The recent push to modernize the electric grid has increased communication between utilities and consumers, enhanced reliability and created more opportunities for green energy producers.
But it also has raised the risk of cyber attacks.
New technology, while largely beneficial for utility companies and their consumers, has created millions of new access points that make the grid vulnerable. Utility companies are spending millions annually in cyber security costs, and the trend will continue with investments in smart meters and other technology meant to bring the electric grid up to date.
Despite the enhanced risk, the effort to modernize the electric grid is largely a good thing, said Annabelle Lee, senior technical executive at the nonprofit Electric Power Research Institute, in Palo Alto, Calif.
New technology has opened the grid to a two-way flow of communication, as smart meters have promoted better communication among utility companies as well as between utilities and consumers. Such real-time information about usage will help to make the grid more efficient, she said.
Technology has allowed utilities to build more reliable power systems while lowering delivery costs, said Michael Assante, a board member for the Council on CyberSecurity in Washington, D.C. He is also the lead for training on industrial control systems and supervisory control and data acquisition security for the SANS Institute, a Bethesda, Md., computer security research and training center.
But, Mr. Assante said, “Technology is always a double-edged sword,” and the growth in reliance on technology comes with growing risk.
Large-scale blackouts and brownouts, communication failures and data theft are potential damages of any cyber event.
The issue drew a lot of attention late last month when U.S. security company Symantec reported that a group of hackers, known as “Energetic Bear” and “Dragonfly,” had gained access to electric systems in the U.S. and Europe. Those hackers had Russian ties, according to Bloomberg.
The modern grid also includes more access points that allow renewable energy generators to provide energy. These are big changes from the past, when the grid was open to only a few participants. Now, it is open to thousands.
Previously, the technology used to control the grid was proprietary, often created specifically for electric utilities. But the technological overhaul that electric utilities are currently undertaking — often required by state governments — requires them to rely on commercially available hardware and software.
With more access and more common hardware and software, there are more opportunities for hackers to access the system, Ms. Lee said.
Unlike most cyber security incidents, which are motivated by monetary interests, the manipulation of the power sector often has geopolitical motivations, Mr. Assante said. The electric grid is an infrastructure asset, and its compromise could give an organization power, for lack of a better word.
Since the electric grid is a national security interest, Mr. Assante said the federal government and utility companies share responsibilities to protect it.
In February, President Barack Obama signed an executive order to assess the grid’s risk. In 2010, the National Institute of Standards and Technology released guidelines for smart grid cyber security, outlining precautions companies should take as they embrace a more modern system.
Last November, the Federal Energy Regulatory Commission approved a new series of critical infrastructure protection reliability standards, addressing the stability of electricity transmission. The new standards will take effect starting in 2016.
They require bulk electric system operators, which handle more than 100 kilovolts of electricity, to classify all assets as high, medium or low risk and to create security plans for each. The current standards require those operators to only identify critical assets.
Most cyber events, even those unrelated to the energy sector, are often accidents with no malicious intent, Ms. Lee said. But the damages are often just as severe.
A technician’s mistake in 2011, for instance, left 7 million people without power in the Southwest. Intentional attacks have yet to inflict that kind of harm.
In complex technological systems, a minor malfunction — or manipulation — can create widespread problems, Mr. Assante said.
A survey of 61 electric utilities conducted by Bloomberg indicated companies are investing an average of $3 million annually on cyber security.
Those investments need to be made in a coordinated way with any investment that companies make in new technology, as each component often carries with it certain security challenges, Mr. Assante said. And security risk — a measure of threat and vulnerability — changes often, so utility companies should constantly evaluate security needs, Ms. Lee said.
The best security investment, Mr. Assante said, is in personnel who can provide that type of evaluation.
He said businesses should be more willing to share information about security breaches so other companies can avoid similar problems. Currently, information about cyber attacks is often guarded to prevent copycat incidents.
Mr. Assante said companies should treat those attacks the same way airlines and plane manufacturers handle crashes, where the Federal Aviation Administration gathers and releases information in a very public manner to avoid repeat instances.
“Being able to learn how incidents are occurring — what was effective, what failed — that’s an important part of any security process,” he said.
©2014 the Pittsburgh Post-Gazette