In association with heise online

22 May 2008, 13:25

Cyber attacks on American energy firms possible

According to a report by a Federal supervisory authority, the Tennessee Valley Authority (TVA), the largest state-owned energy firm in the USA, is vulnerable to electronic attack. The Washington Post today reported that the Government Accountability Office (GAO) considers it possible for crackers to sabotage important systems that are responsible for supplying power to approximately 8.7 million Americans.

The GAO report was requested by a House of Representatives Homeland Security panel on cyber security. Since the energy firm's network is connected to the internet, says the GAO, access to systems that control the generation of energy is theoretically possible. Security holes that have been discovered on the company's computers and networks - mainly blamed on poor antivirus protection and easily overcome firewalls - could be exploited to "manipulate or destroy vital control systems". "As a result", says the GAO report, "systems that operate TVA's critical infrastructures are at increased risk of unauthorized modification or disruption by both internal and external threats."

Some experts blame the level of risk on "Supervisory Control and Data Acquisition (SCADA)" systems, which enable technical processes to be remotely monitored and controlled. Security holes have repeatedly been discovered in these systems very recently. At the beginning of the year, moreover, the CIA reported cyber attacks on energy suppliers – though all the targets were outside the USA.

The Washington Post also quotes arguments of other security experts who don't paint such a black picture. According to them, it isn't easy for crackers to find their way around control systems that are written using custom protocols tailored to individual clients and are embedded in systems they have never previously seen. They claim this is an example of "security by obscurity". Any protection this gives is, however, likely to be gradually undermined, because the operators of many such facilities are migrating from tailor-made legacy systems to commonly used and well-known operating systems such as Microsoft Windows or Linux.

It was possible to discover the security holes at the TVA because it is a state-owned company and is therefore subject to public checks. In the case of private energy suppliers, there are far fewer opportunities for public scrutiny, so greater risks may be going undetected.

