Skip Links

Damage from attack on power grid would surpass Sandy

Terrorists could black out large regions of the nation for weeks or months, a report from the National Research Council says

By Antone Gonsalves, CSO
November 29, 2012 08:13 AM ET

CSO - The U.S. is in urgent need of a nationwide strategy to protect its highly vulnerable electric grid from succumbing to a cyberattack that could cause far more damage than Hurricane Sandy, a recent report said.

Nearly two-dozen bugs easily found in critical infrastructure software

Terrorists who gained access to any one of a number of key facilities, either through Internet-delivered malware designed to destroy control systems or through a saboteur on the inside, could black out large regions of the nation for weeks or months, the report from the National Research Council said.

Damage from such an attack would be many billions of dollars more than the destruction caused by Sandy last month on the East Coast.

"Considering that a systematically designed and executed terrorist attack could cause disruptions even more widespread and of longer duration, it is no stretch of the imagination to think that such attacks could produce damage costing hundreds of billions of dollars," M. Granger Morgan, head of the engineering and public policy department at Carnegie Mellon University, said in a statement. Morgan was chairman of the committee that wrote the report released this month.

The grid's acute vulnerability comes from being spread across hundreds of miles and having many unguarded key facilities. In addition, federal legislation in the mid-1990s that opened the door to more competitors in the power market has stressed the nation's bulk high-voltage system, leaving it at risk to multiple failures following an attack. 

The grid is also riddled with important pieces of equipment that are decades old and lacks advanced technology for sensing and control that could limit outages. An example is how Long Island Power Authority struggled to restore electricity after Sandy, which caused more than $70 billion in damages. News media reported that the utility was hampered by the use of decades-old mainframe computers.

"As utilities struggle to make a profit, their last concern is updating antiquated systems and investing in security," said Darren Hayes, a professor at Pace University and an expert in computer forensics and security. 

Another problem lies with utilities over the years joining their IT operations in order to cut costs, Hayes said.

"Security has not been a priority but should be now that many utilities have centralized their IT operations to reduce costs," Hayes said in an email. "This centralization has meant that utilities networked together can be brought down together in a catastrophic manner." 

Fear of a cyberattack on the nation's critical infrastructure was heightened following the discovery of Stuxnet, sophisticated malware that damaged Iran's nuclear facilities in 2010. Iran has vowed to take "pre-emptive" strikes against the countries it believes are responsible. The New York Times reported that the U.S. and Israel developed Stuxnet together.

[See related: The changing security battlefield]

The report recommends ways to protect the nation's power delivery system, starting with money. Funding for research is currently much smaller than needed, the study said.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News