How Secure Is Our Smart Grid?

The U.S. Department of Energy released an alarming report in January 2017, saying that the U.S. electric grid is in imminent danger from a cyberattack. So where have we been, where are we now, and where are we going regarding smart grid security?

  • Facebook
  • LinkedIn
  • Twitter
  • linkText
  • Email
Shutterstock/monicaodo
Over the past several months, alarm bells have been going off regarding potential attacks against the U.S. electrical grid. Consider these recent media headlines:

The Wall Street Journal: Cyberattacks Raise Alarm for U.S. Power Grid — Excerpt: “Cyberattacks that have knocked out electric utilities in Ukraine, including one suspected hack earlier this month, have renewed concern that computer criminals could take down portions of the U.S. power grid.”

U.S. News & World Report: Cybersecurity of the Power Grid: A Growing Challenge — Excerpt: "Until 2015, the threat was hypothetical. But now we know cyberattacks can penetrate electricity grid control networks, shutting down power to large numbers of people. It happened in Ukraine in 2015 and again in 2016, and it could happen here in the U.S., too."

BuzzFeed News: Here’s Why Trump Takes The Blackout Doomsday Scenario Seriously — Excerpt: “The Obama administration’s Energy Department announced $3.9 billion in ‘smart grid’ funding available to the nation’s utilities in 2009, largely for upgrades to defeat normal blackouts and permit home meters to talk back to power companies, but these EMP hawks still warn the overall grid is vulnerable to a knockout punch. Now under President Trump, who is eager to build infrastructure and appear strong on national security, they may finally have an ally in the White House.”                                                                                       
Bloomberg News: U.S. Grid in ‘Imminent Danger’ From Cyber-Attack, Study Says — Excerpt: “The U.S. Energy Department says the electricity system ‘faces imminent danger’ from cyber-attacks, which are growing more frequent and sophisticated, but grid operators say they are already on top of the problem.
In the department’s landmark Quadrennial Energy Review, it warned that a widespread power outage caused by a cyberattack could undermine 'critical defense infrastructure' as well as much of the economy and place at risk the health and safety of millions of citizens. The report comes amid increased concern over cybersecurity risks as U.S. intelligence agencies say Russian hacking was aimed at influencing the 2016 presidential election.”

The U.S. Energy Department’s 494-page report was released during the final days of the Obama administration, and it offered this clear warning for 2017 and beyond: "Cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency. The current cybersecurity landscape is characterized by rapidly evolving threats and vulnerabilities, juxtaposed against the slower-moving deployment of defense measures."

The new report offered a long list of key findings for policymakers, and here are a few:

  • Advanced metering infrastructure has had a significant impact on the nature of interactions between the electricity consumer and the electric system, allowing two-way flow of both electricity and information and enabling the integration of assets behind the meter into the larger electric grid.
  • Interconnection standards and interoperability are critical requirements for seamless integration of grid connected devices, appliances, and building energy management systems, without which grid modernization and further energy efficiency gains may be hindered.
  • Evolving consumer preferences for electricity services are creating new opportunities.
  • The convergence of the electric grid with information and communications technology creates a platform for value creation and the provision of new services beyond energy.
  • There is enormous potential for electric end-use efficiency improvement based on (1) technical analyses, and (2) the differences in energy efficiency performance between states and utilities with and without ambitious electric end-use efficiency policies and programs.
  • There are no commonly used metrics for measuring grid resilience. Several resilience metrics and measures have been proposed; however, there has been no coordinated industry or government initiative to develop a consensus on or implement standardized resilience metrics.
  • Low-income and minority communities are disproportionately impacted by disaster-related damage to critical infrastructure. These communities with fewer resources may not have the means to mitigate or adapt to natural disasters and disproportionately rely on public services, including community shelters, during disasters.
How Did We Get Here? A Short Smart Grid History Lesson

Back in 2010, Scientific American, in an article on Securing the Smart Grid, articulated the new cybersecurity challenges posed by our 21st-century power distribution: “Unlike the traditional power grid, a 'smart' grid is designed to accommodate a two-way flow of both electricity and data. This creates great promise, including lower energy prices, increased use of renewable resources and, it is hoped, fewer brownouts and blackouts. But a smart grid also poses several potential security problems — networked meter data, power companies' computers and those of customers could all be vulnerable to tampering.”

Maintaining resilient electrical power generation and distribution are essential elements in protecting every critical infrastructure area. The Department of Homeland Security houses the national response plans for critical infrastructure protection, and all of the sector-specific plans are inter-related in some way with the use of electrical power.  

I wrote a CSO Magazine blog on how the federal government promised smart grid security back in 2009, and the key questions still remain the same in 2017 — even if the hacker scope of challenges have evolved.

Eight years ago I wrote: “One central question remains: Will the ‘smart grid’ be smart enough to stop hackers? Or in pragmatic layman's terms, can those ‘smart customer meters’ conserve energy,  eliminate the need for the ‘meter man’ to keep running around our neighborhoods, allow us to turn down the home air conditioning from work and allow us to remotely start our ovens to get casseroles ready for dinner — without creating any ‘back doors’ for the inevitable bad guys?"

While there are tremendous global opportunities for smart grid advances and smart city innovations, the hackers could derail progress very quickly causing a major setback in smart grid technology adoption.

An Industry Discussion on YouTube

This past week, I was given the honor and privilege of participating in an online discussion led by IBM on 'Keeping the Lights On — Cybersecurity and the Power Grid.' The questions discussed included:

 — What emerging technologies and factors make power grid security such a priority today?

 — What are some of the challenges utilities face when trying to secure the power grid and how can they overcome them?

 — As utilities incorporate sensors and data from outside their private supervisory control, how do they manage the trust factor?

 — How to best incorporate cybersecurity concerns into the overall security plan for energy and utility companies.

 — What’s the role of government in helping to secure our power grids?

Besides myself, the roundtable discussion participants included:

— Steven Collier, Director of Smart Grid Strategies, Milsoft Utility Solutions

— Morgan Wright, Cyberterrorism and Cybercrime Analyst, and Principal, Morgan Wright LLC

— Bob Stasio, Senior Product Manager of Cyber Analysis with IBM i2 Safer Planet 



Final Thoughts

The U.S. Department of Energy report highlighted the fact that the majority of electric outages in the USA come from weather-related incidents.

Indeed, I remember the follow-up actions that we took after the northeast power outage of 2003 (in Michigan), such as installing two new data center generators for critical systems, were essential steps to keeping the lights on during weather-related outages in 2004. I recapped some of these actions in 2013.

But many experts believe that the next round of grid outages could look more like the recent Shamoon malware attacks that hit Gulf State organizations from November 2016 to January 2017.

I am not prepared to predict a major power outage this year, since many cyberexperts have been wrong about this for several years now. Nevertheless, public- and private-sector organizations need to be preparing now for this likely incident.

We cover many smart grid opportunities, challenges and recommendations in the YouTube panel, so I urge you to listen and learn about what your government can be doing now to prepare.

  • Facebook
  • LinkedIn
  • Twitter
  • linkText
  • Email
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.