After fending off cyber attack, FirstEnergy says government coordination lacking

Dive Brief:

Hackers attempted a denial of service attack on FirstEnergy's servers this week, but while information on the unsuccessful attempt was quickly shared with the industry and the U.S. government, company officials say there was no response from federal officials, EnergyWire reports.
FirstEnergy CIO Bennett Gaines told a House subcommittee this week that information sharing between industry and the government is essential to grid security, but he never heard back from federal officials after reporting the attack.
Cyber vulnerabilities are an increasing concern for the industry, amid increased attacks, known vulnerabilities and estimates that a widespread outage could cause catastrophic damage to the United States' economy.

Dive Insight:

FirstEnergy fended off the denial of service attack with relative ease, its firewalls shutting down the threat. But with attacks increasingly common, it is the response — or lack of one — that most concerns industry officials.

FirstEnergy's Gains testified before the House Science Subcommittee on Energy and the Subcommittee on Research and Technology this week, explaining that following the attack, the generator informed the Electricity Information Sharing and Analysis Center, sharing news of the attack across the industry. The company also informed the federal government, but Gaines said "24 hours later, I still don't have a response back from the government."

Cyber attacks on the U.S. power grid are an increasing threat, both as more of the economy becomes connected and hackers become more sophisticated. Physical vulnerabilities are widely known, albeit difficult to take advantage of, and EnergyWire points out that utilities face a tricky balancing act in sharing cybersecurity information with competitors without violating anti-trust laws or consumer privacy.

"Information sharing between the electric industry and the federal government is essential to maintaining a strong, effective and proactive approach to protecting our nation’s vital communications networks from potential cyber-attacks," Gaines said in his prepared testimony. "With every operational and technical advance that is made to improve productivity – including remote access, mobility and 'bring your own device' policies – organizations also are broadening their attack surface and exposure."

In 2014, the U.S. Department of Homeland Security responded to a Freedom of Information Act on an unrelated topic and released in error more than 800 pages related to the so-called “Aurora vulnerability,” including the location of sensitive pieces of infrastructure that could be disabled.

While the industry is working to close the vulnerability, Lloyd's of London estimated this summer that a widespread attack could cost the United States up to $1 trillion.

The firm found that a relatively small success rate from hackers could be devastating.

In its hypothetical attack, the firm found that “despite only achieving a 10% success rate, the malware successfully infects over 70 generators by exploiting the systemic importance of control rooms, with each control room typically managing several generators.” The scenario is a long-shot, but could leave more than 90 million without power, Lloyd's said.

While improbable, the scenario is “technologically possible” and the firm predicts “a rise in mortality rates as health and safety systems fail; a decline in trade as ports shut down; disruption to water supplies as electric pumps fail and chaos to transport networks as infrastructure collapses.

This week, federal lawmakers led by Rep. Shelia Jackson Lee (D-TX) called on Congress to pass legislation to protect the U.S. grid from emerging cyber threats from the Islamic State, pushing the Terrorism Prevention and Critical Infrastructure Protection Act, introduced by Lee earlier this year.