Experts are also warning that the new breed of smart, highly-automated energy grids (clean energy-espousing "smart grids") could open the door to attackers, citing the growing use of remote access technologies such as Bluetooth within power plants. "It makes the grid more vulnerable, there's more points of attack," said Weiss.
Attempts to Protect Us
The North American Electric Reliability Corporation (NERC), an industry standards body that aims to keep the country's power systems up and running, proposes standards for approval by the Federal Energy Regulatory Commission (FERC), which it is then largely responsible for enforcing.
In an attempt to plug the power grid attack gap, NERC proposed a set of Critical Infrastructure Protection (CIP) standards to federal regulators earlier this year. The suggested solution covers areas like physical security, systems management, incident reporting and recovery plans. Who exactly will be covered by these standards, however, is controversial.
NERC's proposal to FERC calls for only power plants with a generating capacity above 1,500 megawatts to be covered by the cyber-security standards. NERC itself admits that this would cover just 29% of America's power generator capacity.
(By way of comparison, 1 megawatt is enough energy to power 1,000 average homes, according to ED, which expects a peak demand of 13,275 megawatts in its service area this summer.)
"This means that 70% of the power plants will not even be looking at cyber security," said Weiss. "NERC has effectively put out a roadmap for hackers to attack the grid."
Rep. Langevin also thinks that the grid needs better protection. "I don't think that that 1,500-megawatt standard is sufficient," he said. However, "it's a small step in the right direction."
"As a citizen, I would be happier if a clear majority of the power my society relies on was secured from at least opportunistic cyber-attacks," added Andrew Ginter, industrial security director at Waterfall Security Solutions, in a recent blog post. "The new ... rule will not bring this about."
The Commission, however, questioned NERC on the 1,500-megawatt threshold, asking for more details in a filing earlier this year. In its response, NERC acknowledged that the proposal "does not capture all assets in North America," but maintained that this is still a "significant step" toward better security.
In a blog post last week, Weiss also argued that the number of facilities covered could be less than the 29% cited by NERC.
Alluding to a recent survey of NERC's membership, Weiss said that, out of just under 11,000 power generating units, around 600 would be classified as "critical assets" that require cyber-security protection.
FERC declined to provide comment for this story, explaining that it is unable to discuss pending proposals. NERC has not yet responded to a request for comment.