As far as the headline writers at the Wall Street Journal were concerned the battle was over and the U.S. electricity grid was under control by the enemy -- "Electricity Grid in U.S. Penetrated by Spies." There has been a bunch of speculation on the Web and in the blogosphere over just why this story came out when it did - this sort of thing is a fertile area for conspiracy theorists. But I'm more interested in the underlying issue and why it's not actually getting the attention it should.

The underlying issue is the security of the U.S. utility infrastructure -- electricity, water, gas, sewer. Observers have been warning for years that U.S. utility companies seem to have a negative understanding of security when it comes to protecting their systems from non-physical threats. Yet stories like the one in the Journal keep showing up. A quick look shows such a story each of the last three years. In June 2007 the U.S. Department of Homeland Security leaked a video of the results of a cyber attack on a power generator. A year later Forbes published a story headlined "Congress Alarmed At Cyber-Vulnerability of Power Grid." Now we get the WSJ article.

It looks like the utility folk have not been paying attention to the real world or are operating in utility-time rather than Internet time.

Why else would you only be at the requirements stage of protecting utility infrastructure? (see "Smart grid, other environmental control systems not smart about security") And why else would you get Michael Assante, the chief security officer of the electric industry's North American Electric Reliability Corporation (NERC), to say the day before the WSJ article, either as a coincidence or as a part of the conspiracy, that new thinking about security was needed from the utility companies?

Assante said NERC was requesting that utilities "take a fresh, comprehensive look at their risk-based methodology" to evaluate the potential misuse of utility systems by "intelligent threat actors."

Why is it so hard to get these people's attention? I assume it is not that they just don't care. Maybe it's that the technology of data networks is so different than that of power generators that the comprehension is just not there. I can sympathize -- to some degree. I do not have the faintest idea on how to design an overload protector for a 133 megawatt generator (the size of the generators in Hoover Dam), but I do have an idea that such a device is needed. The utility managers seem to not have any idea that data security is needed.