Old-Fashioned Control Systems Make U.S. Power Grids, Water Plants a Hacking Target

Critical infrastructure is at risk of a cyberattack because of systems that haven’t kept pace with Internet threats.
October 12, 2012

U.S. defense secretary Leon Panetta warned this week that successful attacks have been made on computer control systems of American electricity and water plants and transportation systems. Panetta didn’t give details about those incidents, but he said they showed that foreign nations or extremist groups could use such tactics to derail trains or shut down power grids. Computer-security experts say those claims are plausible—even if the scenario is not necessarily likely to happen—because of the outdated technology used to operate critical infrastructure.

“Power and water systems have had an entirely different mindset [than] the IT industry,” says Chris Blask, founder and CEO of ICS Cybersecurity, a company that helps infrastructure companies secure their systems. “Stability and reliability are more important than anything—you have to keep the lights on.” That means that while homes and businesses embraced the Internet in the 1990s, and learned to deal with security threats that change rapidly, the operators of power grids and water plants just kept using the same software that had always worked.

Applying software updates was frowned on, leaving vulnerabilities unpatched. And those unpatched systems are not always isolated from the Internet, says Blask. The reason: companies, contractors, and employees have pushed for remote access to their control systems for reasons of convenience and efficiency. “It could be a power engineer who wants to manage a substation without driving through the snow,” says Roy Campbell, who researches the security of critical-infrastructure systems at the University of Illinois at Urbana-Champaign.

Attacks could take many different forms, says Campbell. Some might simply shut down systems, while others can cause physical and sometimes irreversible damage. In 2007 the Department of Homeland Security released a video apparently demonstrating how a power-generating turbine self-destructed in an exercise that illustrated what an attacker could do after gaining access to a control system.

In the case of the power grid, some vulnerabilities arise from the way that different components locally, regionally, and nationally are linked up, says Campbell. For example, the pattern of connections between different parts of the grid can create weak spots that would make it relatively easy for a hacker to bring down a wide area, perhaps for some time. “If you can isolate a power station, for example, it can be difficult to turn it back on because you need power to do that,” says Campbell.

Work to patch up the vulnerabilities in control software and the computer networks around them has been under way for some years now, even before the 2010 discovery of the Stuxnet worm, which was designed to target Iranian industrial control systems, says Campbell. “The major companies are backfilling very rapidly,” he says. But closing every weak point in a complex mix of control software and infrastructure companies’ computer networks is challenging.

One bright spot is that infrastructure-control systems are in some ways less complex than business or home computers, says Blask. “The advantage we have in this area over IT is that industrial networks are relatively static,” he says. “New applications and devices don’t crop up very frequently, so anything else that happens should stand out.”
