US utilities under daily, constant cyberattacks: report


Summary: A new report claims that a number of U.S.-based utilities are fending off cyberattacks on a daily basis.


A report issued by U.S. Congressmen Ed Markey and Henry Waxman says that the number of cyberattacks focused on core infrastructure continues to rise, with one utility facing roughly 10,000 assaults every month.

Within the 35-page "Electric grid vulnerability" report (.pdf), out of 160 surveyed U.S. utilities, over a dozen indicated they face "daily," "constant," or "frequent" cyberattacks against their systems. These attacks range from "phishing to malware infection to unfriendly probes."

One power provider said it was under "constant cyber attack from cybercriminals including malware and the general threat from the Internet," and another commented that the company was "subject to ongoing malicious cyber and physical activity." Network probes that look for vulnerabilities in systems and applications are a daily problem, and much of this activity is automated and dynamic in nature.

The report says:

"Grid operations and control systems are increasingly automated, incorporate two-way communications, and are connected to the Internet or other computer networks. While these improvements have allowed for critical modernization of the grid, this increased interconnectivity has made the grid more vulnerable to remote cyber attacks."

According to the research, grid vulnerabilities have major economic ramifications, as well as the potential to black out cities that depend on power grids. It is estimated that power outages and disturbances cost the U.S. economy between $119 billion and $188 billion per year, and a single event, such as a successful cyberattack, can cost upwards of $10 billion.

In March, U.S. intelligence officials said that cybercrime is more of a threat than terrorism, and the constantly evolving nature of cybercrime makes it difficult to keep up and make sure critical services and infrastructure are adequately protected.

The Department of Homeland Security has confirmed that in 2012, the number of cyberattacks centered on Federal agencies, critical infrastructure and industrial bodies rose by 68 percent in comparison to 2011.

While the report's tone rings alarm bells, none of the surveyed utilities reported a successful breach of their systems, and most attacks did not even warrant a report. According to Reuters, a number of utilities believe the report is "overblown," and that systems are adequately protected through the mandatory standards set by the North American Electric Reliability Corp (NERC).

Arkansas Electric Cooperative Corporation Chief Executive Duane Highley told the publication:

"The majority of those attacks, while large in number, are the same attacks that every business receives. Those are very routine kinds of attacks and we know very well how to protect against those. Our control systems are not vulnerable to attack."

Topics: Security, Government US

  • Daily attack

    Any always-on internet connection is under daily attack. With hundreds of thousands of already infected computers sending out regular attacks with worms, it is a rare day that any server is not attacked at some level. Very basic protections will fend off most of these attacks.
  • Vague to the point of uselessness.

    "General threat of the internet."


    Automated probes and malware attempts are common throughout internet connected devices. Why are we specifically excited about utilities?
    • In the dark??

      I certainly am concerned about persistent attacks on our utilities. All the standards, firewalls, and just plain common sense won't stop a dedicated attack; it just slows down the attacks' potential successes. Maybe the collective "WE" should be considering a solution similar to the military 'SIPRNet' for connecting electric, gas, water and sewage controls to make it even more difficult for the eventual success of a cyber breach!
      • Common Sense

        1. ANY device connected to the internet is subject to attack. It's the nature of the beast.
        2. If a utility has critical systems accessible from the public internet, there's a problem with the utility's management.

        So yeah, a private network makes some sense.
  • I have to agree

    I completely agree with the first to replies. Useless, fear-mongering congressional report - shame on ZDNet for lending this any technical credibility by allowing it to be mentioned in the blog.

    Bryce White
    • oops

      First two replies, not to replies :) My ocd kicked in, sorry :(
  • Cyber Kung-fu

    It's time to put our hands up and fight back. I'm tired of America trying to play nice when the rest are not. It's time to lead, follow, or get the hell out of the way!
  • That is quite a boast

    Arkansas Electric Cooperative Corporation Chief Executive Duane Highley told the publication:

    "... Our control systems are not vulnerable to attack."

    Overconfidence here would be a disaster!
  • Managing the risk in your favour

    In my view security is largely about Risk management.
    I'm not sure that the report was gathered by those with the understanding of either the risk perspective or the technical perspective - but I have not read the report.

    Yes every node on the internet is subject to probing and automated attacks. These generic attacks can be defeated with basic precautions. The volume and/or frequency of most automated attacks is almost irrelevant to someone with protection in place.
    This is no surprise and should not warrant a mention in such a report.

    In jargon buzzword fear mongering an Advanced-Persistent-Threat is the higher risk: IE an adversary with resources, and dedication to a specific target.
    This is where the report should be focussed.

    @ Common Sense,
    I would question your point 2. Where there are sufficient controls in place there should be no problem with having critical infrastructure available from public internet.
    To my mind if it is unacceptable for critical infrastructure to be accessible from the public internet, then it is unacceptable for critical infrastructure to be accessible by public roads. There can be gateways that form acceptable barriers in both the physical and virtual spaces.

    I am vaguely concerned by comments suggesting there is a quick fix by taking these facilities off public networks. That alone is only a part of a solution, and yes false confidence here could be disastrous.
    Please consider that there appear to be recent cases of infections across air-gap security: IE systems kept off networks. The need to program or control a system can tempt the use of a device crossing the quarantine of an air-gap. Where a zero-day (unpatched) exploit exists then the clean environment can then become infected, and there is no possibility for anyone to have mitigated the attack since it comes via a zero day exploit. The attack may even succeed without the victim being aware.

    Walled gardens, air gaps, dedicated networks - all these fall under the same paradigm of protection and they are not a panacea. They do not stop vulnerabilities, if they mitigate vulnerabilities it is only until the first time they are incorrectly maintained. Iran's nuclear program was hit, I have my doubts that the lessons from this have been learned.

    It is always an uneven playing field, but as the owner of a resource you have control over how that works.
    If an attacker can afford to fail time after time and the defender cannot afford a failure, then it is stacked in the attacker’s favour.
    Layering defences moves the balance towards the defender’s favour. If the layers regularly change then the attacker gets a time limit on the value of a success. Hence a layered approach with regular change becomes a much more defensible position. If your defence learns and evolves at a similar rate to an attacker’s capability, then your outlook improves significantly, and it starts looking like attackers can be kept at bay indefinitely.
  • Is there a good offense?

    "The best defense is a good offense!" We've been doing a lot of defense against attacks. I see or hear of no offensive measures being taken to track and trace the offenders. Maybe we're more interested in crying over spilled milk than in taking the battle to the criminals? Where are the deterrents? How many businesses employing hundreds of people have failed because of the losses incurred by even one successful attack? Is there a disaster recovery plan in place that will match or exceed your recovery plans for fire, flood, storm and burglary?
  • Why are our utilities control systems online?

    I'm not sure if I understand why the control systems to our utilities are online in the first place. What benefit are we getting from that? Wouldn't a private network be a better idea?