US power plants vulnerable to cyberattack

When federal researchers discovered that outside hackers could take control of the generators used to produce electricity in the US and destroy them, analysts warned that a co-ordinated assault on the grid could blackout large regions and cause devastation akin to scores of hurricanes striking at once.

Regulators asked utilities to fix that design flaw, as they have with others discovered later.

Now, four years since that first warning, experts say that power plants – along with financial institutions, transportation systems and other infrastructure – have become even more vulnerable.

“The next Pearl Harbor we confront could very well be a cyberattack that cripples our power systems, our grid, our security systems, our financial systems, our governmental system,” Leon Panetta, US defence secretary, said at his June confirmation hearing.

The economic damage from a single wave of cyberattacks on critical infrastructure could exceed $700bn – or the cumulative toll of 50 major hurricanes ripping into the nation simultaneously, wrote Stanton Sloane when he was chief executive of SRA International.

Sceptics argue that the dangers are being talked up by those eager to be hired to help. Other countries, such as the UK, are also exposed, but officials agree that the US is the most vulnerable to cyberattack because its companies and people are so dependent on the internet.

Many of the utilities that generate the electricity essential for preserving food and maintaining social order could be shut down by even a small team of committed hackers, researchers say. Attacks on military communications, banks and telecoms companies could be even easier, recent espionage cases suggest.

“There are still huge holes in security in energy and other systems, because they were not designed at the beginning with security in mind,” said retired Lt. Gen. Harry Raduege, a former commander of the US military’s network operations task force who is now with Deloitte.

The utilities say that they have a good record on reliability and are improving. But a joint security “road map” issued last month by the US industry and its regulators conceded that threats are evolving “faster than the sector’s ability to develop and deploy countermeasures”. The plan aims to deploy cyber-secure systems by 2020.

In the US and other countries, the grid is divided up by regions, which in theory should limit potential damage to a single region at a time. But a prolonged blackout in New York, Washington or other major hubs could still have a devastating impact – with pronounced food shortages after a week – and malicious software that works in one region could also work in others.