"Campaigns are widening to include a successful attack against a key supplier of energy control systems and attempts to compromise a sector security consortium," writes Michael Assante, former chief security officer at the North American Electric Reliability Council, whose member companies run the nation's power grid, in an online comment on the DHS report. "Energy will continue to be an attractive target."
Despite increasing awareness of the threat, companies that rely on computerized systems for production – especially those in the energy sector – have a long way to go to defend themselves against sophisticated cyberspies, who are practically unimpeded in their efforts to map networks, set up digital beachheads inside networks, and steal e-mail, data and passwords, experts in industrial control system security say.
"Unfortunately, most utilities just aren't prepared from a resources perspective for the coming threats," says Robert Huber, a principal at Critical Intelligence, a cybersecurity firm in Idaho Falls, Idaho, that specializes in protecting critical infrastructure. "They have neither the necessary people, nor the budget."
Debate has been rising over how best to protect "critical infrastructure" companies, including those that operate the power grid, gas pipelines, transportation, water, chemical, financial, and other networks. But awareness of the depth of the problem is giving at least some company officials a fresh perspective on the risks involved.