Cyber Threats Revealed

 

 
July 26, 2006
 
It was a huge blow to the U.S. Energy Department after it was revealed that sensitive information had been stolen from its computer systems. It was even more disillusioning that the incident, which involved the theft of about 1,500 personnel files from one of the nuclear agencies, had occurred eight months earlier.

Ken Silverstein
EnergyBiz Insider
Editor-in-Chief

While the department has taken major steps to avoid those kinds of problems, it has been the target of several "cyber attacks" that amount to a national security threat, say witnesses who testified before Congress. A report issued last year by the inspector general's office found that the Energy Department was susceptible to computer hackers.

"Results of our independent oversight activities have identified weaknesses that lead us to conclude that the department's unclassified information assets have been operating at an elevated level of risk for compromise and disruption, given today's threat environment," says Glenn Podonsky, director of the office of security and safety at the Energy Department. "The effectiveness of the unclassified cyber security program has varied across the department and is often dependent on the knowledge and initiative of key network personnel utilizing expert-based approaches."

Podonsky went on to say that the firewalls set up to prevent the hacking of "classified" materials are stronger now than ever before. But witnesses at a hearing held by a House Energy and Commerce subcommittee testified that cyber intruders have had success getting "unclassified" materials. Altogether, the Energy Department allocates $140 million a year to cyber security, although it admits that weaknesses are still present.

The most recent incident came to light in June when an undersecretary for nuclear security said that such things as social security numbers and security codes had been stolen from 1,500 employees and contractors of the agency in September 2005. And, contrary to federal law, critical people were not notified -- including affected workers, Secretary of Energy Sam Bodman, or anyone with congressional oversight responsibilities.

Inspector General Gregory Friedman told lawmakers that the department has failed to report roughly half of the cyber attacks that it is required to report under federal law. While he did not try to defend those actions, he did say that employees have generally thought they could fix the problems themselves -- not understanding just how serious the matters were. In the case of the 1,500 stolen personnel files, lawmakers have asked for the resignation of top officials who knew of the event but did not tell the appropriate authorities.

Along those lines, Friedman says that the Federal Energy Regulatory Commission should provide more effective safeguards for its information systems, although he adds that it has made a lot of progress in recent years. The commission, which spends about $720,000 annually on cyber security, must still improve access controls to prevent unauthorized access to delicate information.

"These tests also revealed that improperly configured system servers provided higher-level privileges to users than was necessary for them to perform their duties," Friedman wrote in a report. "As noted in guidance developed by the National Institute of Standards and Technology, individuals should generally be provided with the least privileged access consistent with their assigned duties to help minimize the risk of unauthorized or malicious use."

No Guarantees

Individual utilities remain vulnerable. An increasing number of customers, for instance, are paying their bills online. As a result, power companies now possess vital information, such as bank account data and in some cases, credit card numbers. Some businesses use outdated software that can be breached. And, utilities often have enemies, such as angry former employees, customers or landowners as well as anti-utility organizations. At the same time, hackers may steal the information and sell it over the Internet.

The risks are greater now than ever before. The total interconnectivity of networks through the Internet has given hackers new ways to get critical information. That's why the North American Electric Reliability Council has developed standards for utilities when it comes to protection of their information systems. Indeed, power grids are susceptible to not just worms and viruses that can disrupt business but also to large-scale onslaughts intent on completely shutting down systems.

Each year, power companies are now supposed to certify with FERC that they have developed robust systems that can continue to generate and deliver power if attacked. A failure to meet that target could result in being denied the privilege of participating in the wholesale market, or the right to buy and sell power as well as interface with systems that do transact commerce.

The specific steps that individual utilities are taking are kept highly secret because the companies do not want any intruder to infringe on their security. But according to papers filed by the reliability council, each company should prioritize its facilities and assets as well as characterize potential risks based on historical accounts.

Even then, no guarantees exist. As for the 1,500 stolen files, experts say that the hacker gained access by penetrating a number of firewalls. "There is no such thing as no risk and no such thing as perfect cyber security," says Tom Pyke, chief information officer at the Energy Department, in congressional testimony.

Undeniably, sophisticated cyber attackers could get access to information systems that control the electric power grid -- all within the comfort of their living quarters. It's a danger with which energy companies are learning to cope. But the utility industry has responded successfully to such physical perils as hurricanes and ice storms. And there's every reason to believe it will rise to this "modern" challenge as well.
