How serious is the hacking threat to the U.S. power grid?
Dozens of U.S. energy providers face "daily, constant or frequent" attempted cyber attacks, according to a new Congressional review of power grid safety. In an extreme case, one utility provider said it was the target of more than 10,000 attacks a month.
These numbers are intended to highlight the growing threat of cyber attacks to the nation's infrastructure, but some utility companies are calling the report alarmist and an effort to bolster congressional arguments for enhanced federal cybersecurity authority.
Earlier this week Rep. Henry Waxman (D-Ca.) and Rep. Edward Markey (D-Ma.) released a 35-page report entitled Electric Grid Vulnerability. Waxman and Markey gauged the threat to utility providers by sending a 15-question survey to 115 energy companies around the country. 112 of those companies responded and their answers revealed that the U.S. power grid is a prime target for cyber attackers using a variety of tactics and operating under a range of motives.
The electric grid is the target of numerous and daily cyber attacks, according to the report.
- More than a dozen utilities reported 'daily,' 'constant,' or 'frequent' attempted cyber attacks ranging from phishing to malware infection to unfriendly probes.
- One utility reported that it was the target of approximately 10,000 attempted cyber attacks each month.
- More than one public power provider reported being under a 'constant state of attack from malware and entities seeking to gain access to internal systems.'
- A Northeastern power provider said that it was 'under constant cyber attack from cyber criminals including malware and the general threat from the Internet...'
- A Midwestern power provider said that it was 'subject to ongoing malicious cyber and physical activity. For example, we see probes on our network to look for vulnerabilities in our systems and applications on a daily basis. Much of this activity is automated and dynamic in nature, able to adapt to what is discovered during its probing process."
Although these attacks occur with a great deal of frequency, none of the companies responding to the survey reported any sort of damage to the power grid as a result. Many of the attempted attacks were so minor in scope they were not reported to government authorities.
This has led critics, like Wired's Kim Zetter, to call the report overblown.
Pls people stop repeating that phony stat about power companies getting 10,000 cyberattacks a month. They're pings/ probes not attacks.— Kim Zetter (@KimZetter) May 22, 2013
At a hearing of the House Energy and Commerce Committee this week, utility owners also said the bandying about the "10,000 monthly attacks" statistic was misleading.
"The majority of those attacks, while large in number, are the same attacks that every business receives," Arkansas Electric Cooperative Corporation CEO Duane Highley told the hearing, according to Reuters.
But in their report, Waxman and Markey say the threat should still be taken seriously. The bulk power grid examined in the report provides energy to more than 300 million people, is made up of more than 200,000 miles of transmission lines, has more than one million megawatts of energy generating capacity and represents a total investment of more than $1 trillion.
The study notes that the interdependency of the grid has shown, through historical example, the cascading effect of power failures than can spread far beyond their initial glitch. So a single successful attack could have significant impact. And power outages pose more than an inconvenience for just private consumers. The report says more than 85 percent of the power used by the Department of Defense comes from commercial utility providers.
Many commercial energy providers, like Highley, say their utilities are already protected through cyber security standards established by the North American Electric Reliability Corporation (NERC), a non-profit industry group. But Waxman and Markey are pushing for a piece of legislation, known as the Grid Act, that would put responsibility for setting private utilities' cyber security standards into the hands of the government.
NERC currently has two sets of security standards—mandatory and voluntary. Although compliance was high among energy providers for the mandatory standards, they were much lower for the extra voluntary procedures. Waxman and Markey also accused the NERC rule-making process of being too slow and thus unable to respond promptly to evolving threats.
The proposed Grid Act is just the latest move by the federal government to bolster its cyber attack defenses. In recent months, the Obama administration has put a heavy emphasis on federal internet security, with President Barack Obama signing an executive order in February.
"Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems," Obama said at the time. "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
Photo by matti.frisk / Flickr