The U.S. Department of Energy released an alarming report in January 2017, saying that the U.S. electric grid is in imminent danger from a cyberattack. So where have we been, where are we now, and where are we going regarding smart grid security?
Over the past several months, alarm bells have been going off regarding potential attacks against the U.S. electrical grid. Consider these recent media headlines:
The Wall Street Journal: Cyberattacks Raise Alarm for U.S. Power Grid — Excerpt: “Cyberattacks that have knocked out electric utilities in Ukraine, including one suspected hack earlier this month, have renewed concern that computer criminals could take down portions of the U.S. power grid.”
U.S. News & World Report: Cybersecurity of the Power Grid: A Growing Challenge — Excerpt: "Until 2015, the threat was hypothetical. But now we know cyberattacks can penetrate electricity grid control networks, shutting down power to large numbers of people. It happened in Ukraine in 2015 and again in 2016, and it could happen here in the U.S., too."
In the department’s landmark Quadrennial Energy Review, it warned that a widespread power outage caused by a cyberattack could undermine 'critical defense infrastructure' as well as much of the economy and place at risk the health and safety of millions of citizens. The report comes amid increased concern over cybersecurity risks as U.S. intelligence agencies say Russian hacking was aimed at influencing the 2016 presidential election.”
The U.S. Energy Department’s 494-page report was released during the final days of the Obama administration, and it offered this clear warning for 2017 and beyond: "Cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency. The current cybersecurity landscape is characterized by rapidly evolving threats and vulnerabilities, juxtaposed against the slower-moving deployment of defense measures."
The new report offered a long list of key findings for policymakers, and here are a few:
How Did We Get Here? A Short Smart Grid History Lesson
Back in 2010, Scientific American, in an article on Securing the Smart Grid, articulated the new cybersecurity challenges posed by our 21st-century power distribution: “Unlike the traditional power grid, a 'smart' grid is designed to accommodate a two-way flow of both electricity and data. This creates great promise, including lower energy prices, increased use of renewable resources and, it is hoped, fewer brownouts and blackouts. But a smart grid also poses several potential security problems — networked meter data, power companies' computers and those of customers could all be vulnerable to tampering.”
Maintaining resilient electrical power generation and distribution are essential elements in protecting every critical infrastructure area. The Department of Homeland Security houses the national response plans for critical infrastructure protection, and all of the sector-specific plans are inter-related in some way with the use of electrical power.
I wrote a CSO Magazine blog on how the federal government promised smart grid security back in 2009, and the key questions still remain the same in 2017 — even if the hacker scope of challenges have evolved.
Eight years ago I wrote: “One central question remains: Will the ‘smart grid’ be smart enough to stop hackers? Or in pragmatic layman's terms, can those ‘smart customer meters’ conserve energy, eliminate the need for the ‘meter man’ to keep running around our neighborhoods, allow us to turn down the home air conditioning from work and allow us to remotely start our ovens to get casseroles ready for dinner — without creating any ‘back doors’ for the inevitable bad guys?"
While there are tremendous global opportunities for smart grid advances and smart city innovations, the hackers could derail progress very quickly causing a major setback in smart grid technology adoption.
An Industry Discussion on YouTube
This past week, I was given the honor and privilege of participating in an online discussion led by IBM on 'Keeping the Lights On — Cybersecurity and the Power Grid.' The questions discussed included:
— What emerging technologies and factors make power grid security such a priority today?
— What are some of the challenges utilities face when trying to secure the power grid and how can they overcome them?
— As utilities incorporate sensors and data from outside their private supervisory control, how do they manage the trust factor?
— How to best incorporate cybersecurity concerns into the overall security plan for energy and utility companies.
— What’s the role of government in helping to secure our power grids?
Besides myself, the roundtable discussion participants included:
— Steven Collier, Director of Smart Grid Strategies, Milsoft Utility Solutions
— Morgan Wright, Cyberterrorism and Cybercrime Analyst, and Principal, Morgan Wright LLC
— Bob Stasio, Senior Product Manager of Cyber Analysis with IBM i2 Safer Planet
The U.S. Department of Energy report highlighted the fact that the majority of electric outages in the USA come from weather-related incidents.
Indeed, I remember the follow-up actions that we took after the northeast power outage of 2003 (in Michigan), such as installing two new data center generators for critical systems, were essential steps to keeping the lights on during weather-related outages in 2004. I recapped some of these actions in 2013.
But many experts believe that the next round of grid outages could look more like the recent Shamoon malware attacks that hit Gulf State organizations from November 2016 to January 2017.
I am not prepared to predict a major power outage this year, since many cyberexperts have been wrong about this for several years now. Nevertheless, public- and private-sector organizations need to be preparing now for this likely incident.
We cover many smart grid opportunities, challenges and recommendations in the YouTube panel, so I urge you to listen and learn about what your government can be doing now to prepare.