NEW YORK (CNNMoney) — The nation’s energy grid is constantly under attack by hackers.
In fiscal year 2014, there were 79 hacking incidents at energy companies that were investigated by the Computer Emergency Readiness Team, a division of the Department of Homeland Security. There were 145 incidents the previous year.
The outermost defenses aren’t holding up. Between April 2013 and 2014, hackers managed to break into 37% of energy companies, according to a survey by ThreatTrack Security.
Cybersecurity firm FireEye identified nearly 50 types of malware that specifically target energy companies in 2013 alone, according to its annual report. Energy firms get hit with more spy malware than other industries, according to a 2014 study by Verizon.
In March, TrustedSec discovered spy malware in the software that a major U.S. energy provider uses to operate dozens of turbines, controllers and other industrial machinery. It had been there for a year — all because one employee clicked on a bad link in an email.
And just last month, CERT revealed that Russian malware called BlackEnergy had found its way onto the software that controls electrical turbines in the United States.
Investigators didn’t see any attempts to damage or disrupt machines. But the malware gives hackers a backdoor to plant destructive code in the future.
So far, no computer virus has shut down any portion of the grid. But hackers are still breaking in, giving them the potential to flip switches off.
“Our grid is definitely vulnerable,” said David Kennedy, TrustedSec’s CEO. “The energy industry is pretty far behind most other industries when it comes to security best practices and maintaining systems.”
No utility provider contacted by CNNMoney was willing to comment.
Why are energy companies so vulnerable? One reason is that these industrial systems rely on 1970s-era technology. It doesn’t get upgraded, because doing so would interrupt service, Kennedy said.
At a power grid security conference in San Antonio, Texas, in October, NSA director Admiral Mike Rogers told energy companies the power infrastructure just wasn’t designed to stand up to today’s attacks.
“Power… is one of the segments that concerns me the most,” he said, according to a transcript obtained by CNNMoney.
So serious are the implications that DHS and FBI are now touring 12 American cities, hosting classified meetings with energy providers and utility companies to brief them on the danger.
So, why haven’t hackers been able to turn off the lights yet?
Energy companies do take precautions. They have cybersecurity teams, and they separate their Internet-connected corporate computers from the stations that control critical machines. Firewalls and passwords help.
And energy companies use so many different types of machines that taking out a city’s power would take a calculated, coordinated effort by an army of hackers.
David Whitehead is a research executive at Schweitzer Engineering Laboratories, which builds devices that monitor electrical current. He said it’s easier to cause damage by shooting at power transformers with rifles — like snipers did last year in Silicon Valley.
Storms also currently pose a more potent threat of power outages than hackers.
“There’s all this doom and gloom about how fragile the grid is. But what do we have to fear in terms of power disruption? It’s not a terrorist attack,” Whitehead said. “It’s mother nature.”
™ & © 2014 Cable News Network, Inc., a Time Warner Company. All rights reserved.