A government watchdog is calling for tighter — and more coordinated — cyber security efforts by federal agencies to protect the U.S. electricity grid, a potentially vulnerable target for U.S. enemies.
The volume of malicious software and online attacks targeting overall U.S. computer networks has tripled in the last two years, raising the possibility of an eventual threat to the flow of electric power to homes, businesses, and the Internet itself, according to a Government Accountability Office report released Tuesday.
“Terrorists, hackers, and other non-government groups all have the desire and are trying to gain the ability to get into our electricity infrastructure,” Gregory Wilhusen, the director for information security issues at GAO, said in an interview. “The impact of widespread outages could have national security implications. And, in residential areas, it not only affects homes and customers. It also has major effects on commerce.”
According to a report three weeks ago by the Department of Homeland Security’s Computer Emergency Response Team, reported attacks on organizations in the electrical energy sector in the U.S. have increased from three in 2009 to 31 in 2011. These amounted to 21 percent of the total reported in that time period.
Several of the attacks cited in the report were carried out through spear-phishing, an attempt to steal information for monetary gain. In one case, an employee at what the report identified only as a “bulk electric power organization” opened to door to hackers merely by clicking on what appeared to be a PDF of an e-mailed industry newsletter; the attachment then released malicious software onto the company computer. Homeland Security’s response team was called on to deal with what it labeled as a “sophisticated threat.”
A spear-phishing effort also targeted what the report called “an Energy Sector organization” in 2010, successfully withdrawing data from the group’s network. Called to the site, Homeland Security’s team found evidence of a targeted attack — versions of malicious software that had been specially adapted to the organization, allowing hackers to retrieve information. Homeland Security’s report said its response team was able to “identify, mitigate, and eradicate” the threat.
According to GAO, security for smart grids — which measure energy use and redirect power to areas that need it most — is threatened by a lack of coordination between authorities tasked with energy and water security at the federal level and those at state and city levels.
So far, many of the attacks have not been aimed at shutting off service but at avoiding paying for it. Wilhusen said some hackers have tinkered with usage software, allowing them to escape proper billing.
Although the Federal Energy Regulatory Commission is responsible for electrical security on a national scale, local authorities handle security for smart grids within their own jurisdictions, with no mandatory standards to follow. Instead, local offices are supposed to follow voluntary standards put in place by the Energy Independence and Security Act of 2007. However, the GAO report notes that federal regulators have no way of checking who’s adhering to those.
“Without a good understanding of whether utilities and manufacturers are following smart grid standards, it would be difficult for FERC and other regulators to know whether a voluntary approach to standards setting is effective or if changes are needed,” according to the GAO report.
The Federal Energy Regulatory Commission did not return a request for comment.