Cyberspies have hacked into power grid, officials say
— -- Federal regulators have warned lawmakers for more than a year that standards to protect the electric grid from computer attacks are inadequate, but Congress has yet to pass stronger safeguards.
Homeland Security Secretary Janet Napolitano on Wednesday acknowledged the power grid's vulnerability after The Wall Street Journal reported cyberspies have infiltrated the grid and left behind software that could be used to disable equipment.
"The vulnerability is something that the Department of Homeland Security and the energy sector have known about for years," Napolitano told reporters.
Last year, the Federal Energy Regulatory Commission approved eight cybersecurity requirements that utilities must implement this year. But the standard-setting process, set forth by Congress in a 2005 law, is slowed by red tape and gives utilities too much discretion, says Joe McClelland, director of FERC's office of electric reliability.
Under the system, the North American Electric Reliability Corp. proposes standards that FERC approves. But two-thirds of the group's members, largely utilities, must support each standard before it's adopted or modified, which can take years.
Also, power companies must identify critical equipment, such as generators, to protect from computer attacks. Yet, utilities have leeway on what to earmark. Many, McClelland says, omit equipment if they believe the risk of cyberattack is low and new security software would be costly. "There are loopholes," he says.
After a mock attack exposed grid vulnerabilities, the reliability group in 2007 issued an advisory urging utilities to take steps to protect the grid from cyberattacks. But a recent survey shows only 23% complied.
"We can have a bulletproof system and absolutely no one could afford the electricity," says Ed Legge of Edison Electric Institute, the industry's trade group. Still, he says, it's in utilities' best interest to have secure systems, and standards "are definitely going to be strengthened."
