In recent months, U.S. utilities, manufacturers, and technology firms received $3.4 billion as part of the economic stimulus package. These funds have been allocated to help modernize the country’s electric power system and increase energy efficiency. However, as these "smart-grid" grants continue to be awarded, questions are being raised about how to safeguard smart meters and other critical infrastructure from cyber attacks.

The threat of cyber attack is increasingly coming from a new breed of hacker that understands cyber vulnerabilities and how to exploit them. This next generation of hackers plays by a new set of rules.

Emerging Threats and the Potential Impact on U.S. Smart Grids

The rising threat of cyber attacks on the U.S. electric grid has become a pervasive theme over the past year.

On November 8, 2009, 60 Minutes aired a revealing episode discussing the vulnerabilities of the power grid and other critical infrastructure. The 60 Minutes episode, along with FBI reports, confirmed that hackers had targeted and compromised large banks and other companies, resulting in significant financial losses and reputational damage. The banking industry is generally regarded as being more secure than any other, lending credence to the suggestion that the exposure to cyber attack is real for other industries, including U.S. energy, water, and electrical power sources.

Today’s new breed of hacker, who is sophisticated, educated, and well funded, may have less difficulty getting into a utility or energy company’s network and staying there undetected. For U.S. utilities, a cyber attack could be catastrophic to a multibillion dollar smart grid investment.

Operational Systems Vulnerabilities

Studies have shown that the operational systems used to monitor and control U.S. smart grid infrastructure are far more susceptible to cyber terrorists than previously thought.

These systems include Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS). The energy and utility industry runs several kinds of SCADA and DCS systems, including the essential energy management systems that control the power grid.

SCADA systems, which have been in place for years, are increasingly subject to cyber attacks, as many are built around legacy technologies with weaker protocols that are inherently more vulnerable. In addition, these systems and their underlying networks have increasingly been interconnected to improve access to management and operational data. Since 2000, the number of successful cyber attacks against SCADA systems at power generation, petroleum production, nuclear, and water treatment facilities has increased tenfold. In fact, the North American Electric Reliability Corporation announced the week of April 5, 2010, that an electric utility in Texas had been attacked from Internet address ranges outside of the U.S. We are aware of numerous other attacks against electric and gas utilities that have not been widely publicized.

Proposed Legislation Aimed to Protect U.S. Utilities from Cyber Attacks

As the incident rate for cyber attacks on U.S. utilities continues to climb and threats against critical infrastructure become more likely, Congress is now considering numerous bills to strengthen the Federal Energy Regulatory Commission’s ability to impose cyber security rules and potentially establish an Office of the National Cyber Security Advisor.

The proposed legislation aims to protect various types of critical infrastructure, with electricity generation, transmission, and distribution topping the list.

Understanding Current Cyber Attack Trends and Latest Defensive Countermeasures

While the government getting more involved in the fight against cyber terrorism will certainly serve as a strong deterrent for would-be attackers, it will be crucial for utilities and smart grid operators to gain a deeper knowledge of current cyber attack trends and the most effective methods for guarding against these threats.

Today’s hackers are not only sophisticated, but they are becoming incredibly patient. Instead of trying to hack directly into the smart grid, they may circumvent the technical controls by targeting a specific user within the utility.

For example, to get into a utility’s network, a hacker could potentially go to work for a business that sells products or services to the utility, which would allow them to have regular e-mail communications with the utility’s procurement office. Once the hacker has established a trusted business relationship with the procurement office, they could send an e-mail carrying advanced malware or a Trojan horse. The malware then opens a virtual tunnel from the hacker’s computer directly to the procurement office employee’s computer behind the company firewall. At that point, the hacker can access the company’s network without being detected and use this system as a launch point for further attacks.

While this may sound like an extreme hypothetical situation, similar attacks have already occurred. The threat becomes even more concerning in the context of the smart grid. A smart grid in any major city could encompass several million customers, giving hackers millions of potential access points into the network.

The traditional approach to defending against this type of attack has been to take the compromised system offline, bring in a forensics team to conduct imaging work, and shut down everything around it to protect the network as quickly as possible. The problem with this approach is that immediately shutting down a hacker’s backdoor into the network may cause them to lie dormant for months. This long period of inactivity could give network managers a false sense of security and prevent them from identifying what other systems have been compromised.

Utilities must take a more strategic approach. Once a compromised system has been flagged, the idea is to make it appear that you haven’t found it yet so that hackers continue to operate freely, giving utilities the opportunity to monitor their actions, identify where they’re coming from, and determine what other systems have been breached.
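Monitoring a flagged system rather than pulling it offline only works if the defender can first spot the tunnel and see where it goes. As an added illustration (not part of the original commentary and not PricewaterhouseCoopers’ code), the following Python script scans constructed firewall log lines for an internal host that reaches the same external address at machine-regular intervals, the tell-tale timing of a backdoor phoning home, and reports that address so analysts know where the traffic is going. The log format, the addresses and the RFC 1918 internal ranges are all assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample firewall log (not from any real utility): the procurement
# workstation 10.20.30.40 contacts 203.0.113.7 every 60 s, while 10.20.30.55
# shows ordinary, irregular browsing.
SAMPLE_LOG = """\
2010-04-05T09:00:00 ALLOW src=10.20.30.40 dst=203.0.113.7 dport=443
2010-04-05T09:00:12 ALLOW src=10.20.30.55 dst=198.51.100.20 dport=80
2010-04-05T09:01:00 ALLOW src=10.20.30.40 dst=203.0.113.7 dport=443
2010-04-05T09:02:00 ALLOW src=10.20.30.40 dst=203.0.113.7 dport=443
2010-04-05T09:02:31 ALLOW src=10.20.30.40 dst=10.20.30.5 dport=445
2010-04-05T09:03:00 ALLOW src=10.20.30.40 dst=203.0.113.7 dport=443
2010-04-05T09:03:10 ALLOW src=10.20.30.55 dst=198.51.100.20 dport=80
2010-04-05T09:04:00 ALLOW src=10.20.30.40 dst=203.0.113.7 dport=443
"""

# Address space the utility treats as "behind the firewall" (assumed RFC 1918).
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^(\S+) ALLOW src=(\S+) dst=(\S+)")

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)

def find_beacons(log_text, min_hits=4, max_jitter=0.2):
    """Return {(src, dst): mean_gap_seconds} for internal hosts that reach one external address at near-constant intervals."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_internal(m.group(2)) and not is_internal(m.group(3)):
            stamps[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    beacons = {}
    for pair, times in stamps.items():
        if len(times) < min_hits:
            continue  # too few contacts to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Low coefficient of variation = regular interval, unlike human browsing.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[pair] = mean
    return beacons

if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{src} contacts {dst} every {gap:.0f}s: keep watching before pulling it")
```

The internal-to-internal connection on port 445 is deliberately ignored by the filter; in a real deployment that lateral traffic would be the next thing to watch once the external tunnel is known.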

The threat of cyber attacks against the U.S. smart grid is real. Utilities must be proactive about assessing their security landscape and addressing vulnerabilities to preempt attacks, while implementing a strategic approach to countering an attack should one occur.

— Brad Bauch is the leader of the technology team within PricewaterhouseCoopers’ U.S. utilities advisory practice. He has provided IT and security services to electric and gas utility companies and independent system operators in Texas, Louisiana, Arkansas, New Mexico, and Wisconsin. This commentary first appeared in The Energy Daily, a sister publication of COAL POWER.