Computer hackers have stopped access to Yahoo and EBay, blocked orders to Amazon.com, inflicted a plague of data-consuming viruses on corporate America and defaced thousands of Web sites with graffiti, including many sites operated by the U.S. Department of Defense.
And their next target may be the nation's energy utilities.
For two weeks last spring, hackers wormed their way inside a computer system that plays a key role in moving electrical power where it is needed around the state. The computers belong to the California Independent Service Operator, an agency that oversees much of the state's electricity transmission grid--including the massive complex of power plants and transmission lines.
Cal-ISO patched the flaw that allowed hackers to roam through portions of its network before power supplies were affected. But the episode sent shock waves throughout the energy industry.
So far, no utility has blamed computer hackers for a power disruption. But two trends may soon change that, experts say.
Deregulation of the energy industry has led to the formation of dozens of online energy trading networks where buyers and sellers manage real-time sales of electricity over the Internet. Experts believe that such trading networks are less secure than computer networks maintained by utility companies and if hacked into could disrupt power transfers.
They also warn that increasing links between computers that control the grid and those used for administration, Internet e-mail or Web surfing make hacker-induced blackouts likely.
Riptech Inc., a security company in Alexandria, Va., has tested security for dozens of energy-industry clients. In every case, the firm penetrated Internet-connected corporate networks--and often hopped from those networks into supposedly sealed grid-control systems, according to Riptech's president, Amit Yoran.
Other security companies report similar experiences, suggesting there has been scant progress since 1997, when Defense Department engineers successfully hacked into control systems for the nation's electrical grid in a security trial. Once inside a power-control network, hackers could find diagrams of switches and power supplies that could enable widespread sabotage.
"You can black out whole cities," said Anjan Bose, a power-grid expert and dean of the College of Engineering and Architecture at Washington State University. Other specialists said that hackers could cause physical damage to generating plants or other energy-industry facilities.
"I'm not sure that any [network] manager is totally confident. Those hackers are sharp. If there's a way to get in, they usually try to figure it," said Carl Lindau, director of computer information systems for South Mississippi Electrical Power Assn., a small co-op in Hattiesburg, Miss. "We all worry about it." Lindau said he monitors his network constantly and plans to upgrade security software.
Security Shortfalls Left Door Open
Even major energy-industry companies have committed missteps that amount to leaving out a virtual welcome mat. The computer network that operates the Alaska oil pipeline was found by its own security experts to be "in great jeopardy."
According to 1997 court documents, "a decent hacker--[could] get into that system and actually burst or cause the pipeline to--to stop its flow," said Alan Gibson, a consultant for the Alyeska Pipeline Service Co., which runs the oil pipeline.
In a recent interview, Gibson said Alyeska allowed contractors direct access to its internal computer networks, opening security holes that could have led to environmental disaster.
Alyeska declined to comment on past conditions. But Erv Barnes, the company's chief information officer, said improvements and rigorous testing have made the pipeline nearly impervious to hacking.
In a separate case last year, an audit found that the electrical transmission network at ISO New England, a group similar to California's, permitted computer access passwords to be blank, with no expiration date, leaving it open to anyone who got into the system. And the system's lockout settings were disabled, opening the door to virtually anyone who sat down at the computer, which was in an unsecured area.
An ISO New England representative said the problems have been corrected.
Utilities historically have maintained security of their power supply by isolating and strictly controlling access to computers used to monitor and manage power flow. But increasingly, administrative and supervisory computers are linked for efficiency. Security officials normally use computer firewalls to protect their grid-control systems, but hackers have been able to defeat almost any firewall.
And supervisory computer systems used by utilities often are equipped with dial-up modems so that engineers can monitor the grid remotely. But modem access opens serious security holes, experts say.