The next security threat

"The next security threat" Continued...

Issue: "On the road again," May 9, 2009

The difficulty, said Weiss, is that securing control systems isn't anything like protecting your PC. Traditional antivirus updates can cause a control system to crash. "And who did it? The corporate IT department. We have to protect ourselves not only from the malicious . . . but from the well-meaning."

To avoid crashes and outages, some electric companies say they're taking steps to make the power grid more resilient. Southern California Edison, which provides electricity to 13 million people in 180 cities, champions the latest utility buzzword: smart grid.

As a general term, smart grid refers to a type of control system technology-whether for electric, gas, or water-that allows two-way communication between a control center and remote devices. The feedback feature of the smart grid ought to make the power grid more reliable, allowing it to recover quickly from a malfunction or outage. Power-saving "smart meters" Obama has promoted (with the help of $4.5 billion in his stimulus package) incorporate this technology by bringing real-time analytics into homes and businesses, allowing power levels to be monitored and automatically adjusted. Around 2 million smart meters have already been installed, and an estimated 73 utilities have ordered 17 million more.

But last month, security firm IOActive announced that it had discovered a variety of ways to hack into the devices, which communicate wirelessly. Spokesman David Baker predicts a worst-case scenario would occur if "meters are attacked in a systemic fashion and a large number are instructed to turn off." By wresting control of smart meters, a hacker could hypothetically influence power levels in a region and trigger an outage. And since the meters are new, popular, and located on the customer end of electric supply, they're largely unregulated. (Asked about smart grid security, Southern California Edison provided WORLD with a statement saying its smart grid design "recognizes a wide variety of potential threats, and includes a number [of] protective measures designed to safeguard all layers of the system.")

Weiss believes it's a major problem that safety standards for electrical utilities have been developed and approved by the industry itself. He said cybersecurity regulation overlooks "distribution," the last leg in the journey of generated electricity, defined as the route between a substation and a customer. "There are no cybersecurity standards for the electric distribution system that goes to your home. Or buildings. Or hospitals."

Weiss is referring to the security standards of the North American Electric Reliability Corporation, or NERC, the regulatory body that oversees electric providers in the United States and Canada. NERC standards that were once voluntary gained some federal backing after the 2003 blackout, and today utilities face fines for overlooking rules. Even so, NERC oversight is sometimes limited by what utilities are willing to disclose. In an April 7 letter to industry leaders, NERC Chief Security Officer Michael Assante reprimanded utilities for under-reporting their ownership of "Critical Assets" and "Critical Cyber Assets"-structures and technology that, if compromised, could shut down power grids.

Assante warned that such infrastructure, not properly protected, might be hacked: "One of the more significant elements of a cyber threat . . . is the cross-cutting and horizontal nature of networked technology that provides the means for an intelligent cyber attacker to impact multiple assets at once, and from a distance." (NERC didn't return requests for comment.)

NERC will expand its cybersecurity auditing of utilities in July, but the industry's efforts at self-governance may be too slow and too late to ward off a federal hand. Dennis C. Blair, the Director of National Intelligence, told Congress in February that the past year had seen a growing number of infrastructure network "exploitations." His vague language may have been cover for real instances of infrastructure cyberattacks, instances that remain educated rumors outside the intelligence community.

"But we know some of our opponents are exploring them," says Lewis of the CSIS. "Could somebody do it? We don't want to find out the hard way."

Spy ring

Chinese cyberattackers at work

By Daniel James Devine

Manan Vatsyayana/AFP/Getty Images

An online ring of spies that invaded 103 countries was finally exposed last month, and you can thank the Dalai Lama for the tip-off. Gratitude ends there: The spies are still spying and have the startling ability to steal files and activate web cams on computers halfway around the world.

The cyber espionage network dubbed "GhostNet" was unearthed by a Canadian security group working for the Dalai Lama, the exiled Tibetan religious leader. He complained that the Chinese government knew about his personal appointments as soon as he did. The spies have successfully infiltrated some 1,300 private and government computers (though apparently none in the U.S. government) and are reportedly accessing a dozen more each week.

The Canadian group traced the ring's activity to computers based mainly in China but was unwilling to speculate on whether Chinese government officials or some other group was responsible. The level of sophistication suggests the work of an organized operation, not just a hacker's game.

Experts say many nations, including the United States, carry out some level of covert information-gathering in cyberspace. Chinese Foreign Ministry spokesman Qin Gang sharply denied his country's involvement in GhostNet: "Some people outside China now are bent on fabricating lies about so-called Chinese computer spies. Their attempt to tarnish China with such lies is doomed to failure."

Daniel James Devine
Daniel James Devine

Daniel is managing editor of WORLD Magazine and lives in Indiana. Follow Daniel on Twitter @DanJamDevine.


You must be a WORLD member to post comments.

    Keep Reading


    Troubling ties

    Under the Clinton State Department, influence from big money…