The US Congress is to hold a series of hearings next
month on the recent electricity failure that
struck the Northeast and parts of Canada, to determine the likely
causes and what can be done to prevent future
failures.
Committee chairman WJ Tauzin has requested information on the
blackout from all of the utility companies and various industry
councils affected.
Officials from the House Committee on Government Reform want to
study the security of the national power grid's cyber-based control
systems. The concern is that an equally devastating series of
failures could be triggered by relatively minor disruptions to the
control systems that manage the power grid.
Such incidents are exactly what security experts from the IT and
energy industries have been warning about for years.
The issue came to the forefront during the California energy
crisis in 2001. For 17 days, between 25 April and 11 May, hackers
managed to remain undetected after they breached the network of the
California Independent System Operator (ISO), which manages that
state's electric grid. Although no damage was reported, officials
traced the intrusion back to a system in China.
The problem, however, is that electrical grids such as
California ISO's are highly integrated and dependent on other
regional grids, and all are managed using technology known as
Supervisory Control and Data Acquisition (SCADA) systems. Once
highly proprietary, SCADA systems are, increasingly, being deployed
using commercial off-the-shelf technologies that rely on public
internet protocols and connections for ease of management and cost
savings, experts said.
"The [energy] sector has always contained security
vulnerabilities, but these vulnerabilities have been compounded by
the introduction of new networking technologies, deregulation and
structural changes in the industry," according to a report released
last December by the Institute for Security Technology Studies.
"There have been dozens of cases where [SCADA] systems - in the
electric power, water, waste water, oil, gas and paper industries -
have been intentionally or unintentionally impacted by electronic
means," the report stated.
In addition, testimony received by the institute from utility
companies "clearly shows that the electric energy sector is
vulnerable to cyber impacts, and indications are that terrorists,
hostile nation-states or malicious computer hackers pose a threat
to the sector".
"More co-ordinated attacks against regional power networks are
also possible in light of current vulnerabilities," the institute's
study concluded.
"Attacks that in some way disrupt the national power grid appear
possible, but too little information is currently available to
accurately assess the potential impact of cyberattacks on the
national grid. Therefore, it is imperative to support and expand
testing and research in this area."
Howard Schmidt, former chairman of the President's Critical
Infrastructure Protection Board and now chief security officer at
eBay, said the IT security technology capable of protecting
real-time control systems, such as SCADA systems, from hackers does
not yet exist.
Commercial technologies, such as firewall systems, are not
capable of operating in the real-time control environment of the
power grid.
"It is an urgent research and development issue that was put in
the National Strategy to Secure Cyberspace and one that can help
mitigate the vulnerability," Schmidt said.
Dan Verton writes for Computerworld