DHS Concerned over Threats to Electrical Grid

Oct. 1, 2007
DHS: Attacks on power grid could involve network and data system hacks

WASHINGTON -- The Homeland Security Department improperly disclosed details about a serious threat to the U.S. electrical grid to industry researchers just days after it produced a video showing simulated hackers remotely seizing control over a $1 million diesel-electric generator.

The equipment self-destructed in a cloud of smoke and flying parts.

Worried that technical details could leak among terrorists or unfriendly foreign governments before equipment makers could fix the problem, the Bush administration contacted the small group of researchers afterward and urged them not to reveal anything they had been told. People familiar with the miscue described it on condition of anonymity because they were not authorized to discuss it publicly.

The disclosures - made by a Homeland Security employee without authorization from his supervisors - occurred during private briefings in Atlanta at a trade conference in March.

The video, obtained late Wednesday by The Associated Press, was marked "Official Use Only." It shows commands quietly triggered by simulated hackers having such a violent reaction that the enormous generator - obtained from Alaska's power grid for testing purposes - shudders as pieces fly apart and it belches black-and-white smoke.

The video was produced for top U.S. policymakers by the Idaho National Laboratory, which has studied the little-understood risks to the specialized electronic equipment that operates power, water and chemical plants.

The White House said Thursday it is working to improve cybersecurity with more coordination and cooperation among federal agencies, state and local governments and companies. "For example, with electrical grids, a lot of that security is handled by (the) private sector," White House spokeswoman Dana Perino said.

The electrical attack never actually happened.

The recorded demonstration, called the "Aurora Generator Test," was conducted in March by government researchers investigating a dangerous vulnerability in computers at U.S. utility companies known as supervisory control and data acquisition systems. The programming flaw was quietly fixed, and equipment makers urged utilities to take protective measures.

The technology industry has debated for years the timing of announcements that products may be vulnerable to attacks or break-ins. Disclosures made too quickly - before protective measures can be put in place - can increase risks by tipping off attackers. But warnings issued too slowly can leave utilities and customers unprotected.

The video was produced just days before the annual meeting of an organization of researchers, governments officials and equipment manufacturers. At invitation-only meetings at the conference, the Homeland Security Department described the threat and even aired the video showing the generator tearing itself apart, participants said. Realizing its mistake afterward, the government warned researchers not to discuss the threat and reminded them the video was intended for "Official Use Only."

There was no evidence any U.S. utility companies have suffered damage from hackers or terrorists using this technique, U.S. officials said. But these officials cautioned that affected systems are not monitored the same way that many modern corporate computer networks are, so there would be little forensic evidence to study after such a break-in.

President George W. Bush's top telecommunications advisers concluded years ago that an organization such as a foreign intelligence service or a well-funded terror group "could conduct a structured attack on the electric power grid electronically, with a high degree of anonymity, and without having to set foot in the target nation."

The Idaho National Laboratory - which produced the new video - has described the risk ominously as "the invisible threat."