A year ago, an unidentified computer intruder tried to penetrate the Lower Colorado River Authority's power generation network with 4,800 high-speed log-in attempts that originated at an Internet address in China, according to a grid official's confidential memo that was leaked to the media.
And that was probably just an amateur's work, says David Bonvillain, vice president of Accuvant LABS, a cybersecurity consulting firm based in Hanover, Md.
Far greater challenges lie ahead as smart grid technologies proliferate in the nation's transmission network and utility control centers and eventually reach business and residential electricity customers, he says.
"There are known vulnerabilities, and there are vulnerabilities that haven't been discovered yet," he said. The risk that a hacker could disrupt a closely managed grid control system is considerably lower than for an intrusion into a financial or industrial network, but the consequences could be far graver, Bonvillain and other experts agree.
And the scope of the threat is expanding faster than the utility sector's response, says Michael Assante, the former chief security officer of the North American Electric Reliability Corp., the federally designated grid monitor. Assante left NERC last year to form a new nonprofit, the National Board of Information Security Examiners, which provides technical certification qualification for utility cyber defenders. The certification is intended to identify elite cybersecurity professionals.
"The smart grid increases the complexity of the system," Assante said in an interview. "There is more technology, and more networks highly interconnected to share information. You've increased the overall attack surface. You're deploying technology that is no longer in a building you control, and you are deploying it over the air, right up to the home.
"And you are deploying it at such a scale, it's a real challenge to manage and maintain security," Assante said. "We should deploy the technology" because of the range of benefits it promises, he said. "But we must learn where the weaknesses are."
The smart grid's rollout is raising awareness of the threat even as it increases vulnerability, some experts say. "The smart grid is one of the best things to ever happen to security in the utility space. People are really starting to see that threats are present there," said Jon Miller, director of Accuvant LABS.
"The smart grid will make technology management a core part of what any utility is," he said. But this transition is happening faster at some energy companies than at others, he said.
Security 'floor' needed for utility control rooms
The threshold challenge has been the slow development of security standards that establish a floor for safeguarding generator and transmission control rooms, according to the Government Accountability Office. A GAO report on March 11 called on the National Institute of Standards and Technology to complete its updating of cybersecurity guidelines, and concluded that the Federal Energy Regulatory Commission needed a stronger process for monitoring industry compliance with cyber standards.
The GAO report also cited a dramatic increase in cyber attacks on federal agencies, as reported to the U.S. Computer Emergency Readiness Team (US-Cert). Cyber incidents totaled 41,776 in fiscal 2010, a 650 percent increase in five years.
The standards-setting process has been burdened by jurisdictional issues and the need to seek a time-consuming utility industry consensus on a response to a rapidly evolving threat, experts say.
Responding to GAO's criticism, FERC chairman Jon Wellinghoff has pointedly noted that when Congress set up the process for creating cybersecurity standards for the electric power industry in the 2005 Energy Policy Act, it put the agency into a reactive stance: FERC can approve or reject cyber standards developed through NERC's industry consensus process, but it cannot do more.