×

Protecting America's power grid: Calls for action

Hal Bergman Photography | Flickr | Getty Images

Electronic attacks on banks, retailers and oil companies have amplified calls to fortify the U.S.'s aging electric grid, which some believe is more vulnerable than ever to terrorism.

For years, the more than 3,000 utilities that provide the United States with electricity have been the focus of security concerns. Yet in the shadow of the 13th anniversary of the Sept. 11 terror attacks, a growing threat from terrorists and multiple assaults on U.S. companies, risks to the energy grid appear to be multiplying.

Read MoreDouble threat: US grid vulnerable on two fronts

A sophisticated attack on the energy grid "is real and needs to be addressed urgently," said James Woolsey, chairman of the Foundation for the Defense of Democracies, in an interview. "A hacker could very seriously damage the grid."

Energy regulators: We get the message

For their part, utilities and regulators insist they are on the case, especially in the wake of two separate physical breaches at a Pacific Gas & Electric (PG&E) Silicon Valley substation that have heightened security fears within the industry. A PG&E spokesman told CNBC that the utility company plans to spend $100 million over the next three years "to enhance security at our critical facilities."

The Energy Policy Act of 2005 granted the Federal Energy Regulatory Commission (FERC) responsibility to work in tandem with power companies to improve the grid's reliability, and enforce standards to keep the power flowing in the event of any contingency.

Read MoreYou paid a fee for 31 years that went nowhere

In response to an inquiry from CNBC, Cheryl LeFleur of FERC said her agency "works continuously with the electric industry to assess and respond to the threats posed by physical attacks, cyber-intrusions, and severe weather," using mandates and voluntary initiatives.

'Chicken Littles and Dragonflies'

"I look at any vector of attack as troublesome," said Scott Aaronson, senior director of national security policy at the Edison Electric Institute, the association for all publicly traded electric companies.

"Given that you have all digital equipment helping to operate the grid … all threats are taken very seriously," Aaronson said in an interview. "But if you mandate a 10-foot wall, our adversaries will try to bring a 12-foot ladder."

However, he said that grid security has been on the industry's radar "for decades"—despite headlines that have only recently given the subject of technological breaches more attention.

"Our standards on cybersecurity were first drafted in 2007, before the urge to follow the shiniest object or Chicken Little with movie-script scenarios," he said.

Read MoreEnemy within: The danger of 'insider hacking'

"We're making sure people get the right intelligence at the right time, and that threats are mitigated in near-real time," he said, even as he acknowledged utilities aren't "pretending we can protect everyone from everything."

Still, fears about U.S. energy security are becoming more than just abstract theories, or movie scenarios.

A widely circulated white paper by Symantec in June cited an "ongoing cyber-espionage campaign" against the energy sector by a shadowy hacker group known as Dragonfly. The report added that energy grid operators, utilities, oil and gas firms were at risk—not just domestically, but abroad as well. Additionally, others say the industry has far more work to do in the face of rapidly multiplying challenges to U.S. interests.

Utilities and regulators "are doing a lot, but there's more to be done," said one official with knowledge of the industry's cybersecurity efforts, who spoke to CNBC on the condition of anonymity.

Read MoreSolar storm heading for earth

He said major population centers such as Washington, D.C., Los Angeles and New York City were always a big source of worry "not because of specific threats, but there's an elevated sense of a terrorist getting the biggest bang for the buck."

A grid hack "is certainly on people's radar, and it's a matter of how they address these risks internally," the official said. "It depends on what information you are getting, but nothing is being ignored, it's just a matter of how they prioritize it."

—By CNBC's Javier E. David