Experts assert that the U.S. grid—already proven by federal agencies to be vulnerable to cyber attacks—has been compromised by spies who tried to map the system and left bugs that could be used to disrupt networks at a time of war or crisis.

The Wall Street Journal, which broke the news last week, cited current and former national security officials as it reported that the spies came from China, Russia, and other countries. It said that the intruders did not want to damage the grid or other key infrastructure. A former Department of Homeland Security (DHS) official told the newspaper, “There are intrusions, and they are growing. There were a lot last year.”

The DHS estimated that more than 60,000 cybersecurity breaches had been reported in fiscal 2008, according to the newspaper. A majority were by individuals, but about a fifth were by governments.

Last year, according to The Wall Street Journal, a senior Central Intelligence Agency official told utilities in New Orleans that a cyberattack had taken out power equipment in multiple regions outside the U.S. The attack was followed by extortion demands.

Regulatory agencies have been ramping up cybersecurity since the August 2003 blackout, which shut down 62,000 MW of generation capacity in eight U.S. states and Ontario, and cost businesses an estimated $13 billion in productivity.

An estimated $11 billion from the economic stimulus bill that President Barack Obama signed this February is dedicated to enacting standards for the smart grid and funding test cases.

New rules have also taken effect: The Federal Energy Regulatory Commission (FERC) in January 2008 approved standards for Critical Infrastructure Protection (CIP) put forth by the North American Electric Reliability Council (NERC), a quasi-public grid watchdog, to secure North American bulk power systems. (See “Focus on O&M” in POWER’s March issue for details.)

Later, after the House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology lambasted the self-regulating agency for not doing enough to address vulnerabilities, NERC also announced six measures to improve cybersecurity. These included setting up a new program for CIP and hiring a new task force.

But in a letter to industry stakeholders last week, NERC Chief Security Officer Michael Assante expressed concern that many assets that qualified as “critical” had not been identified. He said that a survey had shown that 29% of generation owners and operators and fewer than 63% of transmission owners had identified at least one critical asset.

“Most of us who have spent any amount of time in the industry understand that the bulk power system is designed and operated in such a way to withstand the most severe single contingency, and in some cases multiple contingencies, without incurring significant loss of customer load or risking system instability,” he wrote. “This engineering construct works extremely well in the operation and planning of the system to deal with expected and random unexpected events. It also works, although to a lesser extent, in a physical security world. In this traditional paradigm, fewer assets may be considered ‘critical’ to the reliability of the bulk electric system.”

“But as we consider cyber security, a host of new considerations arise. Rather than considering the unexpected failure of a digital protection and control device within a substation, for example, system planners and operators will need to consider the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations.”

One cybersecurity expert told POWER that NERC should have declared all utility assets as “critical” and then forced utilities to prove they weren’t. That approach, though more time-consuming and expensive, would have prevented many utilities from sidestepping the NERC CIP guidelines by declaring their assets noncritical.

Sources: The Wall Street Journal, POWER, NERC