The House Energy and Commerce Subcommittee on Oversight and Investigations today continued its hearing series examining current cyber threats and vulnerabilities to our nation's infrastructure. The hearing entitled, "Critical Infrastructure Cybersecurity: Assessments of Smart Grid Security" assessed cybersecurity threats to our nation's electric infrastructure and weaknesses that make our grid vulnerable to attacks. In February 2011, the Director of National Intelligence noted that there has been a dramatic increase in cyber activity targeting U.S. computers and systems, including more than tripling of the volume of malicious software since 2009. A secure electric grid is critical to our national and economic security.
During the hearing, Government Accountability Office (GAO) witnesses highlighted that as smart grid technologies are employed, the threats to systems supporting critical infrastructures continue to evolve and grow. Gregory Wilshusen, GAO Director of Information Security Issues stated, "The electricity industry is in the midst of a major transformation as a result of smart grid initiatives and this has led to significant investments by many entities, including utilities, private companies, and the federal government. While these initiatives hold the promise of significant benefits, including a more resilient electric grid, lower energy costs, and the ability to tap into alternative sources of power, the prevalence of cyber threats aimed at the nation's critical infrastructure and the cyber vulnerabilities arising from the use of new technologies highlight the importance of securing smart grid systems."
Oversight and Investigations Subcommittee Chairman Cliff Stearns also expressed concerns, stating, "We are woefully inadequate in our information sharing between DHS and other agencies and must make necessary improvements before we have a catastrophic cyber attack. America's infrastructure systems have become more automated and more reliant on information systems and computer networks to operate. While our systems are more efficient, they also open the door to cyber threats and cyber-attacks. We have seen in the past decade what impact both man-made and natural disasters have on our nation's utility systems. Imagine the impact of a cyber-attack to the electrical grid: How many days could hospitals operate with on-site electricity generation? How would metro rail systems operate if at all? How would we recharge our smart phones or access the internet? The goal of the Smart Grid is to improve efficiency, reliability and interoperability. An equal goal however, must be to improve upon the security controls and to minimize the impact from a man-made or natural disaster to ensure reliability and avoid such possibilities."
To underscore the growing threat, GAO highlighted four examples of known cyber incidents that directly affected the operations of energy facilities:
* Stuxnet. In July 2010, a sophisticated computer attack known as Stuxnet was discovered. It targeted control systems used to operate industrial processes in the energy, nuclear, and other critical sectors. It is designed to exploit a combination of vulnerabilities to gain access to its target and modify code to change the process.
* Browns Ferry power plant. In August 2006, two circulation pumps at Unit 3 of the Browns Ferry, Alabama, nuclear power plant failed, forcing the unit to be shut down manually. The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device.
* Northeast power blackout. In August 2003, failure of the alarm processor in the control system of FirstEnergy, an Ohio-based electric utility, prevented control room operators from having adequate situational awareness of critical operational changes to the electrical grid. When several key transmission lines in northern Ohio tripped due to contact with trees, they initiated a cascading failure of 508 generating units at 265 power plants across eight states and a Canadian province.
* Davis-Besse power plant. The Nuclear Regulatory Commission confirmed that in January 2003, the Microsoft SQL Server worm known as Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly 5 hours. In addition, the plant's process computer failed, and it took about 6 hours for it to become available again.
The Oversight and Investigations Subcommittee will continue working to protect the nation from potential cyber attacks. Chairman Stearns intends to call DOE and possibly other stakeholders to a future hearing for further consideration of smart grid security.