The US electricity grid is under near constant attack from malware and cyber-criminals, yet most utility companies implement only the barest minimum of security standards, according to a new report released by Congressmen Ed Markey (D-MA) and Henry Waxman (D-CA).
"National security experts say that cyber attacks on America's electric grid top the target list for terrorists and rogue states, yet we remain highly vulnerable to attacks," Markey said in a statement. "We need to push electric utilities to enlist all of the measures they can now, and push for stronger standards in Congress that will keep our economy and our country safe from cyber warfare."
Among the report's findings, more than a dozen utilities surveyed said their systems were under "daily," "frequent," or "constant" attack, with one claiming to be the target of around 10,000 attempted cyber-attacks each month.
Yet although the companies admitted to being the targets of attacks, most said they complied only with mandatory cyber-security standards set by the North American Electric Reliability Corporation (NERC).
Only 21 per cent of investor-owned utilities, 44 per cent of municipal or cooperatively-owned utilities, and 62.5 per cent of federally-owned utilities said they had taken any additional, voluntary "Stuxnet measures," as the report terms them.
Stuxnet, as most Reg readers will recall, was the mysterious malware that infected supervisory control and data acquisition (SCADA) systems in plants related to Iran's nuclear enrichment facilities in 2010. Many security researchers believe it was a targeted attack initiated by the US government – and if the US can do it, then so can its enemies.
The report calls out the power grid as a particularly high-profile target for attacks because of its critical importance to industry and infrastructure. According to the report, power outages and disturbances are estimated to cost the US economy between $119bn and $188bn per year, with individual events costing $10bn or more.
"Cyber-attacks can create instant effects at very low cost, and are very difficult to positively attribute back to the attacker," the report states. "It has been reported that actors based in China, Russia, and Iran have conducted cyber probes of U.S. grid systems, and that cyber-attacks have been conducted against critical infrastructure in other countries."
By way of example, the report cites the 2012 malware attack on Saudi Aramco, Saudi Arabia's massive, state-run oil company, which infected some 30,000 computers.
To help harden US infrastructure against such attacks, Markey and Waxman would like to see Congress grant the Federal Energy Regulatory Commission (FERC) additional authority to draft and enforce cyber-security standards among power utility companies.
The report points out that although President Obama signed an executive order in February 2013 identifying critical infrastructure areas and establishing a voluntary cyber-security framework, only an act of Congress can empower agencies to police the standards.
The full text of the report is available here. ®