The power blackout that struck the northern United States and Canada in August shocked industry executives into acknowledging the need to upgrade outdated circuitry and power-generating equipment.
However, analysts and security experts are now warning that the outmoded, intrusion-prone computers used to control the grid pose a greater risk than the aging grid infrastructure.
The patchwork system of computers loosely linking the electricity producers in the United States and Canada makes an Internet attack that could shut down the power grid again mere child’s play, experts told TechNewsWorld.
For starters, the computer systems that run the maze of electrical power grids are largely vulnerable because of poor oversight. No government regulators oversee this equipment, which controls the connections to the power grid.
“The computer systems have not changed since the 1980s,” said Jerry Brady, CTO of security-services company Guardent. “There are numerous types of systems, and each one has its own set of rules.”
Power companies’ inadequate network security measures are equally responsible for the high risk the electrical grid faces. Analysts have described the companies’ equipment as a ragtag mixture of networked Windows and Unix machines.
“These computers are connected to the same IP networks found throughout the Internet,” said Alex Bakman, CEO of Ecora Software, a company that designs security software. “If we want to ensure security for the electrical power grid, then we have to disconnect these power-company computers from the Internet.”
It is primarily this lack of controls within the industry that has led analysts and security experts to worry about Internet-based attacks on the grid. According to Brady, the August power grid failure highlighted many of these risks.
Stuck in Red Tape
Since the August power failure, some companies have started to make security changes to their corporate networks, but analysts say no significant changes have been made to overall power-grid security so far.
“The power industry side is not changing,” Brady said. He did note, however, that power companies do not have much leeway to make changes within the system.
“Any one power company cannot make much difference,” he said. “No one company can take the lead with safety issues. The rate structure and interconnectivity solutions have to come from the federal government.”
Bakman agreed that government action is needed to make the power grid network more secure. “Some level of government regulation should be imposed on the electrical power grid industry,” he said. “Right now there [is] none.”
Beware the Insiders
The recent power failure has increased speculation about terrorist threats to the electrical grid, noted William Flynt, the former director of the U.S. Army’s Homeland Infrastructure Security Threats Office. However, he said, a bigger threat to the power grid might actually emerge from within.
“It is also possible for others besides terrorists to exploit the grid,” he told TechNewsWorld. “We can’t forget the threats posed by disgruntled workers and hackers.”
The U.S. power grid is more of a prime target than power grids in other countries largely because in the United States, electricity drives computer networks that are the backbone of everything from schools to traffic-control devices and government agencies. Without electricity, the country would shut down.
“We are vulnerable to attacks from a variety of sources,” said Flynt. “The industry didn’t think it had to worry about that before now, but the fact is, they are [vulnerable].” Utility companies have the same unrecognized vulnerabilities to intruders that any other corporation has, he added. Even innocent actions like allowing a company worker to access the corporate network from home can open the door to security breaches.
That reality has created a new category of security breakdowns, according to Flynt. Even a product vendor that does business with an electric utility can leave open a hole in the utility’s network through which a foreign or domestic attacker could enter.
Toward a More Secure Grid
Flynt said several security practices can help utilities defend against vulnerabilities. For example, power companies can maintain a patch-management program to ensure there is an adequate barrier to protect against dangerous computer worms and viruses. He also suggested activating firewall software, disabling unnecessary network services, installing intrusion-detection systems and barring remote access to corporate networks.
Flynt said he believes it is time for power utilities to recruit what he called “renaissance managers” to replace IT computer “geeks.” He also called for the creation of a new corporate position — a new kind of security officer — to oversee safeguards against Internet attacks. Such security officers would bring the power grid industry into the new century by combining physical plant security with cyber security in a single job.
“They have to think about security in a 21st-century way,” he said. “The power grid does have vulnerability, but it is not yet time to say the sky is falling.”