Power companies struggle to maintain defenses against cyber-attacks.

Author: Magnuson, Stew

(*) When experts rank U.S. industries' abilities to ward off potentially damaging cyberattacks, the electric utilities are normally near the bottom.

And that is troubling, these same network security professionals say. Taking down an electric grid, especially one that serves a major city, could do real damage to the economy and may indirectly cost lives.

One of the issues is that there is no sense of alarm. A terrorist group or nation state has heretofore not switched off a power grid.

That doesn't mean that they aren't vulnerable, said Curt Aubley, chief technology officer and North American vice president at McAfee.

"The good news is that the energy companies and power companies recognize this and they are putting plans in place and forming security partnerships," he said in an interview.

But at this point, the industry is lagging, others interviewed agreed.

And new smart power grids, which will rely on Internet protocols to connect homes and businesses to the energy plants, may complicate matters.

Maria Horton, CEO and founder of EmeSec, a network security firm that works with the Department of Homeland Security and other government agencies, said part of the problem is cultural change.

The energy grid is one of the nation's oldest pieces of critical infrastructure, she noted.

"Many of the folks who have worked in energy believe that they have designed a system that has worked very well for 40, 50, 80 years since the delivery of national electricity. They are not necessarily comfortable with modern day information systems," she said.

The supervisory control and data systems, or SCADA - the specially designed computer programs that operate industrial machines - have been since their creation unconnected to networks. But they are being modernized through attrition, she said. Many of the technicians who operate the systems are reluctant to update the software because they don't know what the full impact will be on the grids they run, she said.

Aubley said this is just how the industry grew over time. Power plants have separate network and control systems created just to operate that infrastructure.

To infiltrate such a stand-alone system, the perpetrator of an attack would have to physically install rogue software in the system, similar to what happened in Iran when the Stuxnet virus was allegedly placed by an insider in the SCADA systems that ran the centrifuges for that nation's uranium enrichment program.

"In some ways that is a little...
