Security professional greeted this week's media reports of hackers infiltrating the electric grid with a collective yawn.
On Wednesday, the Wall Street Journal kicked off a fresh awareness of the vulnerability of U.S. critical infrastructure when the newspaper reported that cyber spies from China and Russia had infiltrated the U.S. electric grid and left behind software that could be used to disrupt operations. The report, which lacked named sources, was soon followed by similar stories from the Washington Post and Reuters.
A spokesman for the Chinese embassy in Washington D.C. criticized the report. "There are no such things as China and Russia attack (sic) the US national grid," Foreign Ministry Spokesperson Jiang Yu told members of the media, according to an embassy transcript. "I hope the press take a cautious approach when it comes to ungrounded accusations."
Security experts have long known of vulnerabilities in the systems that manage critical infrastructure. Both the Clinton administration and the Bush administration flagged the vulnerability of infrastructure control networks as an issue of national security. While incidents, such as the infection of a nuclear plant's network by the Slammer worm in 2003 and the Aurora test showing the potential consequences of a cyber attack, have underscored the vulnerabilities in critical infrastructure, the companies responsible for those networks have generally resisted toughening their security.
As the Obama administration and power companies push for more control over energy networks, in the form of a "smart grid," security professionals have warned that the initiative risks pushing insecure technologies toward adoption too quickly.
Both the U.S. Department of Homeland Security and the National Electric Reliability Council (NERC) have acknowledged that vulnerabilities exist in the current infrastructure but would not comment on the specifics of the media reports.
"Cybersecurity is an area of concern for the electric grid," NERC said in a statement released on Thursday. "Though we are not aware of any reports of cyber attacks that have directly impacted reliability of the power system in North America to date, it is an issue the industry is working to stay ahead of."
Some security experts have pointed to the Obama administration's review of the United States' cybersecurity policy as a potential reason for unnamed intelligence officials to bring up the vulnerability of the nation's critical infrastructure. The National Security Agency, the military agency responsible for securing and surveilling communications networks, has pushed to become the lead agency for U.S. cyber efforts. However, the outgoing director of the National Cybersecurity Center criticized the NSA for its efforts to control national cybersecurity policy.
"There's no coordinated conspiracy here, but there are a lot of government officials who stand to gain by this attempt at drastically increasing government control over the Internet," Robert Graham, CEO of Errata Security, stated earlier this week. "They will certain call up reporters they know and attempt to get them to write scare stories precisely like this."
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos