It isn’t too far-fetched to say that the U.S. electrical grid underpins our modern life. Lights are on, cars are made, food is refrigerated and shipped, cell phone towers work, and a million other things run – like stoplights, banks, blenders and the internet. Yes, the grid going down would definitely knock out a few servers and render us connectionless for who knows how long. So, what’s the contingency plan? How are we preparing for this eventuality, and more importantly, how is the U.S. electric sector?
Cyberattacks targeting critical national infrastructure
The risks to the grid are real, and attacks on electric grids worldwide have already occurred. A European transmission system spanning 35 countries was hacked in 2020. Over 200,000 Ukrainians lost power in 2015 due to another hack and cybercriminals hacked Korea Nuclear Power in 2014, resulting in leaked plans for two reactors. The energy sector is under siege, and bad actors are testing their strengths (and our weaknesses) in isolated incidents.
“Our national critical infrastructure is extremely hackable,” said Tortuga Logic CEO Andreas Kuehlmann. “If I find a vulnerability in a power meter, I can knock out your power. But I also can knock out everything connected to it.” Attackers are targeting the Supervisory Control and Data Acquisition (SCADA) systems that control many critical national industry (CNI) sectors, and it was reported that 84% of CNI sectors experienced a cyberattack in 2020 alone. Stuxnet, a worm that targeted programmable logic controllers (PLCs), was one of the first cyberthreats to impact the “real world,” destroying one-fifth of Iran’s uranium enrichment centrifuges by recoding them to spin to the breaking point. Then there was Colonial Pipeline, the ransomware attack on the oil industry, and of course, SolarWinds, which was a suspected Nation State job. As incidents happen in more and more U.S. CNI sectors, it’s a tense game of Russian Roulette waiting to see which will get hit next.
When asked if U.S. adversaries currently have the power to disrupt the grid, U.S. Energy Secretary Jennifer Granholm answered simply, “Yes they do”. She added, “I think there are very malign actors who are trying. Even as we speak, there are thousands of attacks on all aspects of the energy sector and the private sector, generally”. In a near echo of Secretary Ganholm’s words, when reporter Ted Koppel asked then-White House advisor on cybersecurity Howard Schmidt, “is there a way we can guarantee that a cyberattack won’t knock out one of our power grids?” – Schmidt answered plainly, “Absolutely not.”
The tenuous safety of the grid
Late last year, U.S. officials privately warned utilities that they could be in the line of fire if conditions with Russia went south and that their security teams should not take the holidays off. Is it possible that the safety of the U.S. power grid, the domain of one of the nation’s largest utilities, could hang on to warnings such as these?
According to some, yes. In his New York Times bestseller Lights Out, journalist Ted Koppel uncovered some shocking worst-case scenarios in the event of a debilitating cyberattack on the grid – and, how underprepared we might be. In the event of a weeks-long lack of power, FEMA would step in, said then-FEMA administrator Craig Fugate as recorded in Lights Out. “That means we need to have enough power to pump, treat, and distribute water through the system. You have to keep the water system up…We [would be] trying to hang on and keep as many people [as possible] from dying until the system comes back,” he said. A pretty dire situation. So how would such an attack start? One likely guess is that cyberattackers would mess with the delicate balance required to keep the grid in play, disrupting the computers that keep the input and outflow of power even (considering usage by businesses, households and cities). Said Eric Hittinger, associate professor at Rochester Institute of Technology and expert in energy policy, “If that balance is disrupted badly enough, everything starts to fall apart. Different parts of the system will start to turn off in unpredictable ways. You end up with cascading failures. You fall off the bike.”
To mitigate the eventuality of this future attack – most in the know say it’s not if, but when – the Pentagon implemented drills on Plum Island, an isolated stretch of land on the northeastern tip of Long Island back in 2015. Carried out by the Defense Advanced Research Agency (Darpa), “the Pentagon’s moonshot research arm,” drills were designed to expose utilities to the realities of getting the power back up in the event of a cyberattack that could shut it down. The results were interesting. “When it comes to cyber, it’s like you’re repairing the damage from the hurricane while it’s still on top of you,” said Brian Lynn, lead trainer for PJM Interconnection LLC, the nation’s largest grid operator. “And I just can’t fix it and know it’s going to hold. I’ve got to keep asking, ‘Did I miss something? Is something still infected?’” This is no surprise given the rising sophistication of attack methods. “What an attacker can do to these embedded devices today makes Stuxnet look like caveman technology,” said Ang Cui, founder of Red Balloon Security and a participant of the exercises. The current skill level of nation-state attacks and APTs is worth noting, and the NSA, FBI, Department of Energy and CISA did just that.
Any summarizing conclusions from the Pentagon-led disaster-day training of U.S. power utilities? Says Cui, “I think it’s pretty clear that we haven’t done nearly enough.”
How the energy sector can prepare
How can we do more? Let’s look at what has already been done. Last year, President Biden signed an Executive Order to improve the nation’s cybersecurity in the aftermath of the Colonial Pipeline incident. What followed was a 100-day sprint to shore up the cybersecurity defenses of the grid, which was a huge step in the right direction.
On a ground level, the zero-day training on Plumb Island did mine some insights we can learn from. Said one consultant on the project, “You have to get your systems operations guys, who don’t speak cyber, to talk to your cyber guys, who don’t speak systems operations.” He admits, “that’s just very challenging,” but it can be overcome, as trainings saw. Noted Donnie Bielak, a colleague at PJM, “Eventually, the utility workers who initially brushed off the cybersecurity experts began to work closely with them. Defenders had to come up with procedures to clean each substation of malware, for instance, before connecting it to the larger grid.” And that is where it starts.
When it comes to battling vulnerable OT, the suggestion of a Smart Grid has been made (hey, there’s a “smart” everything else) but it will take some time before it’s commercially viable or safe enough to use. Besides, whatever new energy infrastructure is coming next, it needs to be able to handle the different cybersecurity requirements brought on by the growing market of renewables as well as the current and expanding needs of the grid itself.
Major grid overhauls aside, what’s going to make a difference right now to electric utilities is the right technology to defend against cyberattacks in the first place. And for that, it’s not one size fits all. You have to consider your current security maturity, establish realistic goals to prevent predefined risk, and work with a trusted advisor who knows the critical national infrastructure landscape – and can build your cyber resilience against mandated national standards in your industry. ITEGRITI specializes in programs that help CNI sectors detect breaches, avoid hacks, reduce recovery time and minimize overall business impact in the event of a cyber emergency. Learn more about how ITEGRITI can help you defend your critical infrastructure and improve your cybersecurity posture.