The Wall Street Journal published an interesting article today covering the penetration of the U.S. electrical grid by spies from China, Russia and other countries. According to the report, the spies also installed malicious software that could be used to disrupt operations if instructed to do so.
From the article:
The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.
This coincides with a letter (PDF) sent out by NERC VP and CSO Michael Assante yesterday (dated April 7), which called for better identification and reporting of critical assets by the entities responsible for the nation's Bulk Electric System, as required by CIP Standard 002-1 Critical Cyber Asset Identification. Apparently many of these entities under-reported their Critical Assets (CA) and associated Critical Cyber Assets (CCA) in a recent self-certification survey:
Closer analysis of the data, however, suggests that certain qualifying assets may not have been identified as 'Critical'. Of particular concern are qualifying assets owned and operated by Generation Owners and Generation Operators, only 29 percent of which reported identifying at least one CA, and Transmission Owners, fewer than 63 percent of which identified at least one CA.
Over at the Digital Bond blog, Jason Holcomb offers up some quality analysis of Assante's letter:
But he then addresses the reality that many of the entities may (sic) not have gotten the "cyber security paradigm" that always comes up in the philosophical discussions of CIP-002. He puts it very eloquently but here's the one sentence version: it's not just about the loss of an asset, it's about what happens if an attacker gains control of that asset. (emphasis added)
This isn't the first time that major news reports have put the spotlight on the threat to the critical infrastructure of the U.S. Progress has been made in recent years, but based on the WSJ article it's clear that too little has been done so far to provide sufficient protection for the power grid. The optimist in me hopes that this new report will tip the scales where it counts and lead to stronger public and private efforts to do what is necessary for the greater good.