The United States' electrical grid is vulnerable to disruptive attacks by computer hackers that could shut off power to vital sectors of the economy and key public utilities, giving potential adversaries a new way of hitting the United States, according to a new study by a Washington think tank.
The report by the nonpartisan Center for the Study of the Presidency and Congress comes as lawmakers on Capitol Hill consider legislation that would beef up cybersecurity standards for critical infrastructure like the power grid while also encouraging the government and private sector to share more information about cyberthreats and thwarted attacks. That legislation has been in the works for years but has been blocked by business interests that see mandatory security standards as an improper attempt by Washington to dictate how companies manage privately owned facilities in industries ranging from telecommunications to the financial and transportation sectors.
Cyberattacks on the power grid have long been seen as a kind of doomsday scenario that could cripple large swaths of the U.S. economy and society, leading to lengthy power outages and wide-scale panic. The new report identifies a range of potential cyberattackers that have both the motive and the capability to take down portions of the power grid, from countries like China and Russia to terrorist organizations and organized criminals.
"For countries like Iran and North Korea, grid vulnerabilities serve as targets for attacks aimed at disruption or asymmetric effects in terms of national, economic, and civil security," the report's authors write, referring to the idea that a country that will always be outmatched militarily by the United States will look for unconventional ways to attack. Cyberweapons, which can include malicious programs written by individual hackers, offer just such a relatively cheap and easy way of hitting the United States.
U.S. intelligence officials are increasingly concerned about the threat that Iran poses to critical infrastructure, including the power grid and the financial sector, because of rapid advances in Tehran's cyberattack capabilities. In 2012, U.S. intelligence officials say, hackers in Iran launched a series of debilitating assaults on the websites of major U.S. banks. Disabling an electrical grid would require a more sophisticated kind of attack, but U.S. officials and security experts say that Iran is on a path to acquire the means and the know-how to target the power grid.
"Although Iran does lack technological sophistication when compared to other threat actors, such as China or Russia, Iran's diligence and tenacity make it just as formidable an opponent," the report's authors write. "Overall, Iran and government sponsored organizations throughout the country are continuing to expand their ability to conduct a major cyberattack."
The report emphasizes that it's not just cyber-intruders that threaten the U.S. power grid. Electrical systems are also vulnerable to "physical attack, electromagnetic pulse (EMP), geomagnetic storm, and inclement weather.… Focusing on one event or one type of attack fails to account for the overlapping nature of many of these threats," the report's authors write.
The threat of a physical attack was underscored in April 2013 when at least one gunman used a high-powered assault rifle to disable 10 transformers at an electrical facility near San Jose, California, which had few protective measures in place to deter potential intruders.
During the attack, cooling oil leaked from a transformer bank, causing it to overheat and shut down. State regulators urged customers in the area to conserve energy over the following days, but no long-term damage was reported at the facility and there were no major power outages.
Still, the attack gave policymakers in Washington a vivid reminder that electrical facilities are vulnerable to both cyberattacks and physical attacks. In response, the report's authors call on Barack Obama's administration to use more executive actions -- such as presidential orders and recommended industry standards -- to heighten cybersecurity and to work with Congress to pass laws that make it easier for companies to share information about vulnerabilities in their networks with each other and with the government.
Many companies are concerned that if they do share information about potential hacker activity on their computer networks with U.S. law enforcement or intelligence agencies, they could violate privacy laws. That's because monitoring networks for cyberthreats may require examining information about a company's customers, and companies may not be authorized to voluntarily give such information to the government.
The Obama administration has recently tried to assuage companies' concerns and encourage them to share more information with each other, which officials say is essential to preventing attacks. In April, the Justice Department and the Federal Trade Commission announced that companies sharing cyberthreat information, so that they could learn from each other and cooperate on putting defensive measures in place, would not violate federal antitrust laws.
"Cyberthreats are increasing in number and sophistication, and sharing information about these threats, such as incident reports, indicators, and threat signatures, is something companies can do to protect their information systems and help secure our nation's infrastructure," Assistant Attorney General Bill Baer, who heads the Justice Department's antitrust division, said at the time. "With proper safeguards in place, cyberthreat information sharing can occur without posing competitive concerns."