As the 9/11 anniversary approaches, experts wonder if the United States could withstand a breach of its power network, or whether the so-called "smart grid," which promises more efficient energy use, is more vulnerable to cyber attacks than the old one. The answers are yes and yes.
When it comes to protecting against hackers, the nation's electric utilities are about where the financial and telecommunications industries were a decade ago, according to Andy Bochman, Energy Security Lead for IBM's Rational division, which focuses on smart-grid security software.
Bochman says the electrical sector has been late in the game when it comes to embracing information technology that focuses on security, but is catching up.
"We are now at a sustained back-and-forth between the powers that are trying to attack these systems, and forces aligned to defend them," Bochman said.
While that statement may sound a bit like a sci-fi plot, the reality is that utilities across the country have seen a big increase in deliberate attacks, as well as inadvertent screw-ups that have thrown thousands of customers into the dark.
In a study released in April of electrical utilities by McAfee, the computer security firm, and the Center for Strategy and International Studies in Washington, utility industry executives from 14 nations found that things are getting worse.
"One of the more startling results of our research is the discovery of the constant probing and assault faced by these crucial utility networks. Some electric companies report thousands of probes every month. Our survey data lend support to anecdotal reporting that militaries in several countries have done reconnaissance and planning for cyber attacks on other nations' power grids, mapping the underlying network infrastructure and locating vulnerabilities for future attack," the report stated.
Could a Stuxnet-type virus, which pretty much destroyed one of Iran's nuclear power plants, happen in the United States? Some similar, but less dangerous events, already have:
•In April 2009, The Wall Street Journal reported that that cyber spies had infiltrated the U.S. electric grid and left behind software that could be used to disrupt the system. The hackers came from China, Russia and other nations and were on a fishing expedition to map out the system, the paper reported.
•In June 2008, the Hatch nuke plant in Georgia shut down for two days after an engineer loaded a software update for a business network that also rebooted the plant's power control system.
•In October 2006, a foreign hacker invaded the Harrisburg, Pa., water filtration system and planted malware.
•In August 2003, the "Slammer" worm infected the Davis Besse nuclear power plant in Ohio, causing a five-hour shutdown of computer systems.
There are also reports overseas, such as the news this week that a major South Korean bank was compromised by a deliberate attack by North Korean hackers sponsored by the rival nation's government. That cyber attack in April left more than 30 million customers without access to their accounts for several days, according to South Korean officials.
As U.S. power systems adopt smart-grid technology, some fear that they, too, will face greater threats.
"What we are doing is laying a new digital infrastructure over the very reliable and sturdy bulk power system," said Mark Weatherford, security chief for the North American Electric Reliability Corp. "This digital infrastructure provides a lot of new attack vectors into the electrical system that didn't previously exist. Smart meters that exist on homes and businesses and facilities, where it used to be an analog box now is a digital box, which provides new vectors to exploit those networks."
"As you increase those digital touchpoints, you're going to increase the potential vulnerabilities."
But at the same time, IBM's Bochman says the smart grid can actually keep the electrical system more secure because it will sense trouble earlier and send in cyber troops to protect data, as well as divert power around trouble spots.
"A small (attack) happening in one place will be easier to isolate, and other resources can be brought to bear and there isn't the damage that the bad guys were intending," Bochman said. "It's one of the motivators that keep senior people in government and industry up at night practicing for it."
Defense contractors who have years of experience in protecting Pentagon and other military computer networks are now focusing on civilian infrastructure such as the power supply. Rich Mahler, manager for energy and cyber services at Lockheed Martin, said smart-grid technologies are only as good as the people who program them.
"We want to make sure that new technology doesn't introduce new risk," Mahler said.
Mahler said Lockheed's new cyber security program for electric utilities, called Palisade, is being used in a pilot program by American Electric Power, based in Columbus, Ohio. The program draws from techniques used to prevent attacks on military computer systems.
"It's an intelligence analysis approach to cyber security," Mahler said.
Lockheed — the nation's largest defense contractor — was itself targeted by hackers earlier this year who managed to penetrate its VPN program that allows users to log in to accounts from home. The company called the attack "significant and tenacious," but said Lockheed was able to quickly prevent loss of data.
Making things a little more difficult to predict, not all U.S. electrical grids are created equal. Some utilities and regional networks have adopted smart-grid technologies quickly, while others are falling behind, according to Sean McGurk, director of the National Cybersecurity and Communications Integration Center at the Department of Homeland Security.
"Some metro areas have deployed this," McGurk said. "But if you got everyone in a room, and said define smart grid, you'd get a dozen answers. It's not clearly defined."