
Bush calls for cyber-security guidelines
By Anne Broache
Published: 17 August 2005 09:30 GMT
US power plants may have to tighten security against malicious hackers bent on wreaking havoc, according to a new federal law.
Part of the 1,724-page energy bill that President Bush signed last week calls for federal bureaucrats to create an "electric reliability organisation" that would draft mandatory standards - including cyber-security guidelines - for electric power system operations.
The Federal Energy Regulatory Commission, or Ferc, would be tasked with setting standards to prevent system instability or failures that can be tied to a "sudden disturbance, including a cyber-security incident". Ferc may impose penalties for violations and has 180 days to begin the process of certifying the reliability organisation.
The new regulations come about three months after a Government Accountability Office (GAO) report cited "a general consensus - and increasing concern" among officials that systems controlling utility infrastructures face real threats of attack.
A visit from the Slammer worm, for instance, may have been in part to blame for failures at a nuclear power plant in 2003, the report said. And in March, electric industry security consultants reported numerous intrusions into control systems. No serious damage was done, they said, but the activity "heightened concerns" about future foul play.
One of the reasons why the control systems are so vulnerable is that they're increasingly being connected to private networks that use the internet, so that they can be managed remotely, the GAO report said.
The current computer system used by utilities and public transportation facilities was not designed with the internet in mind, said Clarence Morey, senior manager for product strategy at Internet Security Solutions, a company that counts public utilities among its clients.
Morey said: "As companies connect these systems to the net to allow remote access or drive efficiency, they're opening themselves up to risk."
Morey said his company supported the new legislation, adding that a "three-legged stool" composed of technology, legislation and good policy is the way to fend off attacks.
Right now, no mandatory cyber-security standards exist for power grid operators but many of them adhere to voluntary ones set by the North American Electric Reliability Council (Naerc), said a council spokeswoman. The council, which first adopted 24 pages of cyber-security guidelines in 2003, is on its third draft of permanent, "more defined" standards, she said.
The spokeswoman said she expects Ferc will certify the council as its official Electric Reliability Organization. The US Department of Energy has already designated the council as co-ordinator of infrastructure protection for the electric sector, and the council works closely with Homeland Security.
Ferc did not return calls for comment on Tuesday.
The Naerc spokeswoman added: "We pushed the legislation through, and we're the only entity out there developing reliability standards. So we're really the only entity out there qualified to perform such a role."
Anne Broache writes for CNET News.com