The "malicious attack from Russian hackers that cracked security on an Illinois water utility and destroyed one of its main pumps turned out to be what Wired called a "comedy of errors" after interviewing the prime suspect for a story that ran last week.
That doesn't mean utilities in the U.S. – especially electrical utilities – are not desperately vulnerable to attack.
The U.S. electrical grid in particular is not only just as vulnerable as it was before the risk of cyberattack became obvious, the negative impact of a real hack keeps rising, according to a two-year study published today by researchers at the MIT Energy Initiative in Massachusetts Institute of Technology Sloan School of Management.
U.S. utilities are building more intelligence into their networks to make power distribution more efficient, but the mesh of regulations and regulators involved is such that their security efforts are incomplete, inadequate and uncoordinated, according to the 268-page study (PDF of full report, or by section), which also examined risks from weather, the impact of federal regulations, rising prices for fossil fuels and competition from sources of renewable energy.
The risk of a Stuxnet-like attack on utilities was dismissed by many security experts after the revelation that reports of a successful attack on the Illinois water utility hack were mistakes, the possibility that it is possible was not.
Current risks of cyberattack on electric utilities
- Loss of grid control resulting in complete disruption of electricity supply over a wide area can occur as a result of errors or tampering with data communication among control equipment and central ofﬁces.
- Consumer-level problems ranging from incorrect billing to interruption in electric service can be introduced via smart meter tampering.
- Commuting disruptions for electric vehicle operators can occur if recharging stations have been modiﬁed to incorrectly charge batteries.
- Data conﬁdentiality breaches, both personal and corporate, can provide information for identity theft, corporate espionage, physical security threats (for example, through knowing which homes are vacant), and terrorist activities (for example, through knowing which power lines are most important in electric distribution).
With rapidly expanding connectivity and rapidly evolving threats, making the grid invulnerable to cyber events is impossible, and improving resilience to attacks and reducing the impact of attacks are important…
… For the electric grid in particular, cybersecurity must encompass not only the protection of information but also the security of grid equipment that depends on or is controlled by that information. And its goals must include ensuring the continuous and reliable operation of the electric grid……We believe the natural evolution of grid information technologies already points toward such an approach: the development and integration of increasingly rapid and accurate systems control and monitoring technologies should facilitate quicker attack detection—and consequently, shorter response and recovery times.
Cyberattack response and recovery measures would be a fruitful area for ongoing research and development in utilities, their vendors, and academia. – Future of the Electric Grid, MIT Energy Initiative, Dec. 5, 2011
U.S. utilities – electric, water and others – are so vulnerable and so insensible to security concerns that using passwords only three characters long doesn't raise a huge stink among companies that largely either refuse to believe there's a target painted on their backs or believe it's too expensive to do anything about it.