Skip to main content

Hackers reportedly have embedded code in power grid

  • Story Highlights
  • 2 ex-federal officials say U.S. electrical grid, other infrastructure targeted
  • Homeland Security doesn't confirm a breach, says no damage caused by one
  • Expert says this kind of code could be difficult to detect
  • Next Article in Technology »
From Jeanne Meserve
CNN
Decrease font Decrease font
Enlarge font Enlarge font

WASHINGTON (CNN) -- Computer hackers have embedded software in the United States' electricity grid and other infrastructure that could potentially disrupt service or damage equipment, two former federal officials told CNN.

The ex-officials say code also has been found in computer systems of oil and gas distributors.

The ex-officials say code also has been found in computer systems of oil and gas distributors.

The code in the power grid was discovered in 2006 or 2007, according to one of the officials, who called it "the 21st century version of Cold War spying."

Department of Homeland Security Director Janet Napolitano would not confirm such a breach, but said Wednesday that there has been no known damage caused by one.

"There have been, to my knowledge, no disruptions of power on any grid caused by a deliberate cyberattack on our infrastructure -- on the grid," Napolitano said. "Nonetheless, we remain in constant protection, prevention, education, resiliency mode and we work with the utility sector particularly on that." Video Watch security officials explain threat »

The U.S. power grid isn't the only system at risk. The former officials said malicious code has been found in the computer systems of oil and gas distributors, telecommunications companies and financial services industries.

Napolitano said the vulnerability of the nation's power grid to cyberattacks "has been something that the Department of Homeland Security and the energy sector have known about for years," and that the department has programs in place to fight such attacks.

Security experts say such computer hacking could be the work of a foreign government -- possibly Russia or China -- seeking to compromise U.S. security in the event of a future military conflict.

Former CIA operative Robert Baer said he is not aware of a specific breach like the one the former officials describe. But he said people in the intelligence community assume that such attacks from countries like China go on all the time.

"Their foreign intelligence service has been probing our computers, our defense computers, our defense contractors, our power grids, our telephone system. ... I just came from a speech at the national defense university and they were hit by the Chinese trying to get into their systems," Baer said.

"They are testing and have gotten in portals. It's a serious threat."

Baer said if the software was embedded by a foreign government, he doubts it would be used to launch a surprise attack. Instead, he said, that government likely would keep the bugs in place in case of a future conflict with the United States.

"It's deterrence in the event of war," he said. "They will have another weapon at their disposal, which will be to turn off our power."

When the coding is found, it can be destroyed. But experts said that's easier said than done.

"If you have somebody who knows what they're doing writing that code and embedding it in a clever way, you can look right at it and not recognize it," said Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit, an independent research institute.

And even when it's found, Borg said, confirming the source of a cyberattack can be next to impossible.

"Anonymity is a fact of life in the cyberworld," he said. "It's very easy to run an attack through somebody else's computer. It's very easy to embed code in Russian or Chinese when you're not Russian or Chinese.

"So it's very difficult to be confident on where anything like this comes from."

Critics of the utilities industry have accused it of not doing enough in the past to defend against cyberassaults. But Ed Legge, spokesman for the Edison Electric Institute, which represents shareholder-owned electric companies, said the industry takes the threat seriously and has made progress in closing some of the loopholes that would allow such attacks.

President Obama has started a 60-day review of all the nation's efforts at cybersecurity that is expected to be completed by April 17, Napolitano said.

While utility grids are owned by industries, not the government, Napolitano said her department will continue working with power companies and other industries to help prevent an attack that could cripple power or other vital services.

advertisement

"Can we continue to work to enhance efforts within critical infrastructure like the utility grid? Yes," she said. "Are we continuously looking for ways to enhance and educate for the prevention and protection of the cyberworld? Absolutely.

"Is this a priority of the president's and of all of us that are involved with safety and security? You bet."

  • E-mail
  • Save
  • Print
Today's Featured Product:
2011 BMW Z4 sDrive35is
 8.0 out of 10
Recent Product Reviews:
RIM BlackBerry Torch 9800 (AT&T)
 8.0 out of 10
Motorola Rambler - black (Boost Mobile)
 7.0 out of 10
Samsung UN46C6500
 6.9 out of 10