A new report released Tuesday by a group of national security experts calls on Congress to immediately pass legislation that would enable real-time information sharing between the government and the private sector on cyber threats to the nation’s electric grid.
The report by the Center for the Study of the Presidency and Congress — led by former White House Chief of Staff Thomas McLarty III and former Homeland Security Secretary Tom Ridge — traces in great detail the technological changes fundamentally transforming the electric industry and warns those same technologies are creating new vulnerabilities for the “most critical of critical infrastructure” in the nation.
“Paradoxically, as the grid is increasingly networked—thus increasing efficiency and overall situational awareness—it becomes increasingly vulnerable to intrusions from cyberspace,” the report states. “As smart grid technologies are installed, there will be a greater number of access points to the grid networks, requiring increased security awareness by utilities, device manufacturers, and the general public.”
“The grid is moving from the Edison era into the Google era,” Dan Mahaffee, the project co-director, said during a press conference Tuesday. “How do we secure a grid that is having new technology attached to it? We’re creating a broad amount of new threat vectors into critical infrastructure installing this technology. We’ve seen it with the spam botnet that was running on smart refrigerators. And when we begin to connect our toasters and toothbrushes to the smart grid how do we ensure that those standards of security are met?”
As one example of the electric grid’s increasing complexity, the report highlights a future in which electric cars will connect to a smart grid and transfer unused electricity back into the grid. “Car companies will very soon be part of the grid security discussion,” Mahaffee said. “We need to begin those discussions now as the technology is developed, rather than waiting for the day after.”
The 178-page report outlines a dozen short- and long-term recommendations for improving the security of the nation’s electric grid, focusing primarily on improving real-time information sharing on cyber threats between the government and the private companies that own and operate the grid. In particular, the report calls for Congress to “resolve the deadlock that has stymied” cybersecurity legislation.
“The sense of urgency seems to be missing on some of these issues,” Ridge said. “This concern has been out there and escalating year after year after year. And there are more and more attacks…and the sophistication of attacks is getting greater and greater. And we’re still sitting around talking about it. But at the end of the day, I really think that information sharing is a very, very significant first step.”
House Intelligence Committee Chairman Rep. Mike Rogers, R-Mich., and ranking Democrat Rep. Dutch Ruppersberger, D-Md., threw their support behind the report’s recommendations, appearing with Ridge at the press conference Tuesday. Both warned of the increasing cyber threat posed by nation states, particularly Iran and China.
Rogers referred to private security assessments that have shown nation states are actively hacking into U.S. electric companies and lying in wait with “the option to use” their access. “The sheer level of the threat and sophistication of the threat has grown exponentially,” Rogers said. “Not doing anything is no longer an option.”
According to Rogers, the best thing the government can do in the short term is pass legislation that would provide industry with liability protection so it can engage with the government in real-time information sharing.
Ruppersberger likened the electric grid to the country’s Achilles’ heel. “If we don’t start dealing with what this report talks about, our energy [sector] is going to be attacked,” he said. “We’re not [trying] to scare anybody. These threats are for real.”
In 2007, researchers at the Idaho National Lab conducted the Aurora test, in which a computer virus manipulated the network systems that controlled diesel generators. The test demonstrated for the first time the ability of hackers to use malware to cause physical damage to components of the electrical grid.