Last year, I asked the question: How secure is our smart grid? The context was an alarming report claiming that the U.S. electric grid is in imminent danger from a cyberattack.
Has the situation improved one year later? The answer depends on who you talk with and the specific details discussed. What is very clear is that our nation still faces serious cyberthreats and vulnerabilities that are keeping experts up at night.
A U.S. Senate Energy and Natural Resources Committee hearing on March 1, 2018, addressed this very question and focused on efforts to improve the resiliency and reliability of critical energy infrastructure.
That hearing included the following testimony, which is well worth reading and viewing at the link above. The C-SPAN embedded video was not available at the time this blog was published, but may be added later.
Highlights from the Committee Hearing and Recent Energy Announcements
There was a sense of urgency throughout the hearing, and here are some of the highlights (and rough notes) that I took away, but I urge you to watch the hearing. There are more energy cyber-resources listed below.
Dr. Barbara Endicott-Popovsky
Dr. William Sanders
Mr. Robert M. Lee — (Note: He has a great background at NSA finding the leading nation state cyberattack vectors. Energy is near the top of the list)
Recent incidents show the cyberthreat topic is serious.
His company is offering three reports on industrial control threats (see below).
Could we have a ‘Black Swan’ event — energy system complexity? Interdependency — gas infrastructure North America model
Answer: We need to understand our single points of failure and weaknesses.
What keeps Mr. Lee up at night? Disparity between various industries. Smaller events + U.S. response
Major Problems Discussed (by all):
Back on Feb. 14, Energy Secretary Rick Perry announced a new cybersecurity office — the Office of Cybersecurity, Energy Security, and Emergency Response. The department is seeking $96 million in funding for fiscal 2019 for coordinating preparation for physical and cyberthreats to critical infrastructure.
At the March 1 hearing of the Senate Energy and Natural Resources Committee, members were skeptical that the new office dovetailed with government-wide efforts to incorporate cybersecurity across all system operations.
Assistant Secretary Bruce Walker, head of DOE's Office of Electricity and Energy Reliability, said the proposed office is "distinct" because the program is meant to be "actionable, near-term and highly responsive," while the rest of the Energy Department's reliability efforts focus on longer-term strategies and research and development.
The NY Post commented on a Senate Armed Services Committee hearing in which: “A second top cyber-security official is sounding the alarm over the US’s inadequate response to Russian and other cyberattacks.
Army Lt. Gen. Paul Nakasone told the Senate Armed Services Committee that adversaries that include Russia, China, North Korea and Iran are not facing retribution for their cyberattacks on the US.”
Resources to Help on Energy Infrastructure Policy and Cyberprotections
The Department of Energy (DoE) offers this website on Cybersecurity for Critical Energy Infrastructure, which is a good place to start. The website states: “Office of Electricity Delivery and Energy Reliability (OE) is to make the nation’s electric power grid and oil and natural gas infrastructure resilient to cyber threats.
The vision of OE’s cybersecurity program is that, by 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions. OE’s cybersecurity program supports activities in three key areas:
Some excellent reference reports were just issued by Dragos that cover various aspects of cyber vulnerabilities, metrics and insights into industrial control systems. The reports also cover threat activity groups and incident response highlights from the past year.
I also encourage readers to visit the Electricity Information Sharing and Analysis Center (E-ISAC) resources available online.
This North American Electric Reliability Corp. (NERC) website describes the role of the E-ISAC:
You may also want to check out the Global Energy Institute’s cyberpages from the U.S. Chamber of Commerce. They offer reports and statistics to help protect the energy grid, including comments on the cybersecurity incident reporting reliability standards.
So what is the answer? Can the grid be hacked?
It seems like the easy (lawyer-type) answer is best: “It depends.”
The hearings and experts seem to think that smaller regional outages are very possible, and perhaps even probable over the next few years. Their emphasis on reliability and resiliency is constant, and they point out that weather-related electricity outages happen all the time.
However, the feeling of most of the experts seems to be that a nationwide “major grid outage” is very unlikely. They say: “Great work is ongoing. However, many of the smaller utilities have a long way to go.”
A recent report out of GCHQ in the United Kingdom claimed that "energy smart meters could expose millions of Britons to hack." The story highlighted concerns about energy bills being modified, "Trojan Horse" hacks to infiltrate other home networks or even "nation-state actors could exploit the flaws in the energy smart meters to create a power surge that would damage the National Grid."
After reading numerous reports and watching hours of testimony on the grid being hacked in the USA, I remain unconvinced either way. Most experts are holding back and saying there is a lot of work left to be done. The teamwork and partnerships are certainly front and center at the moment, and the new DOE efforts will certainly help.
And perhaps having more humility regarding potential new cyberattacks on the grid is a good place to be right now, since the testimony of experts reconfirmed that the hackers and defenders are both getting better at the same time.