The advanced age of the U.S. electricity grid, which has been retrofitted with technology over the years to balance supply and demand, poses the biggest cybersecurity threat to the power sector, a new report by the computer security firm McAfee warns.
"An estimated 70% of the existing energy grid is more than 30 years old. In the effort to update it and integrate it with more modern installations, connecting aging systems to the internet without the benefit of encryption, security has largely been an afterthought," says the analysis by McAfee Inc., the security software firm acquired by Intel in 2010 for nearly $7.7 billion. According to the report, "more malware was detected on computer networks in 2011 than in all previous years combined, with critical infrastructure a prime target."
Attackers are gaining access to smart grids by penetrating the myriad ways workers remotely operate control systems, commonly used by electric utilities and natural-gas-pipeline companies to "run turbines, generators and other heavy-duty equipment," the McAfee report says. Other key vectors are found at the interconnection of embedded software and devices directing the flow of energy as utilities use more off-the-shelf software that is easier to penetrate than proprietary software. "Of particular concern in the power sector is the vulnerability posed by smart meters," which often have few security features and are easily accessed, says Eric Knapp, critical infrastructure director at McAfee.
Smart-grid metering was vulnerable, says Dan Rueckert, associate VP for compliance, security and risk at consulting firm Black & Veatch.
"We've advised some utilities to stop metering activities until systems are upgraded, and we have stopped a few projects until it was done," Rueckert says. "There are a lot of checks and balances."