Feeds

US power grid the target of 'numerous and daily' cyber-attacks

Report finds utilities vulnerable, threatened

Reducing security risks from open source software

The US electricity grid is under near constant attack from malware and cyber-criminals, yet most utility companies implement only the barest minimum of security standards, according to a new report released by Congressmen Ed Markey (D-MA) and Henry Waxman (D-CA).

"National security experts say that cyber attacks on America's electric grid top the target list for terrorists and rogue states, yet we remain highly vulnerable to attacks," Markey said in a statement. "We need to push electric utilities to enlist all of the measures they can now, and push for stronger standards in Congress that will keep our economy and our country safe from cyber warfare."

Among the report's findings, more than a dozen utilities surveyed said their systems were under "daily," "frequent," or "constant" attack, with one claiming to be the target of around 10,000 attempted cyber-attacks each month.

Yet although the companies admitted to being the targets of attacks, most said they complied only with mandatory cyber-security standards set by the North American Electric Reliability Corporation (NERC).

Only 21 per cent of investor-owned utilities, 44 per cent of municipal or cooperatively-owned utilities, and 62.5 per cent of federally-owned utilities said they had taken any additional, voluntary "Stuxnet measures," as the report terms them.

Stuxnet, as most Reg readers will recall, was the mysterious malware that infected supervisory control and data acquisition (SCADA) systems in plants related to Iran's nuclear enrichment facilities in 2010. Many security researchers believe it was a targeted attack initiated by the US government – and if the US can do it, then so can its enemies.

The report calls out the power grid as a particularly high-profile target for attacks because of its critical importance to industry and infrastructure. According to the report, power outages and disturbances are estimated to cost the US economy between $119bn and $188bn per year, with individual events costing $10bn or more.

"Cyber-attacks can create instant effects at very low cost, and are very difficult to positively attribute back to the attacker," the report states. "It has been reported that actors based in China, Russia, and Iran have conducted cyber probes of U.S. grid systems, and that cyber-attacks have been conducted against critical infrastructure in other countries."

By way of example, the report cites the 2012 malware attack on Saudi Aramco, Saudi Arabia's massive, state-run oil company, which infected some 30,000 computers.

To help harden US infrastructure against such attacks, Markey and Waxman would like to see Congress grant the Federal Energy Regulatory Commission (FERC) additional authority to draft and enforce cyber-security standards among power utility companies.

The report points out that although President Obama signed an executive order in February 2013 identifying critical infrastructure areas and establishing a voluntary cyber-security framework, only an act of Congress can empower agencies to police the standards.

The full text of the report is available here. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.