The next security threat

The largest blackout in U.S. history happened in the late summer of 2003, when 50 million residents of eight northeastern states and Canada found their electricity dead on an August afternoon. The outage cost $6 billion and was collectively blamed on overgrown trees, a common computer virus, and an odd cascading effect in the electric grid that shut down dozens of power plants from Ohio to New York.

Tim Bennett, a cybersecurity expert, last year told National Journal there was more to the story: U.S. intelligence officials had confided to him a hacker working for China's People's Liberation Army had tapped into an online power control network serving the Northeast. A spring 2008 blackout also had been traced to China, Bennett said. Then, this month, charges of a similar nature were leaked: An unidentified U.S. intelligence source told The Wall Street Journal that foreign spies had hacked into a U.S. power grid and left behind malicious software.

These allegations haven't been officially verified, but they worry insiders to the world of cybersecurity. Nearly 70,000 infiltrations of U.S. government and private networks occurred in fiscal 2008, whether by foreign agents, pranksters, or serious hackers hoping to sell sensitive information. Experts warn that a government or a terrorist group could try to amplify the effects of a physical attack by disabling vital resources like electricity or water-placing a bull's-eye on utilities with online networks.

With the security of such U.S. infrastructure in question, the federal government is considering shifting its weight to oversee what private utilities might not. President Barack Obama commissioned a review of cybersecurity in February. Once findings are in, the president is likely to take steps to improve security through executive action, or he could decide to let Congress take the lead.

Legislation has already been drafted in the Senate. The Cybersecurity Act of 2009, introduced April 1 by Sen. John D. Rockefeller IV, D-W.Va., and Sen. Olympia J. Snowe, R-Maine, is intended to drastically restructure government's role in defending the United States from cyberattacks. A pair of bills would create a powerful cybersecurity office in the White House-centralizing authority now shared by separate agencies-and increase federal regulation of the private sector by establishing security standards for businesses.

The legislation was a result of recommendations from cybersecurity professionals, intelligence officials, and think tanks-one of which was the Center for Strategic and International Studies (CSIS), a public policy institution whose report on U.S. cybersecurity encouraged giving the White House coordinative power, and not leaving the defense of commercial networks to the private sector.

James Lewis, the CSIS senior fellow who oversaw the report, told WORLD he's pleased with the legislation overall. But he has reservations about a provision that gives the president authority to shut down the networks of private utilities during an emergency: "Say there was an electrical utility whose network was infected and it threatened to crash the entire electrical grid in a region. Then the president would have the ability to say to that utility, 'You have to go offline until things are better.'"

Like Lewis, Greg Nojeim of the Center for Democracy and Technology believes such authority is a major step in terms of federal oversight. But Nojeim is also critical of sections of the Act that challenge the privacy rights of internet and telephone users by allowing federal cybersecurity monitoring to override existing privacy laws. He thinks a government role is necessary, but he hopes other, less top-heavy proposals by Congress or the White House with shared responsibilities: "I don't think that either one acting alone could be as effective as the private and public sectors acting together."

Wastewater management companies and electric and gas providers use the convenience of "control systems" technology to remotely activate valves, circuits, and switches.

Convenience, though, sometimes translates into vulnerability: In 2000, a computer technician in Australia who had lost a city contract took revenge by wirelessly tapping into the city's water control systems at least 46 times and releasing hundreds of thousands of gallons of untreated sewage into rivers and public areas. In 2006, the operators of the Browns Ferry nuclear plant in Alabama lost control of pumps in a reactor because of a computer glitch (the plant was shut down before safety was compromised). In a 2007 Department of Homeland Security experiment, an overheated green diesel generator smoked and shook while following remotely issued orders.

Those cases may only be the tip of an iceberg. Joseph Weiss, a control systems expert who testified before Rockefeller's Commerce Committee prior to the introduction of the Cybersecurity Act, told WORLD he had documented over 125 control system "incidents"-a term that can mean anything from a computer malfunction to a possible cyber intrusion. Weiss said most are kept quiet because utilities don't want attention aimed at them, and few regulations are in place to force companies to report cyber mishaps (five U.S. water and electric utilities I contacted either didn't return calls or responded that it was their policy not to discuss security issues).

The difficulty, said Weiss, is that securing control systems isn't anything like protecting your PC. Traditional antivirus updates can cause a control system to crash. "And who did it? The corporate IT department. We have to protect ourselves not only from the malicious . . . but from the well-meaning."

To avoid crashes and outages, some electric companies say they're taking steps to make the power grid more resilient. Southern California Edison, which provides electricity to 13 million people in 180 cities, champions the latest utility buzzword: smart grid.

As a general term, smart grid refers to a type of control system technology-whether for electric, gas, or water-that allows two-way communication between a control center and remote devices. The feedback feature of the smart grid ought to make the power grid more reliable, allowing it to recover quickly from a malfunction or outage. Power-saving "smart meters" Obama has promoted (with the help of $4.5 billion in his stimulus package) incorporate this technology by bringing real-time analytics into homes and businesses, allowing power levels to be monitored and automatically adjusted. Around 2 million smart meters have already been installed, and an estimated 73 utilities have ordered 17 million more.

But last month, security firm IOActive announced that it had discovered a variety of ways to hack into the devices, which communicate wirelessly. Spokesman David Baker predicts a worst-case scenario would occur if "meters are attacked in a systemic fashion and a large number are instructed to turn off." By wresting control of smart meters, a hacker could hypothetically influence power levels in a region and trigger an outage. And since the meters are new, popular, and located on the customer end of electric supply, they're largely unregulated. (Asked about smart grid security, Southern California Edison provided WORLD with a statement saying its smart grid design "recognizes a wide variety of potential threats, and includes a number [of] protective measures designed to safeguard all layers of the system.")

Weiss believes it's a major problem that safety standards for electrical utilities have been developed and approved by the industry itself. He said cybersecurity regulation overlooks "distribution," the last leg in the journey of generated electricity, defined as the route between a substation and a customer. "There are no cybersecurity standards for the electric distribution system that goes to your home. Or buildings. Or hospitals."

Weiss is referring to the security standards of the North American Electric Reliability Corporation, or NERC, the regulatory body that oversees electric providers in the United States and Canada. NERC standards that were once voluntary gained some federal backing after the 2003 blackout, and today utilities face fines for overlooking rules. Even so, NERC oversight is sometimes limited by what utilities are willing to disclose. In an April 7 letter to industry leaders, NERC Chief Security Officer Michael Assante reprimanded utilities for under-reporting their ownership of "Critical Assets" and "Critical Cyber Assets"-structures and technology that, if compromised, could shut down power grids.

Assante warned that such infrastructure, not properly protected, might be hacked: "One of the more significant elements of a cyber threat . . . is the cross-cutting and horizontal nature of networked technology that provides the means for an intelligent cyber attacker to impact multiple assets at once, and from a distance." (NERC didn't return requests for comment.)

NERC will expand its cybersecurity auditing of utilities in July, but the industry's efforts at self-governance may be too slow and too late to ward off a federal hand. Dennis C. Blair, the Director of National Intelligence, told Congress in February that the past year had seen a growing number of infrastructure network "exploitations." His vague language may have been cover for real instances of infrastructure cyberattacks, instances that remain educated rumors outside the intelligence community.

"But we know some of our opponents are exploring them," says Lewis of the CSIS. "Could somebody do it? We don't want to find out the hard way."

Spy ring

An online ring of spies that invaded 103 countries was finally exposed last month, and you can thank the Dalai Lama for the tip-off. Gratitude ends there: The spies are still spying and have the startling ability to steal files and activate web cams on computers halfway around the world.

The cyber espionage network dubbed "GhostNet" was unearthed by a Canadian security group working for the Dalai Lama, the exiled Tibetan religious leader. He complained that the Chinese government knew about his personal appointments as soon as he did. The spies have successfully infiltrated some 1,300 private and government computers (though apparently none in the U.S. government) and are reportedly accessing a dozen more each week.

The Canadian group traced the ring's activity to computers based mainly in China but was unwilling to speculate on whether Chinese government officials or some other group was responsible. The level of sophistication suggests the work of an organized operation, not just a hacker's game.

Experts say many nations, including the United States, carry out some level of covert information-gathering in cyberspace. Chinese Foreign Ministry spokesman Qin Gang sharply denied his country's involvement in GhostNet: "Some people outside China now are bent on fabricating lies about so-called Chinese computer spies. Their attempt to tarnish China with such lies is doomed to failure."