Will cyberintrusions crash U.S. electrical grid?

WASHINGTON--Some critics of the U.S. government's cybersecurity efforts might argue that nothing short of a bomb going off--or, well, purported Chinese cyberattacks on feds' machines--will land the issue more notice.

Without tougher security standards, Americans are in danger of hacker-induced blackouts, some politicians say.

(Credit: Declan McCullagh/mccullagh.org)

This time around, the wake-up call for politicians was, indeed, an explosion: In September, U.S. Homeland Security officials revealed that researchers at the Idaho National Laboratory had managed to destroy a small electrical generator through a simulated cyberattack. A few weeks ago, CNN aired a gloom-and-doom segment featuring snips from the once-classified video showing the device going up in smoke.

Although the prospect of that sort of incident causing massive disruption to the U.S. electrical grid has been around for years, the success of the experimental hack is drawing new calls from Congress for tougher federal security standards on the computer systems that control the nation's power systems.

"I'll be blunt--if this administration doesn't recognize and prioritize these problems soon, the future isn't going to be pretty," said Rep. Jim Langevin (D-R.I.), chairman of a House of Representatives cybersecurity panel that convened a hearing here on the topic Wednesday afternoon.

It's widely agreed that the threats to so-called "control" systems--sometimes known by the acronym SCADA, short for "Supervisory Control And Data Acquisition"--have grown in recent years. That's because more and more of them are being hooked up to "open" networks, including corporate intranets and the Internet, in an effort by their owners and operators to improve efficiency and lower costs.

But there was never much focus on the idea of building security features into those systems when they were first created, and that trend, unfortunately, continues today, said Joseph Weiss, a consultant and nuclear engineer who spent more than 30 years designing, implementing and analyzing control systems.

Feds: We're on it
Government regulators, for their part, say they are growing increasingly aware of those shortcomings and working valiantly to address the problem. Homeland Security's cybersecurity czar, Greg Garcia, told politicians Wednesday that his agency is handing out cybersecurity self-assessment guidelines to control systems operators, offering training to workers in that sphere, and distributing recommended "mitigations" against real-world attacks like the one simulated in Idaho.

And right now, the Federal Energy Regulatory Commission (FERC), which is responsible for overseeing the reliability of the nation's power systems, is considering proposed rules that purport to strengthen cybersecurity standards for the nation's power systems.

That proposal, however, falls woefully short of offering sufficient protections, Langevin and his Democratic and Republican colleagues said in comments filed recently with FERC. One major problem: The proposed rules are written in such a way that they would not even require electric grid operators and owners to install comprehensive security measures on all critical pieces of their systems that, if compromised, could cause significant disruptions, they argued. Instead, they'd have some latitude to focus only on certain components and neglect others.

The politicians are urging FERC to incorporate some of the more comprehensive, stringent standards developed by the National Institute of Standards and Technology, which is considered home to the government's technical experts.

Weiss, the consultant, argued that the infamous blackout that pummeled the Northeast in August 2003 (and was reportedly linked to the so-called MSBlast worm) arguably wouldn't have been prevented by the proposed regulations, but the NIST rules are comprehensive enough to deal with that issue.

Some suggested that the rules may not be up to par because, as required by law, they were devised chiefly by a group called the North American Electric Reliability Corporation (NERC), which was long considered the trade association for the power industry and was recently given legal authority to propose regulations for federal regulators to approve. An entity with those potential conflicts of interest isn't necessarily well-positioned to come up with objective standards, and it's high time for Congress to create a more independent means of devising critically important cybersecurity rules, Weiss said.

Rep. Zoe Lofgren (D-Calif.) appeared sympathetic to that idea and suggested that Homeland Security's cybersecurity division should be granted more authority to help out. "I don't think the energy sector is necessarily the expert on cybersecurity," she said.

NERC Executive Vice President David Whiteley said his organization was open to revising the proposed rules, while Joseph McClelland, director of FERC's Office of Electric Reliability, acknowledged that further improvements should be made before the rules gain final approval.

Although the electric grid was the primary focus Wednesday, threats to the control systems that deal with myriad other types of utilities could also prove, how shall we say, messy.

After all, the first prominent recorded incident of such an act came in 2000, when a software developer in Australia, apparently miffed after being turned down for a government job, used stolen radio equipment to hack into a system controlling a sewage plant. On nearly 50 occasions, he sent malicious code that opened control valves, causing refuse to ooze into nearby rivers and parks.