A blackout that swept parts of North America in August 2003, leaving 50 million people in the dark for as long as four days, provides a glimpse of the havoc a cyber attack could inflict on the nation’s power grid.
Internet-based terrorists would be capable of causing blackouts “on the order of nine to 18 months” by disabling critical systems such as transformers, said Joe Weiss, managing director of Applied Control Solutions LLC, a Cupertino, California-based security consulting company.
“The dollars are incalculable,” Weiss said in a phone interview. The 2003 event, triggered when a power line touched tree branches in Ohio, caused losses of as much as $10 billion, according to a study by the U.S. and Canadian governments.
Energy companies including utilities would have to increase their investment in computer security more than seven-fold to reach an ideal level of protection, according to a survey done for Bloomberg Government by the Ponemon Institute LLC, a data-security research firm based in Traverse City, Michigan.
Electric utilities fail to recognize the risk because, unlike banks and telecommunications companies, they aren’t prime targets for Internet theft or espionage, said James Lewis, technology program director at the Center for Strategic & International Studies in Washington. Yet “if there was a cyber attack, the electrical grid would be target number one” for terrorists, he said.
“There’s some percentage of utilities out there that just don’t take this seriously,” Lewis said.
The Bloomberg survey of network managers at 21 energy companies including 14 utilities found the companies spend an average of $45.8 million a year on computer security and are able to prevent 69 percent of known cyber strikes against their systems.
Over the next 12 to 18 months, the companies estimated they could increase annual spending to an average $69.3 million and be able to avert 88 percent of attacks. It would take an average annual budget of $344.6 million per company to stop 95 percent of the threats, the survey found.
That sum exceeds the $277 million in profit that Atlanta-based Southern Co., the largest U.S. utility by market capitalization, reported for the fourth quarter of 2011.
Bloomberg also surveyed other fields -- including telecommunications, financial services and health care -- and found that technology managers in 124 companies and 48 government agencies said they could double their spending on cybersecurity, and still their networks would remain vulnerable. All of the companies surveyed employ at least 10,000 workers.
The energy companies surveyed anonymously included eight private utilities, six public utilities, four oil and gas exploration and production companies, and three pipeline and retail businesses.
The four largest U.S. utilities by market capitalization declined to release information on their cybersecurity spending when contacted by Bloomberg News. They are Southern; Dominion Resources Inc. of Richmond, Virginia; Duke Energy Corp. of Charlotte, North Carolina; and Exelon Corp. of Chicago.
Congress is considering legislation that may include increased government sharing of information, as well as tax and insurance benefits for companies that implement certain cybersecurity controls.
“Regardless of how much money we spend, it is simply not possible to eliminate all risk,” James Fama, vice president for energy delivery at the Edison Electric Institute, said in an e-mail. “Utilities have to make choices and set priorities concerning investments.”
The Washington-based industry group, whose members include Duke Energy Corp. and Consolidated Edison Inc., wants more senior executives at utilities to have top-secret security clearance so they can get better intelligence on cyber threats.
Energy Secretary Steven Chu announced an initiative Jan. 5 aimed at helping utilities and grid operators identify weaknesses in their cyberdefenses and devise research and investments to eliminate them. The Energy Department plans workshops with utilities this year to come up with a set of best practices for the industry.
American Electric Power Co. of Columbus, Ohio, received $75 million from the 2009 stimulus law and is working with 15 unnamed utilities to share cyber-threat information learned using software developed by Lockheed Martin Corp.
While no major cyber attacks on the U.S. electric grid have been reported, Russia and China have “probed the electrical grid to find vulnerabilities to exploit if they needed to attack it,” Lewis said, citing the National Security Agency. “The risk is that the attack capabilities are spreading, and countries like Iran and North Korea, along with jihadis and anarchists, will eventually be able to attack.”
Power companies have become more exposed to hackers and cyber terrorists as they replace older equipment with digital devices and the electrical grid becomes more interconnected through the Internet.
“In almost every case, a control system is connected to the Internet and it’s vulnerable to being hacked,” said Lewis.
Utilities are investing in technologies designed to give their customers greater control over their energy use, such as the ability to use a cell phone to set the air conditioning level at home. As computer links create the so-called “smart grid,” power companies will need to spend about $3.7 billion between now and 2030 on protection from cyber threats, according to a 2011 study by the Electric Power Research Institute of Palo Alto, California.
Power-grid security is “both a hardware and a software issue,” because hackers can use viruses to make industrial control programs go haywire and damage critical equipment such as transformers, Roger Cressey, senior vice president at Booz Allen Hamilton Holding Corp., a McLean, Virginia-based consulting firm, said in an interview.
If hardware is attacked “the concern is we don’t have enough replacements in supply to switch them out,” he said.
The Stuxnet computer worm, which attacks software sold by Munich-based Siemens AG, is an example of a virus that can overtake a power plant’s industrial control systems. Almost 60 percent of Stuxnet-infected computers were in Iran, where officials said systems used to enrich uranium were the targets.
The North American Electric Reliability Corp. has instructed power companies to isolate computers to prevent a hacker attack from triggering a widespread blackout, said Gerry Cauley, chief executive officer of the Atlanta-based organization that develops standards for the nation’s utilities.
The Federal Energy Regulatory Commission reviews NERC’s cybersecurity standards for approval, and utilities can be fined as much as $1 million a day for violations. The process for approving reliability standards can take years, according to FERC Commissioner John Norris.
“That’s not in my mind an adequate mechanism for addressing an imminent threat,” he said in an interview.
Cybersecurity legislation should allow FERC to issue emergency orders to protect the grid and give the agency the authority to respond to a threat before an incident occurs, Joseph McClelland, the commission’s electric reliability director, told a congressional panel May 31.
Government can help utilities prioritize cybersecurity investments by keeping them apprised of threats, Fama said.
“While we spend significant money and resources to provide reliable service, we also have to accomplish this at a reasonable cost,” he said in an e-mail.