The Department of Homeland Security identifies 16 critical infrastructure sectors which are considered so vital to the United States that their incapacitation or destruction “would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” Although the Energy Sector by itself is included as one of those sectors, EACH of those sectors is heavily dependent on electrical generation and distribution. Disabling or otherwise interfering with the power grid in a significant way could thus seriously harm the United States.
Cyberattacks on the energy sector and power distribution systems are not an imaginary threat. Although an article published in 2016 claiming that a Vermont power company had been targeted for disruption by Russian hackers was proven to be inaccurate, successful cyberattacks HAVE been carried out in the past. In 2015, an attacker took down parts of a power grid in Ukraine. Although the source of the attack could not be proven, evidence suggests Russian involvement. A year later, Russian hackers targeted a transmission level substation, blacking out part of Kiev.
In 2014, Admiral Michael Rogers, director of the National Security Agency, testified before the U.S. Congress that China and a few other countries likely could shut down the U.S. power grid. Iran, as an emergent cyber actor, could acquire such capability. Rapid digitization combined with low levels of investment in cybersecurity and a weak regulatory regime suggest that the U.S. power grid is as vulnerable—if not more vulnerable—to a cyberattack as systems in other parts of the world.1
“Rapid digitization combined with low levels of investment in cybersecurity and a weak regulatory regime suggest that the U.S. power grid is as vulnerable—if not more vulnerable—to a cyberattack as systems in other parts of the world.”
While the sophisticated actions required to carry out a successful attack would require extensive planning willing to devote many months to the effort, the likelihood that an attack carried out would be blocked by security measures is low. While some utilities may be successful in blocking initial attempts to gain access or detect intrusion, many lack the tools to respond. In a scenario for an attack developed by insurance underwriter Lloyd’s of London, only 10% of targeted generators need to be affected to cause a widespread blackout.
Because such a significant impact to the distribution system can be made by affecting only a small number of generating units, improving the security of individual utilities alone is unlikely to significantly deter attackers. Although a minimum standard – the Critical Infrastructure Protection Standards established by the North America Electric Reliability Council (NERC)—has been in place for over a decade, the Government Accountability Office GAO has found that many standards remain voluntary and the extent to which utilities have implemented these standards is unknown. Further, current federal requirements do not extend to power distribution, which is regulated unevenly at the state level.
Actions taken now could significantly reduce the effects of a large-scale blackout caused by a cyberattack on the energy sector. Maintaining and exercising manual operations of the power grid, planning and exercising recovery operations, and continually expanding distributed power could significantly shorten the duration of any blackout and reduce economic damage. Periodic demonstration of the ability to shift to manual control (to establish capability, proficiency, and exercise controls) may be one key to the rapid restoration of power. The effects of the attack on Ukraine’s power grid (mentioned earlier) were mitigated because operations could be returned to manual control.
There was more than a 100% increase in malicious cyberattacks on organizations around the world in January 2018 as compared to January 2017. As the geo-political landscape continues to evolve, more and more adversaries may develop the technology necessary to conduct a successful cyberattack on the U.S. Energy Sector. What tools do you have in place to detect and stop an intrusion? What tools do you have in place to operate manually if an attack removes the ability to perform automatic operations?
References