A year ago, an unidentified computer intruder tried to penetrate the Lower Colorado River Authority's power generation network with 4,800 high-speed log-in attempts that originated at an Internet address in China, according to a grid official's confidential memo that was leaked to the media.
And that was probably just an amateur's work, says David Bonvillain, vice president of Accuvant LABS, the security and research division of Accuvant, a cybersecurity consulting firm based in Denver.
Far greater challenges lie ahead as smart grid technologies proliferate in the nation's transmission network and utility control centers and eventually reach business and residential electricity customers, he says.
"There are known vulnerabilities, and there are vulnerabilities that haven't been discovered yet," he said. The risk that a hacker could disrupt a closely managed grid control system is considerably lower than for an intrusion into a financial or industrial network, but the consequences could be far graver, Bonvillain and other experts agree.
And the scope of the threat is expanding faster than the utility sector's response, says Michael Assante, the former chief security officer of the North American Electric Reliability Corp., the federally designated grid monitor. Assante left NERC last year to form a new nonprofit, the National Board of Information Security Examiners, which provides technical certification qualification for utility cyber defenders. The certification is intended to identify elite cybersecurity professionals.
"The smart grid increases the complexity of the system," Assante said in an interview. "There is more technology, and more networks highly interconnected to share information. You've increased the overall attack surface. You're deploying technology that is no longer in a building you control, and you are deploying it over the air, right up to the home.
"And you are deploying it at such a scale, it's a real challenge to manage and maintain security," Assante said. "We should deploy the technology" because of the range of benefits it promises, he said. "But we must learn where the weaknesses are."
The smart grid's rollout is raising awareness of the threat even as it increases vulnerability, some experts say. "The smart grid is one of the best things to ever happen to security in the utility space. People are really starting to see that threats are present there," said Jon Miller, director of Accuvant LABS.
"The smart grid will make technology management a core part of what any utility is," he said. But this transition is happening faster at some energy companies than at others, he said.
Security 'floor' needed for utility control rooms
The threshold challenge has been the slow development of security standards that establish a floor for safeguarding generator and transmission control rooms, according to the Government Accountability Office. A GAO report on March 11 called on the National Institute of Standards and Technology to complete its updating of cybersecurity guidelines, and concluded that the Federal Energy Regulatory Commission needed a stronger process for monitoring industry compliance with cyber standards.
The GAO report also cited a dramatic increase in cyber attacks on federal agencies, as reported to the U.S. Computer Emergency Readiness Team (US-CERT). Cyber incidents totaled 41,776 in fiscal 2010, a 650 percent increase in five years.
The standards-setting process has been burdened by jurisdictional issues and the need to seek a time-consuming utility industry consensus on a response to a rapidly evolving threat, experts say.
Responding to GAO's criticism, FERC chairman Jon Wellinghoff has pointedly noted that when Congress set up the process for creating cybersecurity standards for the electric power industry in the 2005 Energy Policy Act, it put the agency into a reactive stance: FERC can approve or reject cyber standards developed through NERC's industry consensus process, but it cannot do more.
Because FERC's regulatory authority is limited to the interstate high-voltage transmission network, it has no direct influence over cybersecurity on utility distribution grids that deliver power to customers in cities. State utility commissions oversee that part of the grid. FERC and the National Association of Regulatory Utility Commissioners, the American Public Power Association and the National Rural Electric Cooperative Association are trying to harmonize a common approach, Wellinghoff said in a response to GAO last month.
After years of disjointed efforts since the 2005 act passed, the cyber issue has begun to move on some fronts, officials said, although some difficult regulatory policy negotiations still lie ahead.
Jurisdictional disputes remain
NERC's board of directors approved in December a new detailed checklist that power and transmission companies are to follow in identifying critical parts of their systems that will be subject to cyber protection regulation. The checklist responds to criticism from some members of Congress and FERC's staff that some utilities had kept critical facilities off the "critical assets" list to limit the future reach of cyber legislation. That new policy awaits FERC action.
NERC's trustees also approved in December a new regulatory approval process that is designed to prevent new cyber and reliability standards sought by FERC from being shelved because they failed to win approval by a supermajority of NERC's power company members. The federal regulators had directed NERC in March 2010 to come up with a solution to the impasse issue, and a year later, a resolution is about to occur, with a final approval from FERC expected soon, officials said.
Another jurisdictional issue involving nuclear plants has been overcome. The Nuclear Regulatory Commission has agreed to take oversight responsibility for cybersecurity of all systems at nuclear power plants, not just the reactors, officials said. A memorandum of understanding between the NRC and FERC resolves this question.
But a new Senate initiative is likely to reignite the federal-state jurisdictional quarrel over cyber standards.
Wellinghoff, in his March 10 letter to the GAO, said that the Federal Power Act, which applies to high-voltage interstate power transmission, "excludes virtually all of the grid facilities in certain large cities such as New York, thus precluding Commission action to mitigate cyber security or other national security threats to reliability that involve such facilities and major population areas. It is also important to note that much of the smart grid equipment will be installed on distribution facilities and will not fall under the Commission's Federal Power Act jurisdiction."
Last week, Chairman Jeff Bingaman (D-N.M.) of the Senate Energy and Natural Resources Committee and ranking Republican Lisa Murkowski (R-Alaska) circulated a draft bill on cyber protection policy that would give FERC the authority over critical distribution networks that it has been seeking. The proposed language says the bill would cover the "generation, transmission, or distribution of electric energy affecting interstate commerce" that federal authorities consider to be vital to U.S. security or national public health and safety.
Wide gap between least and most protected
A hearing on the legislation will be held in May, the committee said. Majority Leader Harry Reid (D-Nev.) has begun meetings with leaders of several Senate committees interested in the cybersecurity issue, seeking a coordinated path toward action this year, Senate aides said.
But even the successful completion of standards and rules for cyber protection for the power sector won't be enough if the technical competency of the industry's cyber managers is not upgraded, Assante insists.
The case study Assante cites is the Stuxnet computer worm, which industry experts believe penetrated a part of Iran's nuclear power infrastructure in mid-2009, damaging some of its critical uranium enrichment centrifuges.
The code for the Stuxnet cyber weapon, whose authors remain unidentified publicly and are the subject of intense speculation, was identified by a Russian security firm that found it on a USB flash drive, Assante says. The USB stick was turned over to the Russian firm by a security specialist at another firm who had plugged the stick into a computer and noticed a split-second response that was out of the ordinary.
The specialist didn't shrug off the anomaly, he says. "The reaction wasn't, 'Well, that was odd, and just move on,' which is a typical unaware reaction. ... It's easy to say, 'Well, that didn't work right. Let's just restart the computer.'"
Grid reliability is based on planning to keep the power flowing if a plant suddenly goes offline, a power line is knocked out, or a transformer fails, Assante said. The cyber challenge is different. "Planning engineers are used to saying, 'If this goes away, can the system still operate safely?'
"My point to them was, what happens if it doesn't go away, but this part of your system is being misused" to threaten the system?
Assante said there is still too wide a gap dividing power companies that are serious about raising cyber threat barriers and training people to use them, and other companies whose awareness and preparations are not adequate.
"Some utilities are certainly more progressive. They have more skilled folks on staff, and they've been able to do more to protect their systems. Others have suffered from the challenge of getting technical skills." The Tennessee Valley Authority is an example of a power provider that is setting high standards, he said. "Awareness differs. It's not a simple task," he said. "There's still work to be done."
Correction: An earlier version referred to Accuvant LABS as a company based in Hanover, Md.; however, Accuvant LABS is a division of Accuvant, which is based in Denver.