Electric Grid Is Vulnerable To Cyber-Attacks
Computer networks controlling the electric grid are plagued with security holes that could allow intruders to redirect power delivery and steal data, the Energy Department warned in a recent report.
Many of the security vulnerabilities are strikingly basic and fixable problems, including a failure to install software security patches or poor password management. Many of the fixes would be inexpensive, according to the Idaho National Lab, an Energy Department facility that conducted the study.
The report reinforces concerns that intelligence officials have raised in recent years about growing surveillance of the electric grid by Chinese and Russian cyber-spies, which The Wall Street Journal reported last year. One worry is that a foreign country could shut down power in parts of the U.S.
The report’s release comes hot on the heels of a report from Siemens AG, the German engineering firm, which said it had detected an attack targeting critical infrastructure, the collective term for systems such as electric grids, subways and air-traffic control. Siemens issued a tool to detect and fix the security gap July 22, an unusual acknowledgment of the threat. The company said none of its customers has sustained damage.
“The Siemens attacks from a couple weeks ago, in addition to evidence from several private firms that utilities are being attacked…change the imperative,” said Alan Paller, director of research at SANS Institute, a cyber-security training group. He suggests the U.S. needs to adopt a more urgent response.
The Energy report is based on the findings of 24 assessments of computer-control systems performed between 2003 and 2009. It was completed in May, released July 22 on the Energy Department’s website and first noted by Steven Aftergood, a government secrecy specialist at the Federation of American Scientists.
The security gaps highlighted include “well-known unsecure coding practices” for software used by these control networks, and permitting an “excessive” number of portals access into the networks.
“Poor code quality leads to vulnerabilities and bugs in the code that not only make it vulnerable to attack, but also fragile and unstable,” the report said.
Ineffective passwords are also a major problem, the report said. That issue was borne out in the Siemens attacks, because the attack software took advantage of preset passwords that Siemens advised clients not to change. “Passwords are often the weakest link,” the report said.
A lack of sufficient encryption for communications lines used by these computer networks was another security gap the report identified, with the warning that “unfortunately there is no drop-in replacement currently available.”
Databases that archive information about the systems were also vulnerable to penetration, the report found.
Such security gaps have been known inside security circles for years, but it is unusual for a government agency to publicly acknowledge them.
“We have so many known vulnerabilities that have not been patched,” said Mischel Kwon, a former senior Homeland Security official and now a vice president at computer security company RSA. “The report offers common sense and best-practice recommendations that have been available for years.”
By Siobhan Gorman, Wall Street Journal