Damage from attack on power grid would surpass Sandy

The U.S. is in urgent need of a nationwide strategy to protect its highly vulnerable electric grid from succumbing to a cyberattack that could cause far more damage than Hurricane Sandy, a recent report said.

Terrorists who gained access to any one of a number of key facilities, either through Internet-delivered malware designed to destroy control systems or through a saboteur on the inside, could black out large regions of the nation for weeks or months, the report from the National Research Council said.

Damage from such an attack would be many billions of dollars more than the destruction caused by Sandy last month on the East Coast.

"Considering that a systematically designed and executed terrorist attack could cause disruptions even more widespread and of longer duration, it is no stretch of the imagination to think that such attacks could produce damage costing hundreds of billions of dollars," M. Granger Morgan, head of the engineering and public policy department at Carnegie Mellon University, said in a statement. Morgan was chairman of the committee that wrote the report released this month.

The grid's acute vulnerability comes from being spread across hundreds of miles and having many unguarded key facilities. In addition, federal legislation in the mid-1990s that opened the door to more competitors in the power market has stressed the nation's bulk high-voltage system, leaving it at risk of multiple failures following an attack.

The grid is also riddled with important pieces of equipment that are decades old and lacks advanced technology for sensing and control that could limit outages. An example is how Long Island Power Authority struggled to restore electricity after Sandy, which caused more than $70 billion in damages. News media reported that the utility was hampered by the use of decades-old mainframe computers.

"As utilities struggle to make a profit, their last concern is updating antiquated systems and investing in security," said Darren Hayes, a professor at Pace University and an expert in computer forensics and security.

Another problem is that utilities have, over the years, joined their IT operations in order to cut costs, Hayes said.

"Security has not been a priority but should be now that many utilities have centralized their IT operations to reduce costs," Hayes said in an email. "This centralization has meant that utilities networked together can be brought down together in a catastrophic manner."

Fear of a cyberattack on the nation's critical infrastructure was heightened following the discovery of Stuxnet, sophisticated malware that damaged Iran's nuclear facilities in 2010. Iran has vowed to take "pre-emptive" strikes against the countries it believes are responsible. The New York Times reported that the U.S. and Israel developed Stuxnet together.


The report recommends ways to protect the nation's power delivery system, starting with money. Funding for research is currently much smaller than needed, the study said.

Besides money, the report recommends developing, manufacturing and stockpiling "universal recovery transformers" that could temporarily replace downed high-voltage transformers, which are often custom built outside the U.S. and can take months, or even years, to replace. Recovery transformers would be less efficient, but they could drastically reduce delays in restoring power. The U.S. Department of Homeland Security (DHS) has recently started working with the U.S. power industry on a program to develop and test recovery transformers.

Other points of weakness include communication, sensor and control systems that are open to cyberattacks through an Internet connection or by sabotage from within. The best solution is to remove connections with the Internet, the report said. Where that isn't possible, state-of-the-art technical and managerial security systems should be in place, including systems that monitor for operator error or sabotage.

The threat of attack from the inside was made clear in August when a virus named Shamoon erased the data on three-quarters of the corporate PCs of state-owned oil company Saudi Aramco. An insider is believed to have infected the computers through a USB memory stick inserted into a PC.

Finally, the report recommends that DHS and the Energy Department initiate and fund assessment programs across cities, counties and states. These programs should act as models for local and regional planning efforts that have a goal of eliminating vulnerabilities.

More collaboration and sharing of information between government agencies and private industry are also needed. But for that to happen, the federal government will have to address public policy and legal barriers, the report said.

That last condition may be difficult given the opposition to proposed legislation to mandate information sharing. This month, the Cyber Security Act of 2012 failed to pass the Senate, largely due to opposition from businesses and privacy advocates.

President Obama, who supported the bill, is expected to issue an executive order implementing those elements that do not require congressional approval.


Stories by Antone Gonsalves
