WASHINGTON — Adam Crain assumed that tapping into the computer networks used by power companies to keep electricity zipping through transmission lines would be nearly impossible in these days of heightened vigilance over cybersecurity.
To his surprise, it was startlingly easy.
When Crain, the owner of a small tech firm in Raleigh, N.C., shared the discovery with beleaguered utility security officials, the Homeland Security Department began sending alerts to power grid operators, advising them to upgrade their software.
The alerts haven’t stopped because Crain keeps finding new security holes he can exploit.
“There are a lot of people going through various stages of denial” about how easily terrorists — or anyone — could disrupt the power grid, he said. “If I could write a tool that does this, you can be sure a nation state or someone with more resources could.”
In Congress, the vulnerability of the power grid has emerged as among the most pressing domestic security concerns. It is also among the most vexing.
At times, lawmakers appear to be working at cross purposes. Some want to empower regulators to force specific security upgrades at utilities. Others are attacking whistleblowers and the media, demanding an investigation into disclosures of how easily the country’s power grid could be shut down.
The magnitude of the problem is underscored by insurance giant Lloyds of London, whose appraisers have been making visits lately to power companies seeking protection against the risk of cyberattack. Their take-away: Security at about half the companies they visit is too weak for Lloyds to offer a policy.
“When Lloyds won’t insure you, you know you’ve got a problem,” said Patrick Miller, founder of the Energy Sector Security Consortium, a Washington-based nonprofit that advocates for tougher cybersecurity measures for the electricity industry.
The challenges are compounded by lingering tensions between federal law enforcement and the industry. Each accuses the other of being territorial and evasive, neglecting to share confidential incident reports, intelligence analyses and other sensitive data.
Power companies, eager to keep regulators at bay, find themselves in a bind. They need to show quickly that they are equipped to protect the grid against outside attacks. They warn the grid is so massive, complicated and fragile that any tinkering needs to remain the responsibility of those who operate it day to day, not well-intentioned but inexperienced federal regulators.
“The notion of … a single government agency giving an order to direct changes in the grid is extremely dangerous,” said Gerry Cauley, chief executive of the North American Electric Reliability Corp., the quasi-governmental organization through which utilities manage the power grid.
Even security experts who criticize Cauley’s organization for moving too slowly agree his argument has merit. The problem, said Scott White, a security technology scholar at Drexel University in Philadelphia, is that “you are basically dealing with these monopolies that are determining for themselves which expenditures are a priority. Security has not generally been one.”
Utilities deny they’ve ignored the problem, pointing to the billions of dollars they say they’ve spent to upgrade outdated computer systems and close security holes.
They are signing contracts with security firms like Booz Allen Hamilton to investigate such things as to how to keep potentially mischievous devices out of the equipment they buy, often from foreign suppliers. The security firms help clients sift through reams of confidential intelligence provided by federal agencies. They simulate cyberattacks.
“It is the equivalent of war gaming, like the military does,” said Steve Senterfit, vice president of commercial energy at Booz Allen Hamilton.
But critics, including many in Congress, say more needs to be done to shore up a grid increasingly exposed to attacks. They note that so-called smart grid technology, which allows operators to calibrate the flow of energy from an increasingly diverse pool of sources, has opened new security risks.
The technology relies on devices in remote locations that constantly send signals to substations to help control when juice needs to be brought on and offline. The smarter the grid becomes, though, the more entry points an attacker can exploit.
“The whole idea of a smart grid is to push equipment further and further away from the substations,” Crain said. “Some of it is even in people’s homes. It’s physically impossible to secure it all.”
The vulnerabilities Crain exposed, for example, had been overlooked because taking advantage of them requires an attacker to have access to closed, local networks. Now, a cyberterrorist with a little knowledge and the right laptop can gain that access and cause chaos in a regional power system merely by linking up with the control panel at a secluded electric vehicle charging station.
Other attacks can take shape without computers.
A year ago, unknown assailants opened fire on a power station near San Jose, nearly knocking out electricity to Silicon Valley.
Last month, New Jersey’s Regional Operations Intelligence Center, a state agency that monitors security threats, published a report revealing constant breaches at power stations. The incidents involved people armed with such mundane equipment as false identification, wire cutters and crowbars.
The report, first disclosed in the Washington Free Beacon, a conservative newspaper, declared the power grid “inherently vulnerable” to attack.
“Many of the grid’s important components sit out in the open,” the report said, “often in remote locations, protected by little more than cameras and chain-link fences.”