Ukrainian power system operators were surprised on Dec. 23, 2015, when outside operators seized control of their computers and began opening breakers to cut power to thousands of residents in the western part of the country. Service was restored within six hours, but it took investigators, including multiple U.S. agencies, months to figure out what happened. They concluded the outages were the result of an effort begun months earlier, and their report illuminated ways in which U.S. power transmission and distribution systems could be vulnerable to similar attacks.
Recognizing these risks, in January 2023, the Federal Energy Regulatory Commission (FERC) issued new regulations requiring the North American Electric Reliability Corp. (NERC)—the agency charged with protecting the reliability of the North American grid—to develop new internal network security monitoring standards for utilities.
A second FERC ruling in April outlined incentive-based rate treatments to encourage utilities to invest in cybersecurity improvements. But the U.S. electrical grid, sometimes called the world’s greatest machine, remains vulnerable to malicious actors due to a combination of age, complexity and increasing operational connectivity. Defending it has become a significant priority for security agencies across the U.S. government.
“The Ukraine utility attack was a wake-up call for not only the global utility sector, but also the significant role defending critical infrastructure plays in national security,” said Robert Nawy, co-founder, chairman and CEO of IPKeys Power Partners, Tinton Falls, N.J., a provider of distributed energy resource management systems. IPKeys Power Partners helps monitor and control the various solar arrays, battery systems, microgrids and other equipment that might support a utility’s grid.
“It underscored the need for robust cybersecurity measures, continuous monitoring and rapid-response protocols,” he said.
Understanding varied risks
Obviously, the ability to take control of a local distribution system poses significant threats to health and safety, but that extreme example is just one form a cyberattack might take. Threats run the gamut from inconvenient to catastrophic.
“When we’re talking about a cyberattack, this could be anything from a kid in the parents’ basement who’s messing around, to organized crime groups, to highly sophisticated nation-state attacks—those are very different types of attacks,” said Nate Gleeson, program leader for Lawrence Livermore National Laboratory (LLNL).
“We’re typically thinking about nonkinetic activities that disrupt the control systems of critical infrastructure, either manipulating the ability to control the system, get information from the system or the ability to access the system,” he said.
Nick Leiserson, assistant national cyber director for cyber policy and programs in the U.S. Office of the National Cyber Director (ONCD), said he prefers to avoid the word “cyberattack” because it can be so broadly applied.
“In the lexicon that gets used in Washington a lot, there’s an idea of computer network exploitation versus computer network attack,” he said. “In an attack, we generally mean that we’re actively disrupting the equipment in some way, and the operation of it, versus exploitation might be we’ve hacked into the system so that we can steal emails or customer records or payment information—where you’re not affecting the operations of the system, but you do have unauthorized access.”
The opportunity to gain unauthorized access to utility systems has increased in the last couple of decades as the internet has become ubiquitous and as utility operations have become increasingly automated and digitized.
New ties are being created between networks that used to be digitally and physically separated, opening pathways to controls that were nearly impossible for intruders to create before.
Information technology—the hardware and software that help utilities manage their businesses—and the operational technology behind how power is generated and delivered are becoming more integrated. This enables important new capabilities, such as using smart meters to monitor various grid conditions and inform operations of local transformers and substations. Each meter in turn could become an access point to more centralized controls if adequate protections aren’t in place.
“There are huge benefits both for companies themselves and society when we have things that are more connected—we can provide power cheaper, we can provide new types of power like distributed generation,” Leiserson said. “But with that connectivity comes some risks. And what we need to focus on is ways to mitigate the risks so we can get the benefits of having a more connected grid.”
The age of equipment, especially on the operations side, also can raise concerns. U.S. substations and transformers now average 40 to 50 years old, according to U.S. Department of Energy figures. Gleeson sees this statistic as a double-edged sword when it comes to cybersecurity. In Ukraine, for example, many of the affected grids’ systems were manual, which protected them from the software-focused attacks.
“But a lot of times, those legacy systems are also not frequently patched,” Gleeson said, meaning the software they are running might be decades old. “A lot of these systems have known vulnerabilities in them, and so, if you’re not taking care of those, then you’re giving low-tier adversaries a pathway.”
Keeping the sky from falling
LLNL’s mission focuses on security and defense issues, with cybersecurity now high on its priorities list. The facility’s Skyfall laboratory (yes, named for the James Bond film) has become a critical resource for helping LLNL’s researchers better understand and protect against grid-threatening attacks. The facility connects real-world equipment, including a grid-scale power substation, with high-performance computers to model how transmission and distribution systems might respond to a broad range of power irregularities caused by bad actors (or just really bad weather).
“The Skyfall laboratory allows us to merge our high-performance computing simulation capabilities with the actual hardware that is being used on the electric grid,” Gleeson said, describing work his group carried out to help California utilities understand the possible damage cyber criminals could cause to the state’s power system.
“We started with a high-performance computing simulation of California’s grid, and then Pacific Gas & Electric gave us the control system equipment they typically have in their transmission substations so we could install it in Skyfall” to create a simulated California network and a physical representation of actual PG&E gear, Gleeson said. “Basically, those devices believe that they are on the broader electric grid, and we can get much more realism into the simulation to understand what the effects are and how those devices will behave.”
LLNL’s Skyfall lab includes a substation programmed to behave as if it were connected to a live power grid. Researchers can feed signals on voltage, current and other characteristics as though they were coming from the grid itself to model possible distribution, transmission and communications implications of a cyberattack. Photo courtesy of LLNL.
The growing adoption of phasor measurement units (PMUs) to monitor waveforms in grid currents is another area where Skyfall aids utility managers. These units are synchronized to GPS satellite clocks, and incorrect GPS signals will throw off their operations.
Skyfall researchers used data from an accidental GPS-related outage in the Pacific Northwest to prove these signals could be spoofed in a cyberattack. The U.S. Department of Homeland Security has used the lab’s findings to work with PMU manufacturers to help harden products against future events.
Utilities will also soon see new monitoring requirements to help ensure their ability to spot possible encroachments into their operations before damage spreads. Under FERC’s January 2023 directive, NERC is expanding its Critical Infrastructure Protection reliability standards to detect situations where trusted vendors or others with authorized system access could still introduce security risks.
This could happen through the installation of hardware or software that has been compromised. This scenario played out in the 2020 hack of IT management software from SolarWinds, which had been widely deployed across corporate and government networks. Russian hackers got access to a routine security update and gave themselves a doorway.
Nawy sees this directive having a significant effect on utility cybersecurity.
“These standards will provide a consistent framework for identifying, assessing and managing cybersecurity risks across the electric utility sector,” he said. “By having a standardized approach, utilities can ensure they are all adhering to a high level of security, making the entire grid more resilient to potential attacks.”
A strategy for protection
Of course, identifying possible vulnerabilities is only the first step toward better-protected grids—utilities then must pay for needed improvements. Historically, state-level regulators didn’t see such investments as eligible for cost recovery from ratepayers. That changed with FERC’s April 2023 rule that established incentive-based rate treatments to encourage utilities to invest in advanced cybersecurity technology and participate in cybersecurity threat information-sharing programs.
The agency oversees transmission rates in most regions as part of its role as a wholesale power regulator. According to Leiserson, this issue has been raised in national cybersecurity circles for some time, including at ONCD, which advises the president on cybersecurity and strategy.
“Our former national cyber director Chris Inglis talked to state public utility commissioners about the importance of ensuring that investments in cybersecurity can be amortized in a way that reflects the importance of this mission,” Leiserson said. “We recognize that the improvements in cybersecurity that we need to see are going to cost money, so incentives to get there are an important part of anything that we do.”
Allowing utilities to recover the expense of such investments—and earn money on them, as they would on new physical infrastructure—might have an effect on customer rates, he said. But such expenditures could be significantly lower than what might be needed if a missed intrusion leads to prolonged outages.
“Part of what we’re trying to do is shift some of that cost and spend a couple dollars now on cybersecurity by design,” he said. “This could save you hundreds of dollars later, when you might have to rip and replace if, heaven forbid, we get attacked in some way and significant portions of the grid are negatively impacted.”