Security holes in power grid have federal officials scrambling
In Congress, the vulnerability of the nation’s power grid has emerged as among the most pressing domestic security concerns. It is also among the most vexing.
Tribune Washington Bureau
WASHINGTON — Adam Crain assumed that tapping into the computer networks that power companies use to keep electricity zipping through transmission lines would be nearly impossible in these days of heightened vigilance over cybersecurity.
To his surprise, it was startlingly easy.
When Crain, the owner of a small tech firm in Raleigh, N.C., shared the discovery with beleaguered utility security officials, the Homeland Security Department began sending alerts to power-grid operators, advising them to upgrade their software.
The alerts haven’t stopped, because Crain keeps finding new security holes he can exploit.
“There are a lot of people going through various stages of denial” about how easily terrorists, or anyone, could disrupt the power grid, he said. “If I could write a tool that does this, you can be sure a nation state or someone with more resources could.”
In Congress, the vulnerability of the power grid has emerged as among the most pressing domestic security concerns. It is also among the most vexing.
At times, lawmakers appear to be working at cross purposes. Some want to empower regulators to force specific security upgrades at utilities.
Others are attacking whistle-blowers and the media, demanding an investigation into disclosures of how easily the country’s power grid could be shut down.
The magnitude of the problem is underscored by insurance giant Lloyd’s of London, whose appraisers have been making visits lately to power companies seeking protection against the risk of cyberattack. Their take-away: Security at about half the companies they visit is too weak for Lloyd’s to offer a policy.
“When Lloyd’s won’t insure you, you know you’ve got a problem,” said Patrick Miller, founder of the Energy Sector Security Consortium, a Washington, D.C.-based nonprofit that advocates for tougher cybersecurity measures for the electricity industry.
The challenges are compounded by lingering tensions between federal law enforcement and the industry. Each accuses the other of being territorial and evasive, neglecting to share confidential incident reports, intelligence analyses and other sensitive data.
Power companies, eager to keep regulators at bay, find themselves in a bind. They need to show quickly that they are equipped to protect the grid against outside attacks. They warn that the grid is so massive, complicated and fragile that any tinkering needs to remain the responsibility of those who operate it day to day, not well-intentioned but inexperienced federal regulators.
“The notion of ... a single government agency giving an order to direct changes in the grid is extremely dangerous,” said Gerry Cauley, chief executive of North American Electric Reliability, the quasi-governmental organization through which utilities manage the power grid.
Even security experts who criticize Cauley’s organization for moving too slowly agree his argument has merit. The problem, said Scott White, a security technology scholar at Drexel University in Philadelphia, is that “you are basically dealing with these monopolies that are determining for themselves which expenditures are a priority. Security has not generally been one.”
Utilities deny they’ve ignored the problem, pointing to the billions they say they’ve spent to upgrade outdated computer systems and close security holes.
They are signing contracts with security firms like Booz Allen Hamilton to investigate such things as how to keep potentially mischievous devices out of the equipment they buy, often from foreign suppliers. The security firms help clients sift through reams of confidential intelligence provided by federal agencies. They simulate cyberattacks.
“It is the equivalent of war gaming, like the military does,” said Steve Senterfit, vice president of commercial energy at Booz Allen Hamilton.
But critics, including many in Congress, say more needs to be done to shore up a grid increasingly exposed to attacks. They note that so-called smart-grid technology, which allows operators to calibrate the flow of energy from an increasingly diverse pool of sources, has opened new security risks.
The technology relies on devices in remote locations that constantly send signals to substations to help control when juice needs to be brought on and offline. The smarter the grid becomes, though, the more entry points an attacker can exploit.
“The whole idea of a smart grid is to push equipment further and further away from the substations,” Crain said. “Some of it is even in people’s homes. It’s physically impossible to secure it all.”
The vulnerabilities Crain exposed, for example, had been overlooked because taking advantage of them requires an attacker to have access to closed, local networks. Now, a cyberterrorist with a little knowledge and the right laptop can gain that access and cause chaos in a regional power system merely by linking up with the control panel at a secluded electric-vehicle charging station.
Other attacks can take shape without computers.
A year ago, unknown assailants opened fire on a power station near San Jose, Calif., nearly knocking out electricity to Silicon Valley.
Last month, New Jersey’s Regional Operations Intelligence Center, a state agency that monitors security threats, published a report revealing constant breaches at power stations. The incidents involved people armed with such mundane equipment as false identification, wire cutters and crowbars.
The report, first disclosed in the Washington Free Beacon, a conservative newspaper, declared the grid “inherently vulnerable” to attack.
“Many of the grid’s important components sit out in the open,” it said, “often in remote locations, protected by little more than cameras and chain-link fences.”