In March, the Department of Homeland Security and the Federal Bureau of Investigation released a joint alert that revealed Russian government hackers have attacked and gained access to U.S. government infrastructure, including the electrical grid, for at least the last two years. The report was released amid mounting concerns of a foreign or domestic cyberattack capable of turning the lights out against our will.
“Electrical power grid stakeholders should approach cybersecurity with the same mindset as a natural disaster,” said Philip Bezanson, managing partner with Seattle-based law and government relations firm Bracewell. “It might not happen for a long period of time, but, if it does happen, the organization should be prepared to respond and meet any challenges head-on.”
For electrical contractors, cyberthreats demand a heightened awareness. ECs should know the risks better than their customers who will interface with electrical grids and face potential damage should an all-out attack occur.
“As with most cyberthreats, there are key preparations that anyone can take to help prevent these attacks and/or mitigate the fallout from such an attack,” said Erin Illman, an attorney and partner with Bradley Arant Boult Cummings LLP, Charlotte, N.C. “Preventing an attack will require not only improving the security of the power grid but understanding the vulnerabilities both from a human and technical perspective. For example, attackers can use social engineering techniques to gain information about systems, networks and controls relating to power generation, transmission or distribution.”
These techniques are used to deceive and manipulate individuals into divulging confidential or personal information, which is then used for fraudulent purposes. One example, spear phishing, involves attackers sending legitimate-looking emails that release malicious software into a network and can gain direct access to controls within a system or gather information for the attacker.
Illman said many initial attacks, such as this one, can be cut off simply by educating everyone involved on the potential threats and how to deal with each. In this case, teaching users to inspect emails carefully and detect illegitimate emails could thwart a spear-phishing attack.
How great is the risk?
Michela Menting, research director for ABI Research in France, said risk of a cyberattack on electrical power grids within the United States is high. Increasingly vulnerable to cyberattacks are power-control systems in electrical grids, from energy-management systems to supervisory control and data acquisition (SCADA), as well as all the components that form part of the evolving smart grid, such as intelligent electronic devices and advanced metering infrastructure.
Information and communication technology has opened up previously isolated industrial control systems (ICS) into connected environments.
“Malicious attacks or even technical failures could have a significant knock-on effect on ICS and affect the performance of the electrical grid,” Menting said. “SCADA system vulnerabilities can be found in the [operating system], authentication procedures, wireless communications, remote processors, access and interconnection, network design and system monitoring. Employee mistakes and accidental errors still account for the larger part of SCADA system failures, although this is now quickly being overshadowed by external threats.”
The IoT and cyber risk
The internet of things (IoT) and enabled devices may play a role in cyberthreats to electrical grids. Many large cybersecurity breaches have been attributed to IoT devices as a gateway into critical and private networks.
“Security standards used for traditional devices or endpoints (think desktops, laptops and servers) are simply not practical for IoT devices due to memory, computational power and the amount of network communication required,” said Rene Kolga, senior director of project management at Nyotron, an endpoint cybersecurity firm in Santa Clara, Calif.
The sheer number of IoT devices poses its own set of problems.
“No matter how seriously you take security into consideration during the design and development phase of a device, there will always be bugs and vulnerabilities that require patching or even a complete replacement of vulnerable devices,” Kolga said. “At the scale of the power grid, this is a tremendously challenging and expensive undertaking.”
There is bipartisan support in the U.S. House of Representatives’ Energy and Commerce Committee for advancing a series of cybersecurity laws that specifically address the electrical grid.
“The grid is large and complicated; securing all of it, all of the time, is difficult,” said Andrew Howard, chief technology officer, Kudelski Security, Atlanta. “The good news is that the awareness … is growing. There is industry and government momentum on protecting these vital assets.”