Electric Power Grid Hack Lights Up Cyber-Security Infrastructure Experts

Russian and Chinese hacks into the U.S. power grid infrastructure neither surprise nor panic cyber security experts. Sensational as it all sounds, some experts contend, the simple ability to map the electrical infrastructure is not the same as knowing how the system is operated or controlled.

News reports of Russian and Chinese spies hacking into the U.S. power grid and planting destructive malware for a later date is not as potentially threatening as it might sound, according to several cyber-security experts. While serious, they point out, both the White House and Congress are moving to pass tougher cyber controls and standards for electrical utilities.

At the White House, spokesman Nick Shapiro told Reuters, "The president takes the issue of cyber-security very seriously, which is why he ordered a top-to-bottom review shortly after taking office." President Obama ordered his National Security and Homeland Security advisors Feb. 9 to conduct an immediate review of the U.S. government's cyber-security plans, programs and activities. The report is due in next few days.

Shapiro added the White House is not aware of "any disruptions to the power grid caused by deliberate cyber-activity here in the United States."

Homeland Security Secretary Janet Napolitano told reporters in an April 8 briefing, "The vulnerability is something that the Department of Homeland Security and the energy sector have known about for years."

Cyber-security experts agreed.

"This should be a surprise to no one. We all know there are a number of state and non-state actors pursuing U.S. intelligence and disruption activities," Cisco's Chief Security Researcher Patrick Peterson said in a statement. "Today's world is wired, and of course these groups have added electronic infiltration to their attack portfolio."

Gregory Reed, a professor of electrical and computer engineering in Pitt's Swanson School of Engineering and director of the school's Power and Energy Initiative, said the U.S. electrical grid vulnerability is widely known to foreign operatives but, at least at this point, the harm is minimal.

"The recent espionage won't reveal more than how the network is connected, and being able to map the infrastructure is not a threat without knowing how the system is operated and controlled," Reed said in a statement. "But this points out the risk of a smart grid and the need to better secure our energy system: It's good to have open access and consumer control in real time, but we're exposed if it creates entry points for hackers and terrorists."

Reed said the current reports suggest that the hackers did not infiltrate into the electrical grid control systems, but added, "If they can determine where critical facilities are located, how power is delivered, and where control systems are vulnerable, then the information could be used adversely."

In addition to the White House's pending national cyber-security review, Senate lawmakers introduced April 1 legislation calling for a widespread revamp of the country's cyber-security measures. The Cybersecurity Act of 2009 would also give a new cyber-security czar or the president unprecedented authority over private-sector networks, Internet services, applications and software.

According to the bill's language, the president would have broad authority to designate various private networks as a "critical infrastructure system or network" and, with no other review, "may declare a cyber-security emergency and order the limitation or shutdown of Internet traffic to and from" the designated the private-sector system or network."