January 21st, 2008 by Chandler Howell

[Update: thoughts from John Quarterman below]
[Update2: notes from a friend with some insider info]
This tale of extortionists taking power plants off-line by attacking their computer systems is getting a lot of play right now, at least in the InfoSec press.

Criminals have launched online attacks that disrupted power equipment in several regions outside of the U.S., he said, without identifying the countries affected. The goal of the attacks was extortion, he said.

“We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands,” he said in a statement posted to the Web on Friday by the conference’s organizers, the SANS Institute. “In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.”

This whole thing seems light on fact and long on titillating detail to me personally, more the realm of Movie Plot Threats than an unacceptable risk. Even a casual Google News search for “power outage” didn’t produce any hints; everything was either domestic to the U.S. or localized, with the cause already explained (worker electrocuted himself and his body shorted out the grid, etc.).

Nevertheless, people are coming out of the woodwork to defend the speaker as credible:

Having worked with Tom Donahue on these and related issues in the past, I regret to inform conspiracy theorists that he is virulently allergic to hyperbole. That he might be making these statements lightly is about as likely as any sane person playing Russian roulette with a semi-auto pistol.

But this leads to an interesting question, namely: is the power grid vulnerable to a systems-level attack against it? We know that the 2003 blackout across the Midwest, the Northeastern U.S. and parts of Canada was a cascading failure in which overloaded transmission lines tripped on tree contact while a software bug in the control-room alarm system left operators unaware of what was happening, so the system became effectively unmanageable and went off-line. That was an accident, not an attack, but it shows what losing control of the supervisory systems looks like at scale.

So what is the level of risk? According to Alan Paller, Director of Research at the SANS Institute,

The prospect of cyberattacks crippling multicity regions appears to have prompted the government to make this information public. The issue “went from ‘we should be concerned about to this’ to ‘this is something we should fix now,’ ” said Paller. “That’s why, I think, the government decided to disclose this.”

If we take the 2003 outage as the potential impact, and make the conservative assumption that the state of security awareness and systems resilience has not improved materially since that incident, then one of two things must be true: either the threat has escalated, or The Experts are playing FUD games with us.

We have an issue that has been known since at least 2003, when we suffered the first major incident, and now all sorts of “credible” experts (or so we’re told) are suddenly speaking up. What are they hoping to accomplish by going public now with a vulnerability that was effectively defined in the aftermath of the 2003 outage? Is this effectively a form of disclosure, similar to public software vulnerability reporting, used as a tool of last resort to drive improvements in the electrical generation and distribution system?

Personally, I suspect an evolution in the Threat, a position that John Robb seems to have reached as well. He’s written extensively about the evolution of systems disruption attacks. Now imagine the synergy of the kidnapping-for-ransom/extortion business models so common in Latin and South America these days, combined with the technical expertise that’s producing work like the Storm worm and an outdated, under-maintained IT infrastructure directly tied to real-world impact, and the threat seems increasingly credible.

Just because it sounds dramatic doesn’t mean it isn’t so. As the old saying reminds us, “Just because you’re paranoid doesn’t mean that no one is out to get you.”

So will I be researching options for going “off the grid” in response to this? No. Actually, I’ve already been looking at off-the-grid options for economic and environmental reasons, but this is something I might factor in to my ultimate decision.

[Update: An additional theory on motivations:]
As Adam pointed out, John Quarterman suggested on Dave Farber’s Interesting People mailing list that this might be used to create a threat whose solution will turn out to be more monitoring of Internet traffic. I already deleted the message, but had to agree that it might make sense, given the strong pro-wiretapping agenda of the agencies now propagating and vouching for one another, combined with the Urban Legend-/Weekly World News-grade facts that allegedly support the story.

[Update2: Notes from a friend with some insider info]
On the power grid thing. I have done a bit of a study of some control networks and there is quite a bit of risk out there. They have been taking old systems and just willy-nilly adding them on to IP networks. This stuff used to all be dialup. They run 20-year-old OSes or worse. I do not know about all the current noise in the press. I am part of a team with [a friend] working in the industry to start making changes. There is a lot of crazy stuff. Operations and IT do not talk to each other….

- Posted in Security and Risk Management, Risk Management, Terrorism

Adam Says:

John Quarterman had a post to Dave Farber’s IP list this morning that asserted this was a pawn move in the “monitor the internet” game.

Can’t find it on the public archive just yet.

- January 21st, 2008 at 10:44 am |

I saw that go by on IP as well, but hadn’t had a chance to add an update to my post (yet).

- January 21st, 2008 at 11:09 am |

alex Says:

Another option - the feds aren’t thrilled with the commitment US companies are making towards NERC and this was leaked to try and get more visibility to the issue.

Invoking Newton’s take on Ockham, however, I’d say the least complex explanation is that the threat landscape is changing.

- January 21st, 2008 at 2:13 pm |
