Hackers taking down the U.S. electricity grid may sound like a plot ripped from a Bruce Willis action movie, but the Department of Homeland Security has recently disclosed new details about the extent to which Russia has infiltrated “critical infrastructure” like American power plants, water facilities and gas pipelines.
This hacking is similar to the 2015 and 2016 attacks on Ukraine’s grid. While DHS has raised the number of the Russian utility-hacking incidents it detected from dozens to hundreds, it still maintains that this infiltration has not risen beyond scouting mode. Russia denies having any role in the hacking, yet the specter of Russian sabotage in the U.S. now seems more realistic than it used to.
Clearly, there’s no time to waste in shoring up the grid’s security. Yet getting that done is not easy, as I’ve learned through my research regarding efforts in to stave off outages in hurricane-prone Florida.
There is no way to completely protect the grid. Even if that were possible, utilities tend to adopt new and better security procedures after mishaps, boosting the chance that some attacks will succeed.
Say, for example, a power company is building a substation. The utility would disclose what it spent on construction, prove that it picked its contractors responsibly and explain how this new capacity is enhancing its service. The regulator then must decide what rate hikes, if any, would be reasonable – after hearing out everyone with something at stake.
Following this routine is harder with cyberdefense spending. Security concerns make it tough if not impossible for utilities to say what they’re doing with that money. Regulators, therefore, have a hard time figuring out whether utilities are spending too much or too little or maybe even wasting money on an unnecessary expense.
If regulators blindly approve these rate hikes, it can be an abdication of their duties. If they reject them, utilities get penalized for shoring up their security and then lose an incentive to keep doing the right thing.
To err is human
Even though the idiosyncrasies of utility regulation make cyberdefense a more complicated issue than it might otherwise be, tools to manage this risk are available.
Mitigating the damage that human error can cause in response to malicious attacks, for example, may not demand any spending beyond what it costs to teach workers at utilities and their contractors to refrain from blindly opening perilous email attachments, the avenue into the electricity system used by hackers in the 2015 Ukraine attacks and in the system breaches the government recently disclosed.
They also need to guard against so-called watering-hole attacks. According to the new DHS revelations, Russian hackers set traps in websites that utility vendors were known to frequent – many of which had insufficient cybersecurity measures in place. They then leveraged that access to steal the credentials they needed to worm their way into utilities’ systems.
Indeed, hackers delivered almost 94 percent of all malware in 2016 through email systems. Clearly, more widespread awareness of the need to keep an eye out for phishing attacks will help secure infrastructure.
Regulators have been studying strategies that might enhance cybersecurity. Standards are already in place in the U.S., Canada and part of Mexicofor utilities to assess their capability to prevent or detect cyberattacks.
It’s also important that regulators recognize that securing systems is an ongoing process. It can never really end because as system security measures change, hackers devise new ways to circumvent them.
Grid resilience strategies can help to maintain service regardless of the source of the outage. For example, many utilities have invested in “self-healing” systems that isolate glitches in the grid and quickly restore service amid outages.
Here’s an example of how that works. During Hurricane Matthew in Florida, in 2016, Florida Power and Light identified a threatened substation and isolated it from the rest of the grid. This measure protected its customers by ensuring that outages at that substation would not spread.
Utilities can also create microgrids, or portions of the grid that can be isolated from the rest of the system in the event of an attack. Most of these systems have been designed to improve resilience in the event of natural disasters and storm events. But they can help defend the grid against cyberattacks as well.
Public concerns over grid security are more justified than ever. But I believe that minimizing the risk of a catastrophic infrastructure attack is within reach. All it will take is for utilities to educate their workers on system security while the government updates its rules and practices – and for everyone involved to keep doing what they can to avert outages of all kinds and to restore power as quickly as possible when outages occur despite those efforts.
Editor’s note: This article was updated on July 24, 2018 to add news regarding the scale of the hacking and the discovery that hackers used watering-hole attacks.