While black-clad ISIS terrorists may seem far away, security experts here at home are sounding warning bells that ISIS-sponsored hackers are probing the nation's electric grid. FBI experts say the attempts haven't had much success, but Congress is concerned enough to hold hearings on the topic this morning in Washington.
"Strong intent. Thankfully, low capability," John Riggi, a section chief at the FBI's cyber division, told a conference of utility cybersecurity experts last week. "But the concern is that they'll buy that capability."
The FBI worries that terrorists can purchase black market malware or destructive software from the same organized crime groups that commit financial fraud by stealing credit cards or bank account information.
American energy infrastructure, including power plants, transmission and distribution lines, oil and gas pipelines, and transformers and substations remain vulnerable to cyber attack, according to a report by the House Science Committee last month.
Over the past five years, utilities have been rolling out components of the "smart grid," which allows more information to flow between customers and energy providers, but also includes more entry points for possible hackers.
For example, while the smart grid has made it easier to read meters either remotely or by driving through a neighborhood, it also means that the Internet connection between consumer and utility is more open to attacks.
Convenience and efficiency can lead to more security problems, according to Jason Christopher, senior lead technical leader of cybersecurity for the Electric Power Research Institute.
"There will be more trajectories to attack," he said.
A USA Today investigation earlier this year found that the United States power grid "faces physical or online attacks approximately ‘once every four days.'"
And while there has been no reported cyber-attack that has resulted in widespread loss of power, there have been many attempted attacks by as-yet-unknown groups trying to obtain information about power grid layout and operations.
Data theft is common these days, with everyone from the CIA director to customers at Target getting hacked, but actually breaking into a power plant is another matter, according to EPRI's Christopher.
That's because operational technology, the stuff that moves levers, gears, pumps and devices that transmit energy, is different than your laptop or cellphone.
"You can't put an anti-virus system on some of this equipment," Christopher said.
"We need to focus more of our attention to get ahead of the threat instead of reacting," said Bennett Gaines, senior vice president at FirstEnergy Services, a utility that provides power to six mid-Atlantic states. Gaines said that federal officials take weeks or months to inform utilities about attacks around the country, which is too late for utilities to react.
Brent Stacey, associate lab director at Idaho National Laboratory, said one solution is to develop new kinds of hack-busting communications technology, such as custom analog circuits made with 3-D printer technology that can be stuck between the control network and the part of the power plant being targeted.
At the Capitol Hill hearing, experts told members of the House Science and Technology committee that cyberattacks on the electric grid are on the rise, but many utilities aren't able to share information with each other because of federal security and liability laws.
He also said that some parts of the power grid may have to be taken off-line from Internet connections to keep them truly safe.
Asked whether he would be surprised if a major U.S city electric grid could be brought down by cyberattack, Stacey replied no. "Our monitoring and our detection of these kinds of events is not sophisticated enough to give an answer of yes."