U.S. power companies under frequent cyberattack

Legislation that would give the federal government power to oversee the protection of utilities has stalled

A survey of U.S. utilities shows many are facing frequent cyberattacks that could threaten a highly interdependent power grid supplying more than 300 million people, according to a congressional report.

More than a dozen utilities said cyberattacks were daily or constant, according to the survey, commissioned by U.S. Democratic Representatives Edward J. Markey and Henry A. Waxman. The 35-page report on the survey, called "Electric Grid Vulnerability," was released on Tuesday.

The report is in response to widespread concerns that hackers could damage parts of the U.S. power grid, causing widespread outages and prolonged economic effects. Markey and Waxman are members of the U.S. House Energy and Commerce Subcommittee, which held a hearing on cyberthreats and security on Tuesday.

Power outages and quality disturbances cost the U.S. economy upwards of US$188 billion annually, with single outages costing as much as $10 billion, the report said. Replacing large transformers, for example, can take more than 20 months.

The 15-question survey was sent to more than 150 utilities owned by investors, municipalities, rural electric cooperatives and those that are part of federal government entities. About 112 responded to the survey, which was sent in January.

Many utilities were coy in their responses. None reported damage as a result of cyberattacks, and many declined to answer the question of how many attempted attacks were detected, the report said.

One utility said it recorded 10,000 cyberattacks per month, while another said it saw daily probes for vulnerabilities in its systems and applications. Cyberattacks are inexpensive to execute and hard to trace, the report said.

"It has been reported that actors based in China, Russia, and Iran have conducted cyber probes of U.S. grid systems, and that cyberattacks have been conducted against critical infrastructure in other countries," the report said.

The U.S. Congress has not delegated oversight of utilities' cybersecurity to a federal agency. An industry organization, the North American Electric Reliability Corporation (NERC), publishes both mandatory and voluntary security standards, the report said.

In 2010, the U.S. House of Representatives passed the GRID Act, which would have given the Federal Energy Regulatory Commission the authority to protect the electricity grid. But the legislation did not pass the Senate, and the issue remains inactive in the House, the report said.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk
