a lab should not be taken to mean that all control systems are vulnerable to this type of attack.

There is another problem here. Control systems themselves have complex and long deployment cycles, and they are deployed by vendors and come with warranties that the control system was tested and validated. As vulnerabilities are discovered, those who run control systems run into the problem that they might void their warranty if, for example, they apply a security patch. Joseph McClelland, director of the Office of Electric Reliability at the FERC, admitted as much during the 17 October hearing, saying that “A major concern with cyber-security is the prevalence in the industry of ‘legacy equipment’ which may not be readily adaptable for purposes of cyber-security protection…. If this equipment is left vulnerable, it could be the focal point of efforts to disrupt the grid.”