How serious is threat to power grid? Depends who you ask.

Expert opinion differs widely over a report that the U.S. electric power-grid has been compromised by cyberspies, perhaps from Russia and China, who have installed malware so they can disrupt industrial control systems for electricity distribution in the event of a conflict.

Quoting former and current government officials anonymously, the Wall St. Journal article this week asserts “the espionage is pervasive across the U.S.” and “software tools left behind” in electric-grid systems could be “used to destroy infrastructure components” in the event of war. However, while the electric power grid is seen as vulnerable to cyber-attacks, there's doubt in some quarters the system has been so wholly compromised or could be so easily destroyed.

“No, it isn’t, but it is vulnerable,” says Ed Legge, spokesman for the Edison Electric Institute (EEI), an association representing about 70 of the largest utilities which generate the bulk of the nation’s electricity through complex swatches of eastern- and western-distribution grids and management and control points called Independent System Operators.

“There is hacking,” says Legge. “Hackers are coming after the electrical grid all the time.”

While EEI has no knowledge that the nation’s interconnected systems have been pervasively compromised by malware that could disrupt it, there are no illusions that the grid is as safe or efficient as it could be.

“The cybersecurity issue is on our radar,” says Legge. “Computers come with that, and as we use them more and more with our systems, and they become more a part of providing electricity, we have to be concerned about it.”

Gregory Reed, professor of electrical-power engineering at the University of Pittsburgh, as well as a technical consultant with experience at Con Edison in New York City, expresses doubts regarding claims of a pervasive compromise of the U.S. electric grid that would allow an attacker to disrupt it through malware.

“It doesn't seem feasible from what I know,” Reed said. No real-time control of the electric grid is coming from the Internet, he says. “It's firewalled and on separate systems,” says Reed. “We're not operating these systems on the Internet.”

But he does think that if there is espionage, it “won't reveal more than how the network is connected, and being able to map the infrastructure is not a threat without knowing how the system is operated and controlled.”

He adds that some of this information, though not in great detail, is available publicly already from the U.S. Dept. of Energy and the Federal Energy Regulatory Commission.

Others, though, say the assertions about cyberspies infiltrating the power grid through malware are true and “should be a wake-up call.”

Alan Paller, director of SANS Institute, a security training and information center that has worked closely with utilities operating Supervisory Control and Data Acquisition (SCADA) systems as well as government agencies, says the potential for a massive cyber-attack on the power grid is real.

Paller says some in the industry may be in denial about it, but “the Wall Street Journal article may be the first step in a 12-step program for utility executives.”

“The management of the utilities do need real-time monitoring of what is happening inside the plants so those systems have to feed data out,” Paller notes. “But there should be absolutely no way to feed data in.”

Security vendors that have utilities as customers have a mixed reaction to the claims about a pervasive compromise of the U.S. grid.

“The whole grid going down is the hardest one to believe,” says Eric Knight, senior knowledge engineer at LogRhythm, noting the Wall Street Journal article lacked sufficient information “about why we should be panicking, per se.”

Others do believe.

“This should come as a surprise to no one,” says Patrick Peterson, chief security researcher at Cisco, adding, “The truth is slowly coming out.”

“We all know there are a number of state and non-state actors pursuing U.S. intelligence and disruption activities,” Peterson says. He adds the “use of off-the-shelf technology and networked systems provides an avenue of attack.”

He notes the newspaper story and others like it provide “the visibility and attention to catalyze necessary security improvements.”

Shane Buckley, CEO at Rohati, says he worries that “a number of utilities outsource development to Eastern Europe, Russia and China,” and cyberspy attacks could originate through outsourcing.

Amid all this controversy over spies in the grid, the Obama Administration next week is expected to release its promised 60-day “Cyber Security Review” that will include a look at the status of critical infrastructure.

And there’s also the widespread expectation that the nation--the government and industry in tandem--will eventually embrace the concept of investing in a modernized electric-power grid dubbed the “SmartGrid.”

The SmartGrid concept would both provide consumers with more information about their energy demands and provide an “over-riding communications platform and real-time access to transmission systems,” says Reed. “It would lead to better decisions about how we use electricity, and it’s a natural evolution of where technology needs to go.”

But it would need to include very tight security or it could become a potential entry point for attackers, Reed points out.

“We will have to build protection in to start,” agrees EEI's Ed Legge, noting the utilities strongly support the SmartGrid concept as a way to “provide more control and more visibility” over the power grid. “The idea is to make things work better and get efficiencies and reduce costs,” says Legge. “We’ve treated electrons like they grow on trees. We need to manage things better.”

Copyright © 2009 IDG Communications, Inc.
