Cyberthreats Rising Against Electric Grid

A government investigation warns that Internet hackers pose a threat to the nation's power grids, transit systems, pipelines and water plants. CBS

The electricity grid, power plants and refineries face increasing threats from computer hackers who could cause major disruptions and economic chaos, congressional investigators say.

Private industry and government are paying more attention to cybersecurity. But the Government Accountability Office said control systems at such critical facilities "are more vulnerable (today) to cyberattacks than in the past."

A number of key systems have already been infiltrated, reports CBS News correspondent Bob Orr:

  • The "Sobig" computer worm temporarily stopped trains on the East Coast in 2003.
  • Last year, hackers scrambled Los Angeles traffic computers triggering big-time tie-ups.
  • Another foreign-based hacker breached security at a Harrisburg, Penn., water plant.
  • Two pumps at an Alabama nuclear plant were shut down when excessive computer activity swamped its control system.

    Among the reasons are the extensive use of the Internet and the systems' links.

    Read the GAO's full report here.
    Greg Wilshusen, the agency's director of information security issues, told a House Homeland Security subcommittee Wednesday that the government has improved the security of power lines, nuclear plants, refineries and power stations.

    Yet, he added, "there is yet no overall strategy to coordinate the various activities across federal agencies and the private sector."

    The agency and several lawmakers said the Homeland Security Department is not doing enough to spread word about adequate standards for cybersecurity and threat information.

    "Since 9/11, we've had a great deal of emphasis on gates, guns, and guards," said CBS News security consultant Paul Kurtz, "and cyber security has been, frankly, neglected."

    "The cyber-risk to these systems is increasing," agreed Rep. James Langevin, chairman of the subcommittee on emerging threats, cybersecurity and science and technology. "If this administration doesn't recognize and prioritize these problems soon, the future isn't going to be pretty."

    Langevin, D-R.I., noted the recent disclosure that government scientists at the Energy Department's Idaho National Laboratory were able to hack into a simulated power plant control system and cause an electric generator to destruct.

    While the test was conducted on a small-scale system, experts said it showed that a similar attack potentially could disable huge generators and other equipment essential to power production.

    But Texas Rep. Michael McCaul, the subcommittee's top Republican, said the simulated attack last March was "a good news story" because it disclosed vulnerabilities. He said changes and improvements were made to reduce the risk. "We found it. ... We fixed it," McCaul said.

    Greg Garcia, assistant secretary for cybersecurity, told lawmakers that "we've known for some time that there are (cyber) vulnerabilities." He said Homeland Security is working with other agencies on standards and guidance to protect critical control systems.

    Rep. Zoe Lofgren, D-Calif., pressed Garcia on what the department is doing to get more stringent standards to industry. Garcia said issuing such standards was a job for the Federal Energy Regulatory Commission.

    "Our role is one of coordination," he said.

    Lofgren said that was not the intent of Congress when it created the department. "We haven't made any progress in the cybersecurity side for a long, long time," she said.

    The commission is considering more stringent standards for the electricity industry that a quasi-industry group, the North American Electric Reliability Corp., is developing.

    Joe Weiss, a cybersecurity consultant, said private industry should have to comply with tougher standards that already apply to the government's critical infrastructure.

    But David Whiteley, the group's executive vice president, said its proposed standards "represent a significant improvement of cybersecurity for the electricity industry."
    • CBSNews

    Comments