Power board considers cyber security

Power board considers cyber security

Michele Ellson
Alameda Municipal Power

Image courtesy of Alameda Municipal Power.

The board that oversees Alameda’s power supply took in a presentation Monday on potential cyber threats to that supply and to financial information of Alameda Municipal Power’s customers.

Bruce Gordon of N-Dimension Solutions told the board about potential threats to the system during a presentation Monday, saying assessments, monitoring and deployment of software could meet it. But Gordon didn’t offer specifics, and the board hasn’t yet authorized action or established a timetable for putting security measures in place.

In the first six months of the 2012 fiscal year, which began in October 2012, the federal Department of Homeland Security’s cyber emergency response team responded to more than 200 cyber attacks on critical infrastructure – more than half of them to the nation’s energy supply.

The threats can range from simple, e-mail based phishing scams to malware like the Stuxnet worm discovered in 2010, which could infect and reprogram industrial control systems.

“Your utilities are a prime target,” Gordon said.

Gordon said hackers are focused on obtaining customers’ financial information – credit card and Social Security numbers and checking account information. But they can also attack the Island’s electric supply – as an armed group that attacked a San Jose power substation did in 2013, reportedly knocking out 17 transformers funneling power to Silicon Valley that took nearly a month to fix.

That attack prompted federal energy officials to tour the country warning utilities about the need for better security. President Barack Obama issued an executive order two months before the attack, in February 2013, seeking a framework for improving cyber security for energy grids and other critical infrastructure, and a voluntary framework was released this past February.

It wasn’t clear Monday what if any attacks Alameda Municipal Power’s network may have suffered or whether the utility has a plan for dealing with potential cyber threats. The utility’s website went down in May of 2012 after links to outside pages were inserted into its pages, but utility officials said customer data was on a separate, in-house server and that it had not been compromised.

Still, Gordon said “flat” networks like those belonging to power companies are easy to penetrate. His presentation – marked “Confidential & Restricted” – said that 30 days’ worth of monitoring logs for a trio of unidentified municipal utilities showed more than 6 million alerts to potential attacks on the systems and sensitive customer data.

He said utilities can “build a moat” around their systems by monitoring activity on them, testing and developing a security plan – and letting employees know how to avoid accidentally giving hackers access to a utility’s systems.

Board member Greg Hamm said he’d like more information about where the utility is on securing its systems from a cyber or other attack, though Gordon warned against being too specific. Board chair Madeline Deaton asked whether the issue of cyber security could be discussed in a more confidential setting than a televised public meeting.

“So the board has a better understanding, without putting it out in the newspaper,” Deaton said.