The U.S. needs to be more aggressive in putting critical energy infrastructure out of reach of cyberattacks, a top official of the government’s Idaho National Laboratory warned lawmakers.
Brent Stacey, the lab’s associate director, told a pair of House subcommittees Wednesday that the problem is bad and getting worse.
“The dynamic threat is evolving faster than the cycle of measure and countermeasure, and far faster than the evolution of policy,” he said.
There are more cyberattacks against the energy sector than any other industry. Energy companies say they are under constant assault, and the Department of Homeland Security’s Cyber Emergency Response Team responded to 79 attacks on American energy assets last year.
“Reported incidents affecting the electricity subsector have had a variety of impacts, including hacks into smart meters to steal power, failure in control systems devices requiring power plants to shut down, and malicious software disabling safety monitoring systems,” according to a U.S. Government Accountability Office statement released Wednesday.
A study this summer by the insurance company Lloyd’s of London and the University of Cambridge found that a major cyberattack on the U.S. power grid has the potential to cause a trillion dollars in damage.
“The scenario predicts a rise in mortality rates as health and safety systems fail; a decline in trade as ports shut down; disruption to water supplies as electric pumps fail and chaos to transport networks as infrastructure collapses,” according to the report from Lloyd’s and Cambridge.
The scenario described in their report involves an electricity blackout that plunges New York City, Washington, and 15 states into darkness, leaving 93 million people without power.
“The scenario, while improbable, is technologically possible,” according to the report.
Bennett Gaines, senior vice president of FirstEnergy Service Co., said Wednesday that utilities have been effective at blocking attacks but that greater efforts will be needed. Those include the faster sharing of information between government and the industry, he said.
Cyberattacks are on the rise and the behavior of cyberterrorists has become increasingly destructive.
Bennett Gaines, senior vice president of FirstEnergy Service Co.
FirstEnergy has 10 electric companies in the Midwest and Mid-Atlantic.
“Cyberattacks are on the rise and the behavior of cyberterrorists has become increasingly destructive,” Gaines told the House subcommittees on energy and science at a joint hearing on the threat.
The Idaho National Laboratory, the government leader in cybersecurity, said there are big challenges to preventing attacks.
Those include a lack of security experts and a widespread but mistaken belief that physically isolating a computer system from the Internet will make it invulnerable to hackers.
“The demand for trained cyber-defenders with control systems knowledge vastly exceeds the supply,” Stacey said.
He said the nation has to go beyond “measures and countermeasures” – dealing with the daily bombardment of attacks – and needs to figure out how to protect critical energy assets for the long term.
The Idaho National Laboratory is “pursuing a grand challenge to develop novel and deployable solutions to take a set of high-value infrastructure assets off the table as targets,” Stacey told the members of Congress.