U.S. Power Grid Lacks Adequate Security Measures (Opinion)

Federal legislation was recently passed to protect the nation's electric grid against cyberattacks, but the law doesn't go far enough to protect us from imminent attacks. Threats from Iran illustrate that urgent action is needed.

(TNS) — In the wake of escalating military confrontation between the U.S. and Iran, U.S. defense and intelligence officials have warned of a potential onslaught of cyberattacks from Iranian hackers, and the Department of Homeland Security cited Iran's history in cybercrime and ability to target critical infrastructure, including energy grids.

We have reason to worry.

The U.S. electric power system is vulnerable to cyberattacks due to its two-part infrastructure and the mismatched standards of protection imposed on those parts. The U.S. system of electric delivery includes both transmission, for long-distance, very large-scale power delivery, and distribution, for local delivery within cities and towns. (The transmission system feeds power to distribution, and the distribution system feeds it to all of us.) The transmission system is required to meet robust, audited, enforced federal cyberprotection standards, but the distribution system is not. Instead, the distribution system is regulated by state bodies with few or no cyberprotection standards, leaving it vulnerable.

Legislation was recently passed to protect the nation's electric grid against cyberattacks, but the new law doesn't go far enough and doesn't move fast enough to protect us from imminent attacks. Threats from Iran illustrate that more urgent action is needed.

The Securing Energy Infrastructure Act, which was included in the National Defense Authorization Act (signed by President Trump in December), establishes a two-year program "to develop a national cyber-informed engineering strategy to isolate and defend covered entities from security vulnerabilities and exploits in the most critical systems of the covered entities to secure the grid against cyberattacks."

Hackers are already taking advantage of the system's vulnerabilities. A recent news report described a targeted campaign aimed at distribution system utilities serving key facilities in 18 U.S. states. While these hackers' phishing attempts were not successful, the campaign serves as a clear example that cybervulnerability is real.

This is not the first time attackers have targeted critical electric distribution infrastructure. In 2015, 225,000 Ukrainian customers lost power for several hours when three regional distribution companies were attacked, presumably by Russia. Incident response teams subsequently reported that the attackers intended to disable the grid for a much longer period of time.

To gain an appreciation of just how dire the threat is, here's what the National Infrastructure Advisory Council (NIAC) said in its recent draft report: "Escalating cyberrisks to America's critical infrastructures present an existential threat to continuity of government, economic stability, social order, and national security. U.S. companies find themselves on the front lines of a cyberwar they are ill-equipped to win against nation-states intent on disrupting or destroying our critical infrastructure."

The NIAC, made up of experts involved in critical infrastructure from industry as well as state and local governments, sounded the alarm loud and clear. "Bold action is needed to prevent the dire consequences of a catastrophic cyberattack on energy, communication, and financial infrastructures. The nation is not sufficiently organized to counter the aggressive tactics used by our adversaries to infiltrate, map, deny, disrupt, and destroy sensitive cybersystems in the private sector."

The report adds: "It is not a matter of if, but when, an attack will happen. Our window of opportunity to thwart a cyber 9-11 attack before it happens is closing quickly."

Threats from Iran underscore the validity of this report. In other words, waiting two years or longer for the proposed pilot program is not an option. We need to act immediately to extend federal cybersecurity standards to protect the entire power grid through each state, from the largest power generation and transmission facilities to the smallest municipal electric company.

©2020 Telegram & Gazette, Worcester, Mass. Distributed by Tribune Content Agency, LLC.