WASHINGTON — Several major U.S. utilities are under “constant” cyberattack and haven’t taken precautions to protect critical systems from Iran, North Korea and other adversaries, according to a congressional survey of more than 100 companies accounting for much of the nation’s power system.
The survey shows the nation’s electrical grid remains “highly vulnerable” to attack after four years of failed efforts to pass major cyber-security legislation, according to an accompanying report. Industry trade groups, including the Edison Electric Institute, joined by Republicans in the Senate, opposed the bill, arguing minimum cyber-security standards would be out-of-date by the time they were implemented.
“Our enemies have the motive, the means, and the capacity to attack our grid with potentially catastrophic consequences,” Rep. Ed Markey, D-Mass., who co- wrote the report released Wednesday, said in an email. “The question is whether the utilities have the same determination to protect our country against these threats.”
Power utilities are part of a core of critical infrastructure that U.S. intelligence agencies are warning may be targets of aggressive cyberattacks designed to cloak the East Coast in darkness or shut off the sewers in New York City during a future conflict.
The report, whose other author, Rep. Henry Waxman, D-Calif., is the ranking member of the House Energy and Commerce Committee, is based on a 15-question survey sent to 170 electric utilities, including Exelon, Southern and Duke Energy.
There’s no confirmed example of a massive infrastructure attack, and the survey was designed in part to identify whether cyber warriors are trying to breach sensitive systems or utilities know of smaller-scale attacks that might show adversaries are practicing.
In many cases, utilities simply didn’t answer the questions posed by the lawmakers. Of the companies that received the letter, more than two-thirds either didn’t respond at all or gave minimal responses, according to the lawmakers’ report.
Among those that did respond, several described a running battle to keep ahead of the hackers.
One Midwestern utility said that its computer systems were being probed constantly, in some cases by automated programs designed to detect weaknesses that can be exploited later. A utility in the Northeast reported that it was “under constant attack” from cyber criminals.
More than a dozen utilities reported either “daily,” “constant” or “frequent” attempts at computer intrusions.
The answers didn’t give details on the nature of the attackers or whether they were attempting to gain access to corporate systems or the industrial computers that actually run the plants.
The report’s authors found evidence that some utilities collaborated or simply cut-and-pasted answers provided by trade groups rather than addressing their unique situations.
Four small utilities in Florida and Texas gave almost identical answers to the majority of the questions, according to an analysis by the Democrats’ staff. Others borrowed heavily from a “coaching guide” produced by the North American Electric Reliability Corp., or NERC, a private body that helps regulate the industry, according to the lawmakers’ staff.
“If you can’t respond to a letter, I’m guessing that you probably can’t respond to a cyberattack either,” said Jacob Olcott, a former cyber-security staffer for the Senate Commerce Committee, which helped draft the omnibus cyber-security bill that failed last year.
The reticence of some utilities reflects their reluctance to divulge even to lawmakers details of security concerns or potential vulnerabilities, the American Public Power Association said in a response to the report, which it called “misleading.”
Many questions were “so specific and confidential in nature that for security reasons, they could not be answered,” the group said.
In some cases, the utilities’ answers suggested they had a poor grasp of the system for alerting them to cyber-security threats or missed many of the alerts altogether, the report’s authors said. Asked how many grid security alerts they had received from NERC since January 2010, the companies gave answers that ranged from one to 50. In fact, 24 alerts had been issued during that period.
Several utilities said that they failed to fix bugs in control systems and other technology that had been identified after a sophisticated attack software called Stuxnet sabotaged Iran’s uranium processing facility at Natanz in 2010. Stuxnet is widely believed to have been designed by hackers working for the U.S. and Israeli governments in an effort to disable the site.
The flaws used by the software are now widely known, and three years ago officials recommended 12 measures to ensure adversaries couldn’t deploy a repurposed version of Stuxnet against U.S. infrastructure.
Four of 45 utilities who responded to the survey hadn’t implemented the mandatory measures and 15 of 19 utilities hadn’t instituted several other measures which were voluntary, according to the survey answers.