Information Security News mailing list archives

Experts debate U.S. power grid's vulnerabilities to hackers


From: InfoSec News <isn () C4I ORG>
Date: Sat, 3 Mar 2001 04:13:44 -0600

http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-88_STO58300,00.html

By DAN VERTON
March 02, 2001

Nationwide rolling blackouts could have a devastating impact on the
economy, but experts also fear that the stress being placed on the
nation's power grid could make it more susceptible to disruptions from
hackers.

In California's Silicon Valley, large Internet data centers have been
blamed for stressing the region's power grid beyond what its Korean
War-era design can handle. Now, other states, including Oregon, Utah
and Washington, are preparing for possible rolling blackouts.

"From a cybersecurity perspective, the electric power grids in the
West are now more fragile, [and] margins for error are significantly
less," said Tim Bass, CEO of The Silk Road Group Ltd., a network
security consulting firm in Centerville, Va. "With diminishing margins
and power reserves, the probability for cascading catastrophic effects
are higher," said Bass, who is also a longtime information security
consultant for the U.S. Air Force.

The recent power shortages come as the Critical Infrastructure
Assurance Office (CIAO) of the U.S. Department of Commerce on Feb. 22
delivered to Congress the first status report on private sector
efforts to bolster cyberdefenses for systems that run critical sectors
of the economy. Although progress has been made in improving
information sharing, officials acknowledged that they still know very
little about how failures in one sector could affect the others.

"In the context of broader infrastructure assurance, the scale and
complexities of the energy infrastructure and their impact on
infrastructure security and reliability are not fully understood," the
report states.

The energy industry continues to be the target of Internet-based
probes and hacker attacks that seek to exploit known vulnerabilities
in off-the-shelf software and systems that are increasingly being used
to control and manage the power grid, according to the CIAO report.

Likewise, the sector continues to fall victim to poor personnel
security practices, ports and services that are open to the Internet,
outdated software without current security patches and improperly
configured systems.

"With the system itself teetering on the brink of collapse, it becomes
easier for a smaller incident to have a wider impact," said David
Thompson, a security analyst at New York-based PricewaterhouseCoopers.
"For instance, if someone were to find a way to force the shutdown of
a single power plant or a section of the power grid, the results would
be much more devastating, since there is not enough reserve capacity
to take up the slack."

In addition to the technical risks, analysts said they're also
concerned about the publicity generated by the recent crisis in
California and the possibility that hackers may try to exploit known
vulnerabilities to make a bad situation worse.

"One risk with a situation like this is that it exposes the flaws of
the system to public scrutiny," said Thompson. "It shows everyone how
vulnerable our economy is to a power disruption. Like it or not, there
are people in the world [who] pay attention to such revelations."

"Any time the visibility of a system is raised, it acts as an attack
magnet," said John Pescatore, an analyst at Gartner Group Inc. in
Stamford, Conn. Pescatore recommended that companies, particularly
utility companies, treat the power crisis as a signal to begin
stepping up network monitoring and security operations. Although he
downplayed the likelihood that a cyberattack could lead to widespread
power failures, Pescatore characterized the link between the stress
level on the power grid and its vulnerabilities as "like blood in the
water to a shark."

"Hackers smell weakness and a chance for their 15 minutes of fame,"
said Pescatore.

But electric companies have made significant progress in stepping up
their security preparedness and have also set up an Information
Sharing and Analysis Center to enable system administrators to share
information with the FBI's National Infrastructure Protection Center,
said Gene Gorzelnik, a spokesman for the North American Electric
Reliability Council in Princeton, N.J.

"When a transmission system is stressed, the system operators and
security coordinators are operating at a heightened level of alert so
they can quickly address and return the transmission system to normal
from any situation that may occur," said Gorzelnik. "The electric
system can withstand sudden disturbances such as electric short
circuits or unanticipated loss of system elements. This was the case
decades ago, and it is still true today."

ISN is hosted by SecurityFocus.com