Nationwide rolling blackouts could have a devastating impact on the economy, but experts also fear that the stress being placed on the nation's power grid could make it more susceptible to disruptions from hackers.
In California's Silicon Valley, large Internet data centres have been blamed for stressing the region's power grid beyond what its Korean War-era design can handle. Now other states, including Oregon, Utah and Washington, are preparing for possible rolling blackouts.
"From a cyber security perspective, the electric power grids in the West are now more fragile, [and] margins for error are significantly less," said Tim Bass, CEO of The Silk Road Group, a network security consulting firm in Virginia. "With diminishing margins and power reserves, the probability for cascading catastrophic effects [is] higher," said Bass, who is also a longtime information security consultant for the US Air Force.
The recent power shortages come as the Critical Infrastructure Assurance Office (CIAO) of the US Department of Commerce on February 22 delivered to Congress the first status report on private sector efforts to bolster cyber defences for systems that run critical sectors of the economy. Although progress has been made in improving information sharing, officials acknowledged that they still know very little about how failures in one sector could affect the others.
"In the context of broader infrastructure assurance, the scale and complexities of the energy infrastructure and their impact on infrastructure security and reliability are not fully understood," the report states.
The energy industry continues to be the target of Internet-based probes and hacker attacks that seek to exploit known vulnerabilities in off-the-shelf software and systems that are increasingly being used to control and manage the power grid, according to the CIAO report.
Likewise, the sector continues to fall victim to poor personnel security practices, ports and services that are open to the Internet, outdated software without current security patches and improperly configured systems.
"With the system itself teetering on the brink of collapse, it becomes easier for a smaller incident to have a wider impact," said David Thompson, a security analyst at PricewaterhouseCoopers. "For instance, if someone were to find a way to force the shutdown of a single power plant or a section of the power grid, the results would be much more devastating, since there is not enough reserve capacity to take up the slack."
In addition to the technical risks, analysts said they're also concerned about the publicity generated by the recent crisis in California and the possibility that hackers may try to exploit known vulnerabilities to make a bad situation worse.
"One risk with a situation like this is that it exposes the flaws of the system to public scrutiny," said Thompson. "It shows everyone how vulnerable our economy is to a power disruption. Like it or not, there are people in the world [who] pay attention to such revelations."
"Any time the visibility of a system is raised, it acts as an attack magnet," said John Pescatore, an analyst at Gartner Group. Pescatore recommended that companies, particularly utility companies, treat the power crisis as a signal to begin stepping up network monitoring and security operations. Although he downplayed the likelihood that a cyber attack could lead to widespread power failures, Pescatore characterised the link between the stress level on the power grid and its vulnerabilities as "like blood in the water to a shark".
"Hackers smell weakness and a chance for their 15 minutes of fame," said Pescatore.
But electric companies have made significant progress in stepping up their security preparedness and have also set up an Information Sharing and Analysis Center to enable system administrators to share information with the FBI's National Infrastructure Protection Center, said Gene Gorzelnik, a spokesman for the North American Electric Reliability Council in New Jersey.
"When a transmission system is stressed, the system operators and security coordinators are operating at a heightened level of alert so they can quickly address and return the transmission system to normal from any situation that may occur," said Gorzelnik. "The electric system can withstand sudden disturbances such as electric short circuits or unanticipated loss of system elements. This was the case decades ago, and it is still true today."