Summary: Cyber threat actors are targeting the capacity of the US energy grid to maintain consistent supply at an affordable cost. In an evolving global landscape, concerns of a potential attack from a foreign nation are increasing. However, protecting the grid is a tough act that requires both federal guidance and the introduction of novel security technologies.

On Plum Island, a remote outcrop of land off Long Island, New York, a grim scenario has played out five times in the past three years. The population is in the dark, and vital facilities like hospitals are in urgent need of power because a significant portion of the electrical grid has failed. While attackers work to keep the grid down, a team of utility operators and cybersecurity professionals works frantically to restore service.

Fortunately, that was only a Defense Advanced Research Projects Agency (DARPA) drill. Its objective was to show utilities accustomed to battling hurricanes, blizzards, and other hazards what a successful hack of the American electricity grid would look like, and what recovering from one would take.

The importance of energy security

Energy is one of the 16 sectors that the Department of Homeland Security has designated as critical infrastructure in the United States, and it may be the most important of them, because it supplies the power on which every other critical infrastructure sector depends. However, the U.S. power grid, the backbone of the energy sector, rests on ageing equipment that is deteriorating year by year. The grid is vulnerable to both physical attacks and cyber intrusions, whether from domestic terrorists or from nation-states like China and Russia. Much of this threat can be reduced if the United States takes the necessary actions now to protect the power infrastructure and avert a future catastrophe.

Energy Grid Infrastructure

Figure 1: Energy Grid Infrastructure, Photo Credit US Senate Republican Policy Committee. Source: American Security Project

Energy security is the ability to maintain a consistent supply of energy at a sustainable price. In this definition, “consistent supply” and “sustainable price” are the operative words. Anything that compromises the United States’ capacity to generate, store, or distribute energy is a threat to energy security.

A winter storm in February 2021 brought down the Texas electricity grid. The storm left millions of Texans without electricity for several days in freezing weather, and 702 people died as a result. The energy infrastructure was not designed around today’s mix of alternative energy sources, and the Department of Energy has acknowledged that the clean energy transition is already pushing the grid to its breaking point. Threats come from outside the grid as well: wildlife, cyberattacks, domestic terrorism, and extreme weather are among the biggest.

The increasing cyber threat of foreign actors

After the December 2015 cyberattack on the Ukrainian grid, worries about a prospective attack by a foreign nation-state on the U.S. electric grid began to grow. Using its BlackEnergy malware, the Russian cyberthreat group Sandworm compromised the computer systems that Ukrainian distribution utilities use to remotely control their networks, and cut power to roughly 230,000 customers in western Ukraine. A second attack in December 2016 cut power to part of the capital, Kyiv. After these attacks, cyber specialists expressed alarm that the same BlackEnergy malware had already been found on NATO and U.S. power networks.

Then-National Security Agency Director Mike Rogers testified before Congress that hackers had been breaking into American power companies to look for vulnerabilities, and that Russia had been discovered installing malware on the same kind of industrial control computers that power companies use.

How a hack on the grid might play out

Figure 2: How a hack on the US grid might play out. Source: Bloomberg.

China is another country with the capacity to target vital energy facilities, and so is a significant threat to the energy infrastructure of the United States. Christine Wormuth, the Secretary of the Army, recently told reporters that in a conflict with China over Taiwan, the U.S. electrical system would be a target.

The Mission Support Center at Idaho National Laboratory characterized these attacks as “multiple intrusions into US ICS/SCADA and smart grid tools [that] may be aimed more at intellectual property theft and gathering intelligence to bolster their own infrastructure, but, likely, they are also using these intrusions to develop capabilities to attack the [bulk electric system], as well.”

Threat vectors: software, networks, and hardware

The rising use of remote-control technologies to run crucial machinery and regulate energy loads, all the way from generation to transmission, adds to the vulnerability of the energy infrastructure. The more a piece of critical energy equipment is reachable over a network, the larger its attack surface and the more exposed it is to cyberattack.

The Mission Support Center further described this vulnerability, stating that because of the growth of networks and communication protocols used throughout ICS environments, vulnerabilities will continue to present attack vectors that criminals will seek to exploit for the foreseeable future. The cyberattack surface will keep growing as a result of the interoperable technologies being developed for the transition to a smart grid.

Cyberattacks need not arrive through enterprise software and networks alone. Physical equipment such as transformers, and the industrial control systems (ICS) that drive it, are attractive targets as well. The particular risk of this channel is that ICS outputs can be manipulated while the operators’ displays continue to show normal values. In the case of Stuxnet, the malware recorded normal sensor readings and replayed them to the monitoring systems while the centrifuges were driven outside their safe operating speeds; Iranian engineers could tell that something was off, but were unable to identify the source in time to prevent the centrifuges from being destroyed.
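The following simulation is an added example and is not code from the original article or from any real control system. It models the deception pattern described above in a hypothetical, simplified plant: a compromised controller ramps the real centrifuge speed past its limit while replaying recorded, normal-looking telemetry to the HMI. Two checks a practitioner would want are shown side by side: cross-checking the HMI value against an independent out-of-band sensor, and flagging telemetry that repeats bit for bit (real sensors carry noise and do not). The set points, limits, noise levels and the `Controller` model are all assumptions chosen for illustration.

```python
import random
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SETPOINT_RPM = 1000.0   # hypothetical normal operating speed
SAFE_MAX_RPM = 1100.0   # hypothetical mechanical limit of the centrifuge
OOB_TOLERANCE = 25.0    # allowed gap between HMI value and independent sensor


@dataclass
class Controller:
    """Hypothetical PLC model (not a real device). While honest it reports the
    real speed and records it; once `compromised` it drives the real speed up
    every cycle while replaying the recorded history to the HMI."""
    rng: random.Random
    compromised: bool = False
    real_rpm: float = SETPOINT_RPM
    recorded: List[float] = field(default_factory=list)
    replay_pos: int = 0

    def tick(self) -> Tuple[float, float]:
        """One control cycle. Returns (value shown to the HMI, real speed)."""
        if not self.compromised:
            self.real_rpm = SETPOINT_RPM + self.rng.gauss(0.0, 1.0)
            self.recorded.append(self.real_rpm)
            return self.real_rpm, self.real_rpm
        self.real_rpm += 40.0                       # actuator driven off-limits
        shown = self.recorded[self.replay_pos % len(self.recorded)]
        self.replay_pos += 1                        # replay the old, calm history
        return shown, self.real_rpm


def detect_replay(series: List[float], window: int = 5) -> bool:
    """True if the latest `window` HMI samples exactly repeat an earlier
    window of the same series. Noisy physical sensors do not produce
    bit-identical repeats, so an exact match is a strong replay indicator."""
    if len(series) < 2 * window:
        return False
    latest = series[-window:]
    return any(series[i:i + window] == latest
               for i in range(len(series) - 2 * window + 1))


def simulate(honest_cycles: int = 20, attack_cycles: int = 10,
             seed: int = 7) -> Dict[str, object]:
    """Run the plant: `honest_cycles` of normal operation, then an attack.
    Each cycle the HMI value is compared with an independent out-of-band
    measurement (own wiring, own noise) and the HMI series is checked for
    replay. Returns a summary the caller can inspect."""
    rng = random.Random(seed)
    ctl = Controller(rng)
    hmi: List[float] = []
    alerts: List[Tuple[int, str]] = []
    peak_real = 0.0
    for cycle in range(honest_cycles + attack_cycles):
        if cycle == honest_cycles:
            ctl.compromised = True
        shown, real = ctl.tick()
        oob = real + rng.gauss(0.0, 2.0)   # independent measurement path
        hmi.append(shown)
        peak_real = max(peak_real, real)
        if abs(shown - oob) > OOB_TOLERANCE:
            alerts.append((cycle, "oob_mismatch"))
        if detect_replay(hmi):
            alerts.append((cycle, "replay"))
    return {
        "hmi_max": max(hmi),
        "peak_real_rpm": peak_real,
        "hmi_ever_over_limit": max(hmi) > SAFE_MAX_RPM,
        "first_alert": alerts[0] if alerts else None,
        "alert_kinds": sorted({kind for _, kind in alerts}),
    }


if __name__ == "__main__":
    summary = simulate()
    print("HMI never showed an over-limit value:", not summary["hmi_ever_over_limit"])
    print("Real peak speed:", round(summary["peak_real_rpm"], 1), "rpm")
    print("First alert:", summary["first_alert"], "kinds:", summary["alert_kinds"])
```

Note what the two checks buy you: the HMI alone never shows a value above `SAFE_MAX_RPM`, so an operator watching only the screen sees a healthy plant. The out-of-band sensor catches the divergence on the very first attack cycle because it is read through a path the compromised controller does not control, and the replay check fires a few cycles later once a whole window of history has been repeated. The design point is that an independent measurement path, not a second copy of the same reported value, is what makes the deception visible.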

Protecting the US grid is a tough task

The lessons of Plum Island are being felt today. The National Rural Electric Cooperative Association, whose members are primarily small, not-for-profit operators, recently began deploying a new security tool that it first tested on Plum Island. However, many substations remain weak points.

The American electrical grid is the largest machine in human history. Some 3,000 distinct public and private companies own or run portions of it. Although much of the country’s critical infrastructure is privately owned, it still serves a vital public purpose that must be upheld. The federal government is ultimately responsible for protecting such infrastructure because the general public relies on it not only for business and communication but for survival.

The federal government must lead a top-down effort to secure the electricity grid. According to President Biden’s homeland security adviser, Dr. Liz Sherwood-Randall, the difficulty is that the federal government cannot simply impose rules on the industry. Regulations and standards adopted across the whole electric industry, hardening the power grid against cyber threats, would therefore be a more effective means of attaining this goal.

Another option for preventing a cascading failure is the use of “microgrids,” defined as “grid architecture that could manage electricity generation and demand locally in sub-sections of the grid that could be automatically isolated from the larger grid to provide critical services even when the grid at large fails.” Adding microgrids to the main grid as a layer of redundancy can limit the scale of mass power outages. Even though they are not a complete solution, microgrids offer a practical way to prevent a catastrophic failure of the US electrical infrastructure.
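To make the “automatically isolated” part of that definition concrete, here is an added example, not code from the article or from any real microgrid controller, of the decision logic a microgrid would run at its point of common coupling (PCC) with the larger grid. It watches constructed frequency and voltage readings, opens the tie breaker when the wider grid leaves its operating band, and then sheds the lowest-priority local loads until local generation can carry what remains, so that critical services such as a hospital stay energised. The thresholds, load figures and priority scheme are assumptions for illustration, not standards values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

NOMINAL_HZ = 60.0       # North American nominal frequency
FREQ_BAND_HZ = 0.5      # hypothetical islanding threshold, +/- Hz
VOLT_BAND_PU = 0.10     # hypothetical threshold, +/- 10% of nominal (per unit)


@dataclass(frozen=True)
class Load:
    name: str
    kw: float
    priority: int       # 1 = critical (never shed here), larger = less critical


@dataclass
class Microgrid:
    """Hypothetical islanding controller for one sub-section of the grid."""
    loads: List[Load]
    local_gen_kw: float                     # generation available when islanded
    islanded: bool = False
    shed: List[str] = field(default_factory=list)

    def served_kw(self) -> float:
        """Load currently connected (everything not yet shed)."""
        return sum(l.kw for l in self.loads if l.name not in self.shed)

    def pcc_out_of_band(self, freq_hz: float, volt_pu: float) -> bool:
        """True when the wider grid at the PCC looks unhealthy enough to island."""
        return (abs(freq_hz - NOMINAL_HZ) > FREQ_BAND_HZ
                or abs(volt_pu - 1.0) > VOLT_BAND_PU)

    def island(self) -> bool:
        """Open the tie breaker and shed non-critical load, least critical first,
        until local generation covers the rest. Returns True if balanced."""
        self.islanded = True
        for load in sorted(self.loads, key=lambda l: -l.priority):
            if self.served_kw() <= self.local_gen_kw:
                break
            if load.priority == 1:
                continue                    # critical loads are never shed here
            self.shed.append(load.name)
        return self.served_kw() <= self.local_gen_kw


def run_scenario(loads: List[Load], local_gen_kw: float,
                 pcc_readings: List[Tuple[float, float]]) -> Dict[str, object]:
    """Feed a sequence of (frequency Hz, voltage pu) PCC readings through the
    controller and report when it islanded and what it shed."""
    mg = Microgrid(loads=loads, local_gen_kw=local_gen_kw)
    islanded_at = None
    balanced = True
    for idx, (freq, volt) in enumerate(pcc_readings):
        if not mg.islanded and mg.pcc_out_of_band(freq, volt):
            balanced = mg.island()
            islanded_at = idx
    return {
        "islanded_at": islanded_at,
        "shed": list(mg.shed),
        "served_kw": mg.served_kw(),
        "balanced": balanced,
        "critical_served": all(l.name not in mg.shed
                               for l in loads if l.priority == 1),
    }


# Constructed sample data: a small town's loads and a collapsing wider grid.
SAMPLE_LOADS = [
    Load("hospital", 400.0, 1),
    Load("water_pumping", 150.0, 1),
    Load("traffic_and_comms", 100.0, 2),
    Load("commercial", 300.0, 3),
    Load("residential", 250.0, 3),
]
SAMPLE_PCC = [(60.0, 1.00), (59.9, 0.99), (59.6, 0.97), (58.8, 0.90), (57.0, 0.70)]

if __name__ == "__main__":
    print(run_scenario(SAMPLE_LOADS, local_gen_kw=700.0, pcc_readings=SAMPLE_PCC))
    print(run_scenario(SAMPLE_LOADS, local_gen_kw=500.0, pcc_readings=SAMPLE_PCC))
```

With 700 kW of local generation the controller islands on the fourth reading (frequency 1.2 Hz low), sheds the commercial and residential feeders, and carries the hospital, water pumping and communications on 650 kW. The second run shows the failure mode a practitioner needs to plan for: with only 500 kW available, shedding every non-critical load still leaves 550 kW of critical demand, so `balanced` comes back `False` and the operator knows that critical-only load exceeds islanded generation before the breaker ever opens in anger.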

Risks associated with the cyber systems controlling critical infrastructure such as the US electric grid are growing as regulations mount, hacking tactics evolve, and bad press meets social media. The federal government and the public demand protection of these assets, and the regulations can carry civil, operational, and financial penalties. Companies are also becoming keenly aware that compliance alone does not provide cybersecurity.

ITEGRITI’s team members have served in operational, management, and auditor roles and have deep experience in regulatory compliance and affairs, internal compliance program development, cybersecurity, and training development and delivery. To learn how we can help you, contact us and we will be glad to listen.