Russian and Chinese cybercriminals penetrated the U.S. electrical grid, leaving behind malware that could disrupt the system.
The potential for attack on the nation's power grid is fueling alarm in the cybersecurity community, with experts warning that the federal government should act quickly or face the consequences of having the nation's infrastructure crippled by cybercriminals abroad.
"This is the American way of life that is being threatened," said Alan Paller, director of research at the SANS Institute, a Bethesda, Md.-based nonprofit cybersecurity research group. "We need continuous automated monitoring and real oversight of these critical systems and it needs to be a top priority."
Current and former national security officials told The Wall Street Journal that malware discovered on electrical grid computer systems suggests that someone abroad could damage the system in a time of war or during a national security crisis in the United States. In addition to the nation's power grid, nuclear power plants and water and sewage systems are also at risk. Financial networks could also be disrupted.
The nation's power grid and other critical infrastructure are connected to networks and systems that have indirect access to the Internet and can be penetrated by attackers. From there, a sophisticated hacker could make their way into a critical system, Paller said. In February a consortium of federal agencies released a draft of the Consensus Audit Guidelines (CAG), a list of 20 cybersecurity controls that organizations should use to defend against attacks. Paller said power systems should be immediately tested against those 20 critical controls and penetrated computers should be replaced.
"The separation of the power grid from the Internet was part of the design, but in reality there are typically interconnection points," said Ed Skoudis, founder and senior security consultant with InGuardians Inc. Skoudis was the technical editor who helped pull together the CAG list from guidelines issued by the National Institute of Standards and Technology (NIST) and other organizations.
Making matters worse, experts say, is the power grid's mixture of complex legacy systems and aging equipment with different communication protocols. Power companies are investing in modernization, deploying millions of automated metering systems, designed to increase automated command and control of the power grid and reduce the need to send out an agent to physically monitor power consumption. But Skoudis said the systems are not being fully vetted for security by independent testers. The federal stimulus law includes $4 billion in funding that could go toward deploying automated metering systems.
"These smart meters are accessible via wireless and some of them are accessible via the Internet," Skoudis said. "It's just another access point for someone to attack and exploit."
One way to respond to the threat is by increasing the powers of the North American Electric Reliability Corporation (NERC), said SANS' Paller. NERC, an organization of U.S. electrical grid operators, oversees standards for the industry. Paller said NERC could be transformed from an industry association into a powerful regulatory body that oversees cybersecurity issues and tests energy companies for compliance with a set of standards.
NERC may be a good starting point, said Tim Belcher, chief technology officer of network security monitoring firm NetWitness, which has a number of federal government contracts. Belcher has led assessments of various power and utility supervisory control and data acquisition (SCADA) networks and said he is not surprised that compromises exist.
"We've known that energy command and control networks are valuable targets and are actively being probed," Belcher said. "In general security in those environments has focused on limiting access and not providing security in depth, taking a look inside the network of what can be controlled."
Congress has not been silent on cybersecurity issues of late. Legislation is being debated that creates a cybersecurity advisor in the White House and strengthens cybersecurity regulations for the private sector. The proposed legislation would require a complete threat assessment for both government and private systems. Organizations that own pieces of the nation's critical infrastructure would also have to follow federal security standards.
NetWitness' Belcher said the best defense is continued and pervasive monitoring.
"People in the industry are very aware that disconnecting is not an option and they need to focus on perimeter controls, but it's difficult to implement security in-depth because they have very diverse and aging equipment," he said.