[ISN] Congress Alarmed At Cyber-Vulnerability Of Power Grid

From: InfoSec News (alerts@private)
Date: Mon May 26 2008 - 23:09:46 PDT


By Andy Greenberg

Last June, the Department of Homeland Security leaked a video 
documenting a disturbing experiment. Using only digital means, 
researchers hacked into a power plant's generator and caused it to cough 
and shake before shutting down in a cloud of black smoke.

That clip, demonstrating what has since become known as the Aurora 
vulnerability, served as a wake-up call for regulators, highlighting the 
need to guard against cyber-security threats to critical infrastructure 
like power plants and the telecom system. But at a hearing Wednesday, 
members of the House Committee on Homeland Security warned that those 
regulatory bodies aren't moving fast enough.

"I think we could search far and wide and not find a more disorganized 
response to a national security issue of this import," said Rep. James 
Langevin (D-R.I.), chairman of the Subcommittee on Emerging Threats, 
Cybersecurity and Science and Technology. He pointed a finger at several 
groups: the DHS for giving scanty details of its video-taped simulation; 
the power industry for working too slowly to mitigate the threat; and 
the North American Electric Reliability Corporation, an industry group, 
for failing in its role as the self-regulatory body assigned to ensure a 
consistent national power supply. "Everything about the way this 
vulnerability was handled ... leaves me with little confidence that we're 
ready or willing to deal with the cyber security threat," he said.

The House's criticisms focused primarily on the electric utility 
industry group, NERC. They argued that the advisories issued by NERC are 
ineffective and that it has repeatedly misled the House in its 
investigation of the Aurora vulnerability.

Rep. Bill Pascrell (D-N.J.) recalled that in a subcommittee hearing last 
October on the Aurora vulnerability, a NERC representative told him that 
75% of the nation's power plants had made progress in securing their 
systems against cyber threats. But when the subcommittee requested that 
survey, Pascrell said, it became clear that NERC had only performed the 
research two days after the subcommittee hearing.

"You are not going to sit there and waste my time telling us you're 
doing the job you're supposed to do," Pascrell said. "Who do you think 
we are, a bunch of jerks?"

