NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0321 Vulnerability of US Electrical Grid under Scrutiny
After Destructive Cyber Attack Demo.
In the wake of the recently publicized Idaho National Laboratory test that destroyed
an electrical generator with a simulated cyber-attack, a Congressional panel on cyber-
security has called for an investigation into how well electric sector owners and
operators have implemented security mitigations developed by the Department of Homeland
Security and Department of Energy, according to a 19 October New York Times article.
A hearing on the matter was chaired by Representative Jim Langevin, Chairman of a House
of Representatives cyber security panel, on 17 October. Langevin's opening statement
pointed out that the US power system is worth more than $1 TRILLION, comprises more than
200,000 miles of transmission lines, and more than 800,000 megawatts of generating
capability, and is highly dependent on computer-based control systems. "Intentional and
unintentional control system failures on the bulk power system could have a significant
and potentially devastating impact on the economy, public health, and national security
of the US," Langevin said.
Langevin's statement added, "For a society whose every function depends on reliable power,
the disruption of electricity to chemical plants, banks, refineries, hospitals, water
systems, and military installations presents a terrifying scenario. We will not accidentally
stumble upon a solution to these problems. Instead, we must dedicate a lot of hard work
and resources to secure our systems."
Newly proposed North American Electric Reliability Corporation (NERC) standards would
require certain users, owners, and operators of elements of the power grid to establish
plans, protocols, and controls to safeguard physical and electronic access to systems, to
train personnel on security matters, to report security incidents, and to be prepared to
recover information.
Joseph McClelland, Director of the Office of Electric Reliability at the Federal Energy
Regulatory Commission, said at the hearing that overly prescriptive standards run the risk
of becoming a "one-size-fits-all" solution that ignores "significant differences in system
architecture, technology and risk profile. A major concern with cyber-security is the
prevalence in the industry of 'legacy equipment' which may not be readily adaptable for
purposes of cyber-security protection. If this equipment is left vulnerable, it could be
the focal point of efforts to disrupt the grid."
(NY Times, 19OCT07)