Expert opinion differs widely over a report that the U.S. electric power-grid has been compromised by cyberspies, perhaps from Russia and China, who have installed malware so they can disrupt industrial control systems for electricity distribution in the event of a conflict.
While the American and Canadian grids are inter-connected, Ontario’s power distribution company, Hydro One, uses a closed system with no Internet access, said Rick Stevens, project director for the utility’s smart grid program, which includes meters that can be read over a WiMAX system.
North American Electric Reliability Corp, the industry group with responsibility for grid reliability and security for the United States and Canada, did not respond to a request for comment from Network World Canada, but posted a statement on its Web site that said “cyber security is an area of concern for the electric grid.” In its statement, NERC said it is “not aware of any reports of cyber attacks that have directly impacted reliability of the power system in North America to date,” but “there is definitely more to be done, and we look forward to continuing our work with the electric industry and our partners in U.S. and Canadian government to improve reliability standards ….”
Recently the Wall Street Journal claimed current and/or former government officials told it anonymously that “software tools left behind” in electric-grid systems could be “used to destroy infrastructure components” in the event of war.
Edison Electric Institute (EEI), an association of American generation companies, has no knowledge that the nation’s interconnected systems have been pervasively compromised by malware that could disrupt them, but a spokesman, Ed Legge, said there are no illusions that the grid is as safe or efficient as it could be.
“The cybersecurity issue is on our radar,” Legge said. “Computers come with that, and as we use them more and more with our systems, and they become more a part of providing electricity, we have to be concerned about it.” There’s a widespread expectation that in the U.S., the government and industry will eventually embrace the concept of investing in a modernized electric-power grid dubbed the “SmartGrid.”
The SmartGrid concept would both provide consumers with more information about their energy demands and provide an “over-riding communications platform and real-time access to transmission systems,” says Gregory Reed, professor of electrical-power engineering at the University of Pittsburgh, as well as a technical consultant with experience at Con Edison in New York City. “It would lead to better decisions about how we use electricity, and it’s a natural evolution of where technology needs to go.”
But it would need to include very tight security or it could become a potential entry point for attackers, Reed points out.
“We will have to build protection in to start,” agrees EEI’s Legge, noting the utilities strongly support the SmartGrid concept as a way to “provide more control and more visibility” over the power grid. “The idea is to make things work better and get efficiencies and reduce costs,” says Legge. “We’ve treated electrons like they grow on trees. We need to manage things better.”
In Ontario, Hydro One is implementing Advanced Metering Infrastructure (AMI), which includes the ability to read meters remotely, allow customers to adjust appliances and thermostats wirelessly and alert Hydro One to power outages in real time.
Whether smart meters could make it easier for cybercriminals using the Internet to vandalize the power system depends on several factors, said James Quin, senior analyst at Info-Tech Research Group of London, Ont.
“The big question is what kind of software (specifically operating system) these ‘smart meters’ are running?” Quin wrote in an e-mail responding to questions from Network World Canada. “If they are using something commercial, there is a higher likelihood that a problem could be presented since the code is somewhat readily available. If they are using something completely proprietary, the risk is significantly reduced since cyber criminals would need to have access to the code to find problems in it that could be exploited.”
Quin said he is not aware of any potential threats to automated devices controlling power distribution in Canada, but that does not mean there are no threats. It would depend on how the devices are networked, how they are managed and whether they are on open or closed networks.
Hydro One’s Stevens said the utility does not put any applications on the network “until they’re fully secure.”
“We are using private networks,” he said in an interview with Network World Canada. “This is not an internet based application by any stretch.”
Hydro One’s smart meters use the RedMAX 4C hardware, made by Markham, Ont.-based Redline Communications Group Inc.
When smart meters are on a completely closed network, “the threat is significantly reduced,” Quin wrote. “A cyber criminal would literally have to hack the physical infrastructure before hacking the electronic infrastructure – not necessarily an easy thing to do.”
Reed expresses doubts regarding claims of a pervasive compromise of the U.S. electric grid that would allow an attacker to disrupt it through malware.
“It doesn’t seem feasible from what I know,” Reed said. No real-time control of the electric grid is coming from the Internet, he says. “It’s firewalled and on separate systems,” says Reed. “We’re not operating these systems on the Internet.”
But he does think that if there is espionage, it “won’t reveal more than how the network is connected, and being able to map the infrastructure is not a threat without knowing how the system is operated and controlled.” He adds that some of this information, though not in great detail, is available publicly already from the U.S. Dept. of Energy and the Federal Energy Regulatory Commission.
Others, though, say the assertions about cyberspies infiltrating the power grid through malware are true and “should be a wake-up call.”
Alan Paller, director of SANS Institute, a security training and information center that has worked closely with utilities operating Supervisory Control and Data Acquisition (SCADA) systems as well as government agencies, says the potential for a massive cyber-attack on the power grid is real. Paller says some in the industry may be in denial about it, but “the Wall Street Journal article may be the first step in a 12-step program for utility executives.”
“The management of the utilities do need real-time monitoring of what is happening inside the plants so those systems have to feed data out,” Paller notes. “But there should be absolutely no way to feed data in.”
Security vendors that have utilities as customers have a mixed reaction to the claims about a pervasive compromise of the U.S. grid.