Opportunities for computer-driven sabotage will rise with the number of web-connected devices deployed by utilities and energy companies into homes and businesses, said former Director of the Central Intelligence Agency Michael Hayden, one of the authors of the study released today by the Bipartisan Policy Center in Washington.
“We’re going to create a grid where the PLA -- the Chinese Army -- can talk to my toaster,” Hayden said in an interview.
Local utilities aren’t prepared to handle such intrusions, he said. Governments in the U.S., Mexico and Canada lack a coordinated command structure needed to thwart potential incidents that could rival the 2003 U.S. blackout that cut power to 50 million people, Hayden and his coauthors, utility consultant Susan Tierney and Curt Hebert, a former Entergy Corp. executive and chairman of the Federal Energy Regulatory Commission, wrote in the report.
The study’s recommendations include spending as much as $7 billion by 2020 on measures that would include creating a multi-government command structure designed to react swiftly to shut down computer-driven attacks.
“The chain of command is critical to a successful performance,” Hebert said in a telephone interview before the report was released. “We don’t have a decision tree in place.”
Intrusions are rising, with utilities reporting daily efforts by unknown parties probing vulnerabilities in their computer systems, Hayden said.
Power companies have little experience combating the attacks that fall under criminal or national-security investigations, said Tierney, a former utility commissioner in Massachusetts. State and provincial regulators aren’t computer security experts and are only beginning to comprehend the problem and potential solutions, she said.
Until now, the complexity of the North American grid, which includes hundreds of utilities, may have made it resistant to a successful attack, Hayden said. The transformation of the grid with more wireless and interactive technology may break down some of those barriers.
New wireless “smart meters” monitor power usage inside a home and transmit data back to utilities. Internet giant Google Inc. (GOOG) agreed last month to pay $3.2 billion for digital-thermostat maker Nest Labs Inc., which features wireless control of heating and cooling systems by smartphone.
Expansion of distributed generation, such as rooftop solar arrays that are designed so homes can both supply the grid and draw power from it, increases the risk that a successful attack on a local network could spread, the report said.
“Products sold to the power sector may be insecure by design,” according to the report. Consumer devices “may be subject to malicious manipulation or compromised by the use of counterfeit parts.”
The 2003 blackout, triggered by an overheated power line that dipped onto a tree in Ohio, left major cities from Detroit to Toronto to New York in the dark for two days. Rolling blackouts persisted in Ontario for more than a week, according to a 2004 report by the Electric Consumers Resource Council.
Some computer-based grid incursions may target commercially sensitive information, such as customer use and power markets, Tierney said. About two-thirds of U.S. electricity is sold on wholesale markets, according to the Electric Power Supply Association.
Hayden sees less value in the data, and more of a threat in the potential for intruders to seize control of parts of the grid. The main reason for stealing information from the power grid is to learn what you need “to be able to manipulate it,” he said.