Power Grid Security Risk has Feds Scrambling
In Congress, the vulnerability of the power grid has emerged as among the most pressing domestic security concerns.
Adam Crain assumed that tapping into the computer networks used by power companies to keep electricity zipping through transmission lines would be nearly impossible in these days of heightened vigilance over cybersecurity.
When he discovered how wrong he was, his work sent Homeland Security Department officials into a scramble.
Crain, the owner of a small tech firm in Raleigh, N.C., along with a research partner, found penetrating transmission systems used by dozens of utilities to be startlingly easy. After they shared their discovery with beleaguered utility security officials, the Homeland Security Department began sending alerts to power grid operators, advising them to upgrade their software.
The alerts haven’t stopped because Crain keeps finding new security holes he can exploit.
“There are a lot of people going through various stages of denial” about how easily terrorists could disrupt the power grid, he said. “If I could write a tool that does this, you can be sure a nation state or someone with more resources could.”
Those sorts of warnings, along with vivid demonstrations of the grid’s vulnerability, such as an incident a year ago in which unknown assailants fired on a power station near San Jose, nearly knocking out electricity to Silicon Valley, have grabbed official attention. In Congress, the vulnerability of the power grid has emerged as among the most pressing domestic security concerns.
It is also among the most vexing.
Lawmakers have expended considerable energy on the issue, to limited effect. At times, they appear to be working at cross purposes. Some members of Congress want to empower regulators to force specific security upgrades at utilities. Others are attacking whistle-blowers and the media, demanding an investigation into disclosures of how easily the country’s power grid could be shut down.
The magnitude of the problem is underscored by concerns raised by insurance giant Lloyds of London, which is known for a willingness to insure pretty much everything.
Lloyds’ appraisers have been making a lot of visits lately to power companies seeking protection against the risk of cyberattack. Their takeaway: Security at about half the companies they visit is too weak for Lloyds to offer a policy.
“When Lloyds won’t insure you, you know you’ve got a problem,” said Patrick Miller, founder of the Energy Sector Security Consortium, a Washington-based nonprofit that advocates tougher cybersecurity measures for the electricity industry.
The challenges are compounded by lingering tensions between federal law enforcement and the industry. Each accuses the other of being territorial and evasive, neglecting to share confidential incident reports, intelligence analyses and other sensitive data.
Power companies, eager to keep regulators at bay, find themselves in a bind. They need to show quickly that they are equipped to protect the grid against outside attacks. They warn the grid is so massive, complicated and fragile that any tinkering needs to remain the responsibility of those who operate it day to day, not well-intentioned but inexperienced federal regulators.
“The notion of … a single government agency giving an order to direct changes in the grid is extremely dangerous,” said Gerry Cauley, chief executive of the North American Electric Reliability Corp., the quasi-governmental organization through which utilities manage the power grid.
Even security experts who criticize Cauley’s organization for moving too slowly agree his argument has merit. The problem, said Scott White, a security technology scholar at Drexel University in Philadelphia, is that “you are basically dealing with these monopolies that are determining for themselves which expenditures are a priority. Security has not generally been one.”