For nearly five years, the US government has struggled to guard the nation's electric grid, drinking water, and other critical infrastructure from cyberattack. But as hackers continue to infiltrate such systems, and as reports surface of a surge in computer attacks on the electric grid, experts and lawmakers have an urgent message for the Bush administration: Cybersecurity defenses need an overhaul.
US lawmakers are pressing for a new approach that focuses more on systems that can rebound if infiltrated than on building ever-stronger "firewalls" to keep hackers out.
On Tuesday, lawmakers on a House Homeland Security subcommittee are expected to unveil a blue-ribbon commission charged with developing a new national cybersecurity strategy in time to offer the next president.
The Bush administration, meanwhile, is close to unveiling a new cybersecurity approach of its own, an administration official told the Monitor. National Security Agency expertise may be deployed to help protect vital control systems of the electric grid and other key infrastructure, The Baltimore Sun reported last month.
"Times are changing very quickly here, and cybersecurity that was good enough even a couple of years ago – the strategy and approach – is obsolete," says Scott Borg, director of the US Cyber Consequences Unit, a nonprofit security think tank that advises government and industry.
"We do have a growing problem as our adversaries focus on critical infrastructure," concurs Amit Yoran, CEO of Netwitness, a network security firm, and former director of DHS's National Cyber Security Division. In the event of a cyberattack on any critical piece of infrastructure, "what we need is a layered defense in which the overall system is still available – and not a systemic failure."
Both men have been tapped to serve on the new congressional commission.
Driving such concerns are reports that malicious attacks are rising on specialized computer-control systems that open and shut valves on natural-gas pipelines, throw circuit breakers on power lines, and make telecommunications and defense networks, nuclear-power plants and hydro dams do their jobs.
If hackers half a world away break into and commandeer these "supervisory control and data acquisition," or SCADA, systems, then the US grid, pipelines, and other key infrastructure connected to the Internet are vulnerable to interruption or damage, experts say.
Danger to SCADA systems for the electric grid, for instance, was highlighted in a 2002 National Research Council report. At a key meeting in July 2003, officials from the US Department of Energy, DHS, the national laboratories, and other agencies convened to develop a national cybersecurity plan.
Despite that and other efforts since 9/11 to protect control systems from cyberattack, "the federal government lacks an overall strategy for coordinating public and private sector efforts," the Government Accountability Office (GAO) reported to Congress earlier this month.
Some experts describe a patchwork defense that has many gaps – and they note that malicious attacks, directed in particular at the electric grid, are growing.
Internet attacks on the 100 electric utility clients protected by SecureWorks, an Atlanta-based cybersecurity firm, leaped 90 percent this year – from 43 attacks per utility per day at the beginning of the year to 93 since May, company officials reported this month. That's about double the rate for other industries SecureWorks protects.
The US has been "in a race against time" since early 2005, when the attention of "black hat" hackers shifted to focus more on probing and exploiting SCADA control-system weaknesses of electric utilities, says Mr. Borg. Yet lights have mostly stayed on – a testament to the notion that industry and government still appear to be ahead in the race.
In a bid to plug gaps, the National Electric Reliability Corp. (NERC) in June was put in charge of grid reliability. It has proposed eight new cybersecurity requirements that are already being adopted by the electric-power industry. Those standards, though, were attacked as inadequate by experts during an Oct. 17 congressional hearing.
Known examples of hackers infiltrating the grid and taking parts of it down are rare. Such cases exist, security experts insist, though nondisclosure contracts prohibit them from talking about them to the press.
A year ago, Ira Winkler, a security expert taking part in an exercise to test the cyberdefenses of a nuclear-power plant, used his computer to hack into the plant's control system. After a few hours, the whole thing was called off because the "simulation" was too successful. Mr. Winkler had wrested control of key systems from plant engineers and could do what he wanted with the plant.
"A lot of people have stock answers saying everything's just fine, but the point is, if the underlying systems are vulnerable, that's all there is to it," says Mr. Winkler, a former NSA cryptanalyst who is now president of Internet Security Advisors Group, an Internet security company.
In March 2005, security experts in the electric utility industry reported hackers were targeting the grid and had gained access to control systems, the GAO said last year. In a few cases, the cyberintrusions "caused an impact," although no serious damage occurred, it said.
Even so, a video released last month illustrates the potential danger to the power grid, experts say. In the past, most had imagined that a cyberattack might, at worst, shut down patches of the US grid for a few days. But the video – which shows a demonstration by the Idaho National Laboratory – depicts a large electric generator shaking violently, spraying metal parts, and spewing smoke before grinding to a stop.
The method of attack used in that demonstration could be replicated to destroy more and larger equipment, several experts say. Damage from such an attack would not be easy to repair quickly, because parts such as turbines are often huge, take a long time to build, and are made mostly overseas.
"There's a great danger right now that government will spend a lot of money trying to provide better perimeter defenses around the e-mail systems of government, when they should be thinking a lot more about critical infrastructure like the grid," Borg says.
A destructive attack could darken parts of the US for months, costing hundreds of billions of dollars and many lives, Borg's group estimates.
As soon as the vulnerability was identified, DHS alerted electric utilities nationwide and provided a fix. But it is not clear how widely the utilities applied the "mitigation measures" in the six months since the video, or even whether the NERC has the power to order a mandatory patch, says an Oct. 17 letter to the Federal Energy Regulatory Commission from Reps. James Langevin (D) of Rhode Island, Michael McCaul (R) of Texas, and Sheila Jackson-Lee (D) of Texas.
"We got the information into the hands of people that needed to know it," says Robert Jamison, DHS undersecretary for National Protection & Programs. "Currently, [utilities] are not required [to respond], but industry does have a vested interest in these mitigations. We'll continue to monitor to see if we need to make it a requirement."
A spokesman for the electric industry says the industry is working hard on the cybersecurity issue and is moving at full speed to implement necessary fixes.
"Anytime we're adding something that's important enough to have effects on the system, reliability is the key issue," says Ed Legg, a spokesman for the Edison Electric Institute, which represents investor-owned utilities that supply 70 percent of the nation's power. "There is every incentive to do this. Our members are taking it very seriously."