From Scott Carlberg

Cyber threats to the U.S. power grid are in the headlines following military action in Iran. The power system may be a target of hackers. “Cyber warfare has proved particularly attractive to Iran, since a four-decade arms embargo has kept its conventional military from keeping up with other powers in the region,” said the Christian Science Monitor.

ECC wrote about power industry cyber security in December, here and here.

Iranian military action brings the cyber threat into focus. “A country that might not be able to attack the United States with an aircraft, missile or submarine can use a cyber-attack to strike targets on American soil. And as the most common targets are civilian — electrical grids, hospitals, water supplies, transportation infrastructure — cyber-warfare disproportionately threatens citizens, linking American foreign policy with the everyday lives of ordinary Americans. It has the power to transform overseas crises into urgent domestic concerns.” That from the NY Times.

Even without the recent activity attention to cyber threats in the power industry has been high. “A Microsoft researcher presented evidence that an Iranian hacker group has narrowed its choice of infiltration targets to those linked to industrial control systems, the computers that operate facilities such as power plants and factories. …industry and federal security leaders were urging power companies on Friday to practice heightened vigilance about potential cyber vulnerabilities, including remote-access tools that could already be compromised.” (Source)

Password spraying is a hacker tactic that throws many possible passwords at computer systems to try and gain entry. WIRED magazine reported on January 9: “By all appearances, Iranian hackers don’t currently have the capability to start causing blackouts in the US. But they’ve been working to gain access to American electric utilities, long before tensions between the two countries came to a head.”

Industry and trade groups work together on security. Organizations such as the National Association of Regulatory Utility Commissioners – well-known and respected – has developed a Cybersecurity Manual to help state public utility commissions and utilities understand and mitigate cyber risk, for instance. (NARUC cyber report)

The North American Electric Reliability Council, NERC, develops and enforces power industry reliability standards. It has been working with the industry to establish guidelines and processes for cyber protection.

The energy industry has been busy tightening up its systems, but it is a continual effort. Hackers have not caused big U.S. power disruptions, but, “America’s critical infrastructure is increasingly under attack by foreign adversaries,” testified Neil Chatterjee, Chairman of Federal Energy Regulatory Commission to Congress last year. “Physical and cyber-attacks on our critical infrastructure systems have the potential to create significant, widespread, and potentially devastating effects that threaten the health, safety, and economic prosperity of the American people whom we serve.”

Seems bigger than any one person or family. What to do?

If you have a small business, this item from CPO – Chief Privacy Officer – magazine can give you some ideas.

For individuals, the best ideas may already be out there to practice smart anti-cyber practices for home computers and other gear that links to the internet. Since a blackout from a cyber incident would possibly be much like an outage from a storm, consider using good storm prep as one avenue to consider. The U.S. government has this cyber-security website with a basic overview of the issue.

  ***

An FYI: A Vox magazine podcast called RESET released a 21-minute podcast about this issue, called, The other Iranian threat: cyberwarfare. The release date is January 9. It does a nice job on a summary of the issue. The RESET podcast is on the link we have above or iTunes or Stitcher.