Congressional Report: US Power Grid Highly Vulnerable To Cyberattack

An anonymous reader writes "Despite warnings that a cyberattack could cripple the nation's power supply, a U.S. Congressional report (PDF) finds that power companies' efforts to protect the power grid are insufficient. Attacks are apparently commonplace, with one utility claiming they fight off some 10,000 attempted attacks every month. The report also found that while most power companies are complying with mandatory standards for protection, few do much else above and beyond that to protect the grid. 'For example, NERC has established both mandatory standards and voluntary measures to protect against the computer worm known as Stuxnet. Of those that responded, 91% of IOUs [Investor-Owned Utilities], 83% of municipally- or cooperatively-owned utilities, and 80% of federal entities that own major pieces of the bulk power system reported compliance with the Stuxnet mandatory standards. By contrast, of those that responded to a separate question regarding compliance with voluntary Stuxnet measures, only 21% of IOUs, 44% of municipally- or cooperatively-owned utilities, and 62.5% of federal entities reported compliance.'"

Re:You're kidding me

[OhANameWhatName]

Can't they spend $40 on a Linksys router and call it good?

You can never spend $40 on a Linksys router and call it good.

Re:Yeah ... this is bullshit

Actually most of the equipment covered under NERC is custom embedded firmware. An air gap in this case is actually highly effective. In order to install a Trojan you need to access one of about 5,000 computers run by a select few people and trick them into installing a new firmware version on a proprietary system. Firmware updates are fairly uncommon, and take a lot of time with these systems (typically 9600 baud through a serial port). To do this automatically behind the users back would be highly unlikely as it would cause a visual reset condition on the hardware. The hacks that have been implemented primarily target SCADA systems, so if you have no SCADA you have no virtually no issue.

Note that I actually am a contractor that specializes in NERC compliance. The problem is that without SCADA your system is less usable, and requires a lot more direct maintenance (more downtime when something happens).

I would actually be more afraid of a custom bug targeting transmission systems than generation.

There are much bigger issues that need to be addressed here. I can't go into the specifics on this but there are a lot of things that scare me more than computer viruses.

Feeding an island is DEADLY.

[Ungrounded+Lightning]

It could even keep a local part of the grid up while all others around them suffer power failures.

And that is a BIG no-no. Because it kills linemen trying to fix the outage.

Those transformers work both ways. Your little generator or inverter gets stepped up to maybe 8,000 or 12,000 volts. Then a lineman who thinks the power is down brushes against a wire (or comes within a quarter-inch of it) and is "burned" - to death.

Grid-connected inverters with a "sell" feature MUST monitor the network and shut down if they detect islanding - being cut off from the grid, with one or a collection of generators running autonomously. It's perfectly OK to feed power into the grid when it's up (if you're using UL approved equipment, connected according to code, inspected for compliance, and the utility knows you're doing it according to the rules.) It's perfectly OK to have things wired so your equipment still feed your house if the grid goes down, but it MUST cut itself off from the dying or dead grid and stay off until the grid comes back up and stabilizes at the nominal voltage and frequency.