Electric Utilities May Be Vulnerable to Cyberattack

By Ellen Nakashima and R. Jeffrey Smith
Washington Post Staff Writers
Thursday, April 9, 2009

The nation's electric utilities have failed to fully survey the vulnerability of their equipment to computer-based attacks from foreign countries and hackers, a government-authorized regulatory group concluded this week. That assessment came as senior U.S. officials renewed warnings that experts from Russia, China and other nations have been trying for years to probe and exploit those vulnerabilities.

The alert by the North American Electric Reliability Corp. on Tuesday came on the same day that a senior military official reported that the Pentagon has spent more than $100 million in the past six months responding to cyberattacks or other network problems. Government officials have long complained that private industry, which controls almost all of the U.S. electrical supply, has taken few measures to defend itself against debilitating attacks.

The Obama administration is nearing completion of a two-month review of cybersecurity policy, which experts said is likely to urge a more robust federal role in setting security standards for utilities and other industries considered vital to the American economy. Democratic lawmakers have also introduced legislation this year supporting the creation of such standards.

So far, the federal government has tread lightly in setting computer security regulations for the power grid. The corporation, which has the authority to ensure the reliability of the electrical power supply, has been industry-run until recently; it says its current trustees, elected by industry members, are independent. The group's principal initiative to date has been to require that companies identify their vulnerabilities to cyberwarfare attack.

But in this week's letter to industry and government officials, Michael J. Assante, the group's chief security officer, complained that the most recent self-scrutiny did not go far enough. He warned in particular that "system planners and operators" need to pay more attention to the danger of "simultaneous manipulation" of computers within power substations and the consequences of such attacks on the larger grid.

The fact that "an intelligent cyberattacker" can compromise "multiple assets at once, and from a distance" requires more protection than utilities have considered, Assante said in his letter. He said they need to take a new look at "the potential consequences . . . of not only the loss of assets that they own or control, but also the potential misuse of those assets by intelligent threat actors."

Assante did not specify where the threats might originate, but several independent experts said federal authorities have detected penetrations of computer controls for the power grid emanating from Russia and China, whose war colleges and militaries have been teaching cyberwarfare techniques. Those efforts to penetrate the controls were aimed at finding computer vulnerabilities and, once detected, sometimes involved planting software so that security patches could be circumvented in the future.

"We know penetrations started more than 10 years ago. But we don't know all of them," said James A. Lewis, a former federal computer-security expert who directed a commission on the cybersecurity threat for the Center for Strategic and International Studies last year. "It could be longer. We don't know the scope. In some cases, people have found the leave-behinds. In other cases, they know they've been penetrated but haven't found any malware."

Lewis was responding to an article in yesterday's editions of the Wall Street Journal that described the foreign penetrations of electric utility company computers.

Homeland Security Secretary Janet Napolitano declined to comment directly on the report but told reporters that to her knowledge, no part of the U.S. electricity grid has been "compromised by a deliberate cyberattack." She added that the utility industry is "working all the time to detect cyber-intrusions and to mitigate their impact, and clearly it's a function of the utilities, not the government -- but we work with them."

Staff writer Spencer S. Hsu contributed to this report.

© 2009 The Washington Post Company