Last year, I asked the question: How secure is our smart grid? The context was an alarming report claiming that the U.S. electric grid is in imminent danger from a cyberattack.
Has the situation improved one year later? The answer depends on who you talk with and the specific details discussed. What is very clear is that our nation still faces serious cyberthreats and vulnerabilities that are keeping experts up at night.
A U.S. Senate Energy and Natural Resources Committee hearing on March 1, 2018, addressed this very question and focused on efforts to improve the resiliency and reliability of critical energy infrastructure.
That hearing included the following testimony, which is well worth reading and viewing at the link above. The C-SPAN embedded video was not available at the time this blog was published, but may be added later.
Lisa Murkowski — Chairman Senate Committee on Energy and Natural Resources 03.01.18 — Murkowski's Opening Statement (as delivered) — Cyber Hearing.pdf
Witness Panel 1
Maria Cantwell — Ranking Member, Senate Committee on Energy and Natural Resources — (opening statement pdf not available)
The Honorable Bruce Walker — Assistant Secretary of the Department of Energy Office of Electricity Delivery and Energy Reliability — Walker Testimony 3-1-18 SENR Cmte Hrg.pdf
Barbara Endicott-Popovsky — Executive Director, Center for Information Assurance and Cybersecurity, University of Washington Endicott-Popovsky Testimony 3-1-18 SENR Cmte Hrg.pdf
Highlights from the Committee Hearing and Recent Energy Announcements
There was a sense of urgency throughout the hearing, and here are some of the highlights (and rough notes) that I took away, but I urge you to watch the hearing. There are more energy cyber-resources listed below.
Dr. Barbara Endicott-Popovsky
- Everyone is your neighbor — we need to partner and work together across industries
- Rules + new tools — human training — can’t patch stupid
- Not enough talent — talent problems
- Cybersecurity has become a profession – ‘Balkanization’ of the field will not help.
Dr. William Sanders
- Protection alone will not work
- Cyber-resiliency is key and research must include:
  - Continuous collection of sensor data to gauge status
  - Fusion of sensor data with other intelligence information
  - Visualization techniques
  - Analytics
  - Restoration techniques
  - Creation of post event tools
- The cyberthreat is real. Time to act is now
- Grid resilience is not the same as cybersecurity
- Research and development are needed with academia, government and private sector
Mr. Robert M. Lee — (Note: He has a great background at NSA finding the leading nation state cyberattack vectors. Energy is near the top of the list)
Recent incidents show cyberthreat topic is serious.
- Ukraine power grid attack
- Malware in Middle East deployed to target human life
- His company offering three reports on industrial control threats (see below).
- Silver bullets are not real
- NERC CIP standards — regulations are base-level security
- Halt new regs. Workforce development needs to catch up
Senator questions:
- Could we have a ‘Black Swan’ event — energy system complexity?
- Interdependency — gas infrastructure
- North America model
Answer: We need to understand our single points of failure and weaknesses.
What keeps Mr. Lee up at night?
- Disparity between various industries.
- Smaller events + U.S. response
Major Problems Discussed (by all):
- Background checks of people
- Getting specific cyberthreat information to companies in a timely manner
- Timely response to incidents
- Arms Race — both cyberattacks and our defenses are getting better.
Back on Feb. 14, Energy Secretary Rick Perry announced a new cybersecurity office — the Office of Cybersecurity, Energy Security, and Emergency Response. The department is seeking $96 million in funding for fiscal 2019 for coordinating preparation for physical and cyberthreats to critical infrastructure.
At the March 1 hearing of the Senate Energy and Natural Resources Committee, members were skeptical that the new office dovetailed with government-wide efforts to incorporate cybersecurity across all system operations.
Assistant Secretary Bruce Walker, head of DOE's Office of Electricity and Energy Reliability, said the proposed office is "distinct" because the program is meant to be "actionable, near-term and highly responsive," while the rest of the Energy Department's reliability efforts focus on longer-term strategies and research and development.
The NY Post commented on a Senate Armed Services Committee hearing in which: “A second top cyber-security official is sounding the alarm over the US’s inadequate response to Russian and other cyberattacks.
Army Lt. Gen. Paul Nakasone told the Senate Armed Services Committee that adversaries that include Russia, China, North Korea and Iran are not facing retribution for their cyberattacks on the US.”
Resources to Help on Energy Infrastructure Policy and Cyberprotections
The Department of Energy (DoE) offers this website on Cybersecurity for Critical Energy Infrastructure, which is a good place to start. The website states: “Office of Electricity Delivery and Energy Reliability (OE) is to make the nation’s electric power grid and oil and natural gas infrastructure resilient to cyber threats.
The vision of OE’s cybersecurity program is that, by 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions. OE’s cybersecurity program supports activities in three key areas:
- Strengthening energy sector cybersecurity preparedness
- Coordinating cyber incident response and recovery
- Accelerating research, development and demonstration (RD&D) of game-changing and resilient energy delivery systems”
Some excellent reference reports were just issued by Dragos that cover various aspects of cyber vulnerabilities, metrics and insights into industrial control systems. The reports also cover threat activity groups and incident response highlights from the past year.
I also encourage readers to visit the Electricity Information Sharing and Analysis Center (E-ISAC) resources available online.
This North American Electric Reliability Corp. (NERC) website describes the role of the E-ISAC:
- Identifies, prioritizes, and coordinates the protection of critical power services, infrastructure service, and key resources;
- Facilitates sharing of information pertaining to physical and cyber threats, vulnerabilities, incidents, potential protective measures, and practices;
- Provides rapid response through the ability to effectively contact and coordinate with member companies, as required;
- Provides and shares campaign analysis, which includes capturing, correlating, trending data for historical analysis, and sharing that information within the sector;
- Receives incident data from private and public entities;
- Assists the Department of Energy, the Federal Energy Regulatory Commission, and the Department of Homeland Security in analyzing event data to determine threat, vulnerabilities, trends and impacts for the sector, as well as interdependencies with other critical infrastructures (this includes integration into the DHS National Cybersecurity and Communications Integration Center);
- Analyzes incident data and prepares reports based on subject matter expertise in security and the bulk power system;
- Shares threat alerts, warnings, advisories, notices, and vulnerability assessments with the industry;
- Works with other ISACs to share information and provide assistance during actual or potential sector disruptions whether caused by intentional, accidental, or natural events;
- Develops and maintains an awareness of private and governmental infrastructure interdependencies;
- Provides an electronic, secure capability for the E-ISAC participants to exchange and share information on all threats to defend critical infrastructure;
- Participates in government critical infrastructure exercises; and
- Conducts outreach to educate and inform the electricity sector.
You may also want to check out the Global Energy Institute’s cyberpages from the U.S. Chamber of Commerce. They offer reports and statistics to help protect the energy grid, including comments on the cybersecurity incident reporting reliability standards.
So what is the answer? Can the grid be hacked?
It seems like the easy (lawyer-type) answer is best: “It depends.”
The hearings and experts seem to think that smaller regional outages are very possible, and perhaps even probable over the next few years. Their emphasis on reliability and resiliency is constant, and they point out that weather-related electricity outages happen all the time.
However, the feeling of most of the experts seems to be that a nationwide “major grid outage” is very unlikely. They say: “Great work is ongoing. However, many of the smaller utilities have a long way to go.”
A recent report out of GCHQ in the United Kingdom claimed that "energy smart meters could expose millions of Britons to hack." The story highlighted concerns about energy bills being modified, "Trojan Horse" hacks to infiltrate other home networks or even "nation-state actors could exploit the flaws in the energy smart meters to create a power surge that would damage the National Grid."
After reading numerous reports and watching hours of testimony on the grid being hacked in the USA, I remain unconvinced either way. Most experts are holding back and saying there is a lot of work left to be done. The teamwork and partnerships are certainly front and center at the moment, and the new DOE efforts will certainly help.
And perhaps having more humility regarding potential new cyberattacks on the grid is a good place to be right now, since the testimony of experts reconfirmed that the hackers and defenders are both getting better at the same time.