Experts debate U.S. power grid's vulnerabilities to hackers

Computerworld - Nationwide rolling blackouts could have a devastating impact on the economy, but experts also fear that the stress being placed on the nation's power grid could make it more susceptible to disruptions from hackers.

In California's Silicon Valley, large Internet data centers have been blamed for stressing the region's power grid beyond what its Korean War-era design can handle. Now, other states, including Oregon, Utah and Washington, are preparing for possible rolling blackouts.

"From a cybersecurity perspective, the electric power grids in the West are now more fragile, [and] margins for error are significantly less," said Tim Bass, a longtime information security consultant for the U.S. Air Force and now CEO of The Silk Road Group Ltd., a network security consulting firm in Centerville, Va. "With diminishing margins and power reserves, the probability for cascading catastrophic effects are higher."

The recent power shortages come as the Critical Infrastructure Assurance Office (CIAO) of the U.S. Department of Commerce on Feb. 22 delivered to Congress the first status report on private-sector efforts to bolster cyberdefenses for systems that run critical sectors of the economy. Although progress has been made in improving information sharing, officials acknowledged that they still know very little about how failures in one sector could affect other sectors.

"In the context of broader infrastructure assurance, the scale and complexities of the energy infrastructure and their impact on infrastructure security and reliability are not fully understood," the report states.

The energy industry continues to be the target of Internet-based probes and hacker attacks that seek to exploit known vulnerabilities in off-the-shelf software and systems that are increasingly being used to control and manage the power grid, according to the CIAO report.

Likewise, the sector continues to fall victim to poor personnel security practices, ports and services that are open to the Internet, outdated software without current security patches and improperly configured systems.

"With the system itself teetering on the brink of collapse, it becomes easier for a smaller incident to have a wider impact," said David Thompson, a security analyst at New York-based PricewaterhouseCoopers. "For instance, if someone were to find a way to force the shutdown of a single power plant or a section of the power grid, the results would be much more devastating, since there is not enough reserve capacity to take up the slack."

In addition to the technical risks, analysts said they're also concerned about the publicity generated by the recent crisis in California and the possibility that hackers may try to exploit known vulnerabilities