Infectious Computer Worms Are Sucking Energy And Money From Companies

From: Forbes

Ken Silverstein

It’s a stark reminder of the new world in which we are living: More than a dozen utilities are reporting that they are under routine attack — assaults that are coming in the form of malware and spyware that are worming their way through company control systems. How to cope?

The electric grid is a target. And it is a fat one. It is the vehicle by which electricity flows and it is therefore a critical economic asset. After all, keeping the lights on and maintaining commerce are fundamentals that preserve lifestyles and well-being. It’s estimated that a single brownout can cost as much as $10 billion, which comes in the form direct losses as well as forsaken opportunities, according to the Federal Energy Regulatory Commission, or FERC.

Current efforts to protect the transmission system from cyber attacks are comprised of voluntary actions that have been recommended by the North American Electric Reliability Corp. Legislation has previously been introduced to let FERC mandate actions to protect the grid. That bill failed last year to pass the U.S. Senate and the U.S. House has yet to consider it.

“Cyber-attacks can create instant effects at very low cost, and are very difficult to positively attribute back to the attacker,” says a new report by Representatives Ed Markey, D-Mass. and Henry Waxman, D-Calif. “It has been reported that actors based in China, Russia and Iran have conducted cyber probes of U.S. grid systems, and that cyber-attacks have been conducted against critical infrastructure in other countries.”

The analysis, titled Electric Grid Vulnerability, goes on to say that the U.S. Department of Homeland Security has processed 68 percent more cyber-incidents in 2012 involving federal agencies than it did in 2011. The report references one U.S. utility that says it was the target of 10,000 attempted cyber-attacks each month. It also points to the Saudi state-run oil company, Saudi Aramco, which lost 30,000 hard drives from such intrusions.

A fix is a must: The electrical transmission network serves more than 300 million people and it is comprised of 200,000 miles of wires, says the congressional study. It is valued at more than $1 trillion — assets that are primarily owned and operated by private entities and ones that are interwoven into the fabric of the entire American economy.

Consider: The Great Blackout of 2003 that began in FirstEnergy’s territory and which was the result of unwieldy trees that had interfered with the lines, all compounded by a computer system error. Ultimately, 50 million people stretching from the Mid Atlantic states to the Northeast and into Canada were affected. That cost $6 billion and 11 lives.

“A cyber attack perpetrated by nation states are violent extremists groups could be as destructive as the terrorist attack on 9/11,” says the former Secretary of Defense Leon Panetta, in a speech. “Such a destructive cyber-terrorist attack could virtually paralyze the nation.” Besides the Saudi’s Aramco, he says that Qatar’s RasGas suffered the same attack on its information systems, which he labels the “most destructive attack” seen yet in the private sector.

The renewed emphasis on cyber security is coming at a time when U.S. nuclear energy companies are informing regulators how they are safeguarding their “critical digital assets.” Nuclear power plants are enviable targets, says Booz Allen, a consultancy and public relations firm. It says that government statistics show that attempted cyber attacks against them are up 40 percent in recent years.

Outsiders are infiltrating those computer systems through unsuspecting workers, says David Cronin, principal of power generation for the firm. Malware and spyware, for instance, are invading control systems when employees download infected items and when they connect corrupted mobil devices to the company’s network. The best line of defense, says Cronin, is to install firewalls, apply patches and to always perform upgrades.

“The Nuclear Regulatory Commission wants plants to establish a monitoring station,” says Cronin, in a phone conversation with this reporter. “If I apply patches, I have to sanitize everything I have brought into a plant.”

Basically, the regulatory agency will audit utilities to determine if they have listed their critical digital assets and to assess how well they are protecting themselves from potential disruptions. If a company’s security has been breached, it must be immediately and fully remediated, says Cronin. Such invasions can range from mere nuisances to the forced closure of power plants. That could cost $1 million a day and potentially punitive fines levied by regulators.

President Obama has issued an executive order to enhance cyber security through public-private partnerships, the sharing of vital information and the implementation of risk-based standards. He has supported the Senate bill, which mandates protections for critical assets that are brought down or destroyed and that would lead to mass casualties, mass evacuations or financial collapse.

For their part, power companies are already supposed to certify with FERC that they have developed robust systems that can continue to generate and deliver power if attacked. To comply, they are describing their potential risks based on historical accounts. As with other businesses, utilities are also concerned about overreach. They prefer voluntary efforts, as opposed to those mandated by law, noting that as owners of the assets, they are naturally motivated to secure them.

“Sharing real-time information about malicious codes between the government and private sector can make a real difference in our ability to thwart bad actors,” says McAfee’s Phyllis Schneck. “But many in the private sector hesitate to share information because of concerns about liability.”

The United States has awoken to old-school terroristic assaults. But cyber attacks are insidiously infecting critical infrastructure assets both here and abroad. It’s a problem that all sides agree is pervasive. But it is also an issue that has yet to garner wide enough congressional support to warrant new federal mandates.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Leave a Reply

Your email address will not be published.

Please Answer: *