A survey of 112 of the top 150 national utilities by US Reps. Edward Markey (D-Mass.) and Henry Waxman (D-Calif.) painted a picture of continuous assault, using techniques that range from phishing to malware infection to unfriendly probes.
Markey and Waxman noted that "Cyberattacks can create instant effects at very low cost and are very difficult to positively attribute back to the attacker. It has been reported that actors based in China, Russia, and Iran have conducted cyber probes of US grid systems, and that cyberattacks have been conducted against critical infrastructure in other countries."
More than one public power provider reported being under a “constant state of ‘attack’ from malware and entities seeking to gain access to internal systems.” A Northeastern power provider said that it was “under constant cyber-attack from cyber criminals including malware and the general threat from the Internet.” And, a Midwestern power provider said that it was “subject to ongoing malicious cyber and physical activity. For example, we see probes on our network to look for vulnerabilities in our systems and applications on a daily basis. Much of this activity is automated and dynamic in nature – able to adapt to what is discovered during its probing process.”
While the hackers seem to have been thus far unsuccessful – none of the utilities reported specific damage to any of their computer systems – the parameters for sharing information are lacking, the report found.
“There did not appear to be a uniform process for reporting attempted cyberattacks to the authorities; most respondents indicated that they follow standard requirements for reporting attacks to state and federal authorities, did not describe the circumstances under which these requirements would be triggered, but largely indicated that the incidents they experienced did not rise to reportable levels," Markey and Waxman wrote.
The survey did find a high compliance rate with mandatory standards issued by the North American Electric Reliability Corporation (NERC), but providers are less likely to have implemented NERC's voluntary recommendations.
For example, NERC has established both mandatory standards and voluntary measures to protect against the computer worm known as Stuxnet, a sophisticated bug that was used to shut down centrifuges at Iranian nuclear facilities. Of those that responded, 91% of investor-owned utilities, 83% of municipally or cooperatively owned utilities, and 80% of federal entities that own major pieces of the bulk power system reported compliance with the Stuxnet mandatory standards. By contrast, of those that responded to a separate question regarding compliance with voluntary Stuxnet measures, only 21% of IOUs, 44% of municipally or cooperatively owned utilities, and 62.5% of federal entities reported compliance.
Hackers may not spend very much to attack the grid, but the potential consequences are staggering. The US bulk-power system serves more than 300 million people, is made up of more than 200,000 miles of transmission lines, more than 1 million megawatts of generating capacity, and is valued at over $1 trillion. The vast majority of grid assets are owned and operated by private companies and other non-federal institutions. The components of the grid are thus highly interdependent, and a line outage or system failure in one area can lead to cascading outages in other areas, with catastrophic effects.
“For example, on August 14, 2003, four sagging high-voltage power lines in northern Ohio brushed into trees and shut off,” the report noted. “Compounded by a computer system error, this shut-down caused a cascade of failures that eventually left 50 million people without power for two days across the United States and Canada. This event, the largest blackout in North American history, cost an estimated $6 billion and contributed to at least 11 deaths.”