U.S. concerns about the potential for cyber-attacks on critical infrastructure extended to the American electrical power grid on Wednesday and experts pointed the finger anew at Chinese hackers, among others.
U.S. Homeland Security Secretary Janet Napolitano told reporters the power grid is vulnerable to potentially disabling computer attacks, while declining to comment on reports that an intrusion had taken place.
The vulnerability is something that the Department of Homeland Security and the energy sector have known about for years, she said. We acknowledge that ... in this world, in an increasingly cyber world, these are increasing risks.
Napolitano spoke after the Wall Street Journal reported that cyberspies had penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system.
The Journal said the intruders have not sought to damage the power grid or other key infrastructure but could try during a crisis or war.
The United States for several years has accused the Chinese and Russians, among others, of using cyber-attacks to try to steal American trade secrets, military secrets and government secrets.
The Chinese have been particularly active, a former U.S. security official told Reuters.
They are all over the place, said the official, who spoke on condition of anonymity. They're getting into university systems, contractor systems, hacking government systems. There's no reason to think that the electrical system would be immune as well.
Eric Rosenbach, executive director for research at Harvard University's Kennedy School of Government's Belfer Center, said that if true, it showed that the Chinese and Russians are thinking strategically about how to either constrain the United States or inflict more damage if they ever felt they needed to do so.
I think that China recognizes if in a very strategic sense you want to ensure you have the ability to exploit another country's potential weakness or vulnerability but do it in a way that isn't confrontational or cause an international crisis, then this is a very good way of doing that, he said.
President Barack Obama, aware of the concerns about the vulnerability of infrastructure, has launched a cyber review that is expected to be completed in the coming weeks.
The president takes the issue of cybersecurity very seriously, which is why he ordered a top-to-bottom review shortly after taking office, said White House spokesman Nick Shapiro.
He said the White House was not aware of any disruptions to the power grid caused by deliberate cyber-activity here in the United States.
The Department of Homeland Security works with industry to identify vulnerabilities and to help industry enhance the security of control system networks. The federal government is also working to ensure that security is built in as we develop the next generation of 'smart grid' networks, Shapiro said.
Mississippi Democratic Representative Bennie Thompson, chairman of the House of Representatives Homeland Security Committee, said he would introduce legislation to address the grid's vulnerability to cyber-attack.
Our electric system is critical to our way of life, and we cannot afford to leave it vulnerable to attack. Our oversight indicates there is a significant gap in current regulation to effectively secure this infrastructure, he said.
The United States is not alone. CIA analyst Tom Donahue told a power-industry conference last year that we have information from multiple regions outside the United States, of cyber-intrusion into utilities followed by extortion demands.
The North American Electric Reliability Corp, the industry group with responsibility for grid reliability and security for the United States and Canada, said it was unaware of any cyber-attacks that have led to disruptions of electric service. The group has been working for several years with the industry to create and implement cybersecurity measures.
NERC and industry leaders are taking steps in the right direction to improve preparedness and response to potential cyberthreats, the group said. There is definitely more to be done.
American Electric Power Co spokeswoman Melissa McHenry said the utility takes security and reliability of the grid seriously.
We long ago identified that there are numerous scans and probes of our networks from external sources and have put in place a very comprehensive multilayered security system to protect it from internal and external intrusion attempts, she said.
Still, she said, We realize that there are no guarantees that you can always be completely safe from a cyber-attack. We continually monitor the effectiveness of our systems and seek to enhance them.
(Additional reporting by David Alexander in Washington, Michael Erman in New York and Eileen O'Grady in Houston; Editing by Will Dunham)