Power company targeted by 10,000 cyberattacks per month

[CyberAbc 290]

 

 

A Congressional survey of utility companies has revealed that the country's electric grid faces constant assault from hackers, with one power company reporting a whopping 10,000 attempted cyberattacks per month.

US Reps. Edward Markey (D-MA) and Henry Waxman (D-CA) sent 15 questions to more than 150 utilities and received replies from 112 of them. Only 53 of those actually answered all the questions—the others provided incomplete responses or only "a few paragraphs containing non-specific information" without answering any of the questions.

Results from those who did answer show utilities are under continuous assault:

The electric grid is the target of numerous and daily cyberattacks.

• More than a dozen utilities reported “daily,” “constant,” or “frequent” attempted cyberattacks ranging from phishing to malware infection to unfriendly probes.
• One utility reported that it was the target of approximately 10,000 attempted cyberattacks each month.
• More than one public power provider reported being under a “constant state of ‘attack’ from malware and entities seeking to gain access to internal systems.”
• A Northeastern power provider said that it was “under constant cyber attack from cyber criminals including malware and the general threat from the Internet…”
• A Midwestern power provider said that it was “subject to ongoing malicious cyber and physical activity. For example, we see probes on our network to look for vulnerabilities in our systems and applications on a daily basis. Much of this activity is automated and dynamic in nature—able to adapt to what is discovered during its probing process.”

The good news is that none of these utilities reported damage to any of their computer systems. "However, there did not appear to be a uniform process for reporting attempted cyberattacks to the authorities; most respondents indicated that they follow standard requirements for reporting attacks to state and federal authorities, did not describe the circumstances under which these requirements would be triggered, but largely indicated that the incidents they experienced did not rise to reportable levels," Markey and Waxman wrote.

The utilities are a mix of investor-owned entities, municipal power companies, rural electric cooperatives, and "federal entities that own major pieces of the bulk power system."

Reps want Congress to boost grid security

Markey and Waxman revealed the results of their survey yesterday in a report titled "Electric Grid Vulnerability: Industry Responses Reveal Security Gaps." The report examines threats from both cyberattacks and geomagnetic storms. Markey and Waxman noted that "numerous security experts have called on Congress to provide a federal entity with the necessary authority to ensure that the grid is protected from potential cyber-attacks and geomagnetic storms. Despite these calls for action, Congress has not provided any governmental entity with that necessary authority."

The survey found that nearly all responding utilities comply with mandatory standards issued by the North American Electric Reliability Corporation (NERC), but most haven't implemented NERC's voluntary recommendations. The report states:

For example, NERC has established both mandatory standards and voluntary measures to protect against the computer worm known as Stuxnet. Of those that responded, 91% of IOUs [investor-owned utilities], 83% of municipally or cooperatively owned utilities, and 80% of federal entities that own major pieces of the bulk power system reported compliance with the Stuxnet mandatory standards. By contrast, of those that responded to a separate question regarding compliance with voluntary Stuxnet measures, only 21% of IOUs, 44% of municipally or cooperatively owned utilities, and 62.5% of federal entities reported compliance.

Markey and Waxman also found cause for concern in the power companies' readiness for geomagnetic storms. "Most utilities have not taken concrete steps to reduce the vulnerability of the grid to geomagnetic storms and it is unclear whether the number of available spare transformers is adequate," they wrote. "Only 12 of 36 (33%) responding IOUs, 5 of 25 (20%) responding municipally or cooperatively owned utilities, and 2 of 8 (25%) responding federal entities stated that they have taken specific mitigation measures to protect against or respond to geomagnetic storms. Most utilities do not own spare transformers."

There are numerous types of cyberattacks targeting the utility industry. Two US power generation facilities were infected by malware spread by USB drives plugged into critical systems used to control power equipment, we noted in a story in January. Last year, a provider of software that helps the energy industry remotely monitor and control sensitive equipment was targeted by "a sophisticated hacker attack that managed to penetrate its internal defenses."

Markey and Waxman noted that "Cyberattacks can create instant effects at very low cost and are very difficult to positively attribute back to the attacker. It has been reported that actors based in China, Russia, and Iran have conducted cyber probes of US grid systems, and that cyberattacks have been conducted against critical infrastructure in other countries."

In 2010, Markey and US Rep. Fred Upton (R-MI) introduced the GRID Act to boost security of the electric grid. It passed the House but not the Senate. The bill would have authorized the Federal Energy Regulatory Commission "to issue orders for emergency measures to protect the reliability of either the bulk-power system or the defense critical electric infrastructure whenever the President issues a written directive or determination identifying an imminent grid security threat." Markey is still pushing for passage of the act.