In a story today, the Washington Post notes that the U.S. power grid remains at risk from cyber security threats that could have real physical effects on the network and that the federal government is stepping up its efforts to make sure utility companies are addressing the threat.
Patrick H. Wood III, the chairman of the Federal Energy Regulatory Commission, warned top electric company officials in a private meeting in January that they need to focus more heavily on cyber-security. Wood also has raised the issue at several public appearances. Officials will not say whether new intelligence points to a potential terrorist strike, but Wood stepped up his campaign after officials at the Energy Department’s Idaho National Laboratory showed him how a skilled hacker could cause serious problems.
Wood declined to comment on specifics of what he saw. But an official at the lab, Ken Watts, said the simulation showed how someone could hack into a utility’s Internet-based business management system, then into a system that controls utility operations. Once inside, lab workers simulated cutting off the supply of oil to a turbine generating electricity and destroying the equipment.
Describing his reaction to the demonstration, Wood said: “I wished I’d had a diaper on.”
In our work before Congress and the President’s Information Technology Advisory Committee (pdf), we’ve tried to emphasize the importance of cyber security R&D, especially long-term R&D, because IT systems constitute the “control loop” of most other elements of our nation’s critical infrastructure (e.g., the electric power grid, the air traffic control grid, the financial grid, the telecommunications grid) and are therefore a significant vulnerability. While the federal government has been reasonably quick to warn companies of the risk, it hasn’t done quite as well in ramping up the long-term research to reduce vulnerabilities. Hopefully the imminent release of PITAC’s report (pdf) on the state of cyber security R&D will help move things forward at agencies like DHS and DARPA, and result in increased funding for NSF’s cyber security R&D efforts.
In the meantime, USACM’s Cameron Wilson has more, and Jim Horning has a related post on how the nuclear industry is reacting to new proposed voluntary standards for the increased security of digital systems. Short answer: not well.