Security holes in power grid have feds scrambling

April 30, 2014 Facebook Twitter LinkedIn Google+ Apocalypse,Economic News

Security holes in power grid have feds scrambling

By: Evan Halper

April 30, 2014

WASHINGTON — Adam Crain assumed that tapping into the computer networks that power companies use to keep electricity zipping through transmission lines would be nearly impossible in these days of heightened vigilance over cybersecurity.

To his surprise, it was startlingly easy.

When Crain, the owner of a small tech firm in Raleigh, N.C., shared the discovery with beleaguered utility security officials, the Homeland Security Department began sending alerts to power-grid operators, advising them to upgrade their software.

The alerts haven’t stopped, because Crain keeps finding new security holes he can exploit.

“There are a lot of people going through various stages of denial” about how easily terrorists, or anyone, could disrupt the power grid, he said. “If I could write a tool that does this, you can be sure a nation state or someone with more resources could.”

In Congress, the vulnerability of the power grid has emerged as among the most pressing domestic security concerns. It is also among the most vexing.

At times, lawmakers appear to be working at cross purposes. Some want to empower regulators to force specific security upgrades at utilities.

Others are attacking whistle-blowers and the media, demanding an investigation into disclosures of how easily the country’s power grid could be shut down.

The magnitude of the problem is underscored by insurance giant Lloyd’s of London, whose appraisers have been making visits lately to power companies seeking protection against the risk of cyberattack. Their take-away: Security at about half the companies they visit is too weak for Lloyds to offer a policy.

“When Lloyds won’t insure you, you know you’ve got a problem,” said Patrick Miller, founder of the Energy Sector Security Consortium, a Washington, D.C.-based nonprofit that advocates for tougher cybersecurity measures for the electricity industry.

The challenges are compounded by lingering tensions between federal law enforcement and the industry. Each accuses the other of being territorial and evasive, neglecting to share confidential incident reports, intelligence analyses and other sensitive data.

Power companies, eager to keep regulators at bay, find themselves in a bind. They need to show quickly that they are equipped to protect the grid against outside attacks. They warn that the grid is so massive, complicated and fragile that any tinkering needs to remain the responsibility of those who operate it day to day, not well-intentioned but inexperienced federal regulators.

“The notion of … a single government agency giving an order to direct changes in the grid is extremely dangerous,” said Gerry Cauley, chief executive of North American Electric Reliability, the quasi-governmental organization through which utilities manage the power grid.

Even security experts who criticize Cauley’s organization for moving too slowly agree his argument has merit. The problem, said Scott White, a security technology scholar at Drexel University in Philadelphia, is that “you are basically dealing with these monopolies that are determining for themselves which expenditures are a priority. Security has not generally been one.”

Utilities deny they’ve ignored the problem, pointing to the billions they say they’ve spent to upgrade outdated computer systems and close security holes.

Read rest of article here…