5 Concerning Reasons The U.S. Power Grid Is Vulnerable To Cyber Attacks
10:00 AM EST Tue. May. 28, 2013
The threat of Iran, China or other countries attempting to bring down the U.S. power grid isn't enough to prompt electric utilities to better lock down and monitor systems, according to a report issued by two U.S. legislators last week. Electric utility operators comply with mandatory cybersecurity standards, but often fail to implement voluntary recommendations, the report found. The Electric Grid Vulnerability report surveyed about 150 electric utilities in the United States. Reps. Edward J. Markey, D-Mass., and Henry A. Waxman, D-Calif., are attempting to bolster support of the GRID Act, legislation that was introduced in 2010 to create mandatory physical and cybersecurity standards for electric utilities. The electric grid is the target of numerous daily cyberattacks, including malware, phishing and network probes, the report found.
The Stuxnet worm was used in 2010 against a nuclear research facility in Iran. It targeted a specific industrial control system and was designed to alter the programmable logic controller used to closely manage Iran's nuclear enrichment program. The attack spread, infecting systems globally. The North American Electric Reliability Corporation issued five mandatory standards and seven voluntary measures to ensure that Stuxnet does not impact power generation facilities. The majority of electric utilities that responded to the inquiry indicated that they were complying with the five mandatory Stuxnet measures. Far fewer indicated that voluntary measures were being implemented. Increased personnel screening was being conducted and many utilities indicated that assessments were under way to identify critical assets, the report found.
Almost all utilities indicated compliance with mandatory cybersecurity standards imposed by the Federal Energy Regulatory Commission. Some utilities indicated that the standards did not apply because their systems were isolated from the Internet. Security experts say system isolation helps drastically reduce the threat from external attacks. The Stuxnet worm, however, did not require the Internet to attack its target. It infected the Iranian facility using a USB thumb drive.
Some power providers reported attempts to probe their internal networks and applications for vulnerabilities and configuration weaknesses. Much of the activity is automated, the report found. Attacks using malware are frequent, but the aim of the attacks is unclear. Financially motivated cybercrime, fueled by automated attack toolkits, is widespread and aims to steal account credentials and credit-card data. Some probes also could be used by hacktivist groups or nation-state cyberespionage campaigns in an attempt to gain information about systems, the report found.
Electric utilities lack a uniform process for reporting cyberattacks against their systems, according to the report. Most reported that they follow standard requirements for reporting attacks to state and federal authorities, but they did not describe when reporting was mandatory. Currently, the incidents being experienced did not rise to reportable levels, they said. Many facilities indicate ongoing threats posed by banking malware, phishing scams and other financially motivated cyberattacks.
Investor-owned utilities are more likely to have dedicated IT security teams, according to the report. Over the past five years, several independently owned utilities reported dramatic increases in IT security-related staff. Increases were reported from five to 30 employees. Four independently owned utilities used outside vendors or contractors for security defenses or supplemented their staff with outside contractors. Municipality-owned or cooperatively-owned utilities, and the 11 federal entities that own major pieces of the bulk power system, did not provide specific information.