Skip to Content

Patching the Electric Grid

Our electric supply is increasingly vulnerable to cyberattack, and new technologies aim to sound the alarm earlier.
nick little

Electric grids worldwide are increasingly vulnerable to attack as new technologies like smart meters and analytical software are added to them, with mature systems like North Americas at particular risk, according to the World Energy Council.  

Pressure to make older equipment in utilities, transformers, and transmission lines compatible with newer, more efficient Internet-connected equipment at the lowest possible cost has too often made security an afterthought, according to a recent report from MIT’s Center for International Studies.   

That creates juicy targets for hackers.     

“For the sake of efficiencies … we have created tremendous risk for ourselves,” warns Joel Brenner, the principal author of the MIT report.

Most utilities deal with two or three incidents a year that require investigation, but the probability of some kind of attack happening in a given year “is 100 percent,” says Leo Simonovich, director of global cyber strategy at Siemens. About 30 percent of attacks are on the systems that operate the physical plants, whether it be switches or older on-site controls that may not be connected to central operations. That’s up from about 5 percent two years ago, Simonovich says.     

Now, says MIT’s Brenner, people are waking up to the danger. President Donald Trump last week signed an executive order to speed coördination and enforcement for cybersecurity across agencies, including those that oversee the electric grid. The order builds on moves by the Obama and Bush administrations to better coördinate authority across state lines. One requirement: an assessment of the U.S. ability to withstand a major grid attack.  

The U.S. grid isn’t a single cohesive entity. Before electricity is delivered to your wall outlet, it flows along a network from power plants through substations, transformers, and power lines into one of five main connections, which themselves interlock with systems in Canada and a small part of Mexico. Overseeing this complex array are eight regional councils, run under National Electric Reliability Council, the federal government, 50 state and five territorial commissions, public and private companies, and even small cities and towns.     

Vulnerability can come in a variety of forms, from an unsuspecting field operator clicking on malicious software in an e-mail attachment to malware that can detect vulnerabilities in generating and transmission equipment (see “Cybersecurity Risk High in Industrial Control Systems”). Or it might come from skilled hackers targeting systems with outdated software. Worries about grid hacks have spiked since a 2015 strike on Ukraine’s electric grid. Attackers spent months undetected learning Ukraine’s system, probing the networks, stealing credentials, and planning a coördinated assault that eventually cut power to 225,000 people. Ukraine blamed Russia for the attack and for a second event about a year later (see “Ukraine’s Power Grid Gets Hacked Again”), but Ukraine’s utilities lacked some basic security features, like two-factor password authentication, and used duplicated software in some cases, something that carries a federal fine in the U.S. for larger companies.

Alerted to their vulnerabilities, larger power companies are improving their cybersecurity and adding training. Industry researcher IDC estimates that utilities will spend $4.6 billion a year by 2020 on security hardware, software, and services, rising from $3.5 billion this year.     

Historically, technology such as the actual switches and physical controls inside a power plant has been upgraded every 15 to 20 years. That’s much slower than the pace in the IT sector, where new generations of technology are installed every three to five years.   

“My primary concern underlying this whole thing is the pace at which adversaries move,” says Manimaran Govindarasu, an engineering professor at Iowa State University who has studied the vulnerability of the electric grid. “How do we bridge that gap?”

The Edison Electric Institute estimates that its member companies spent $52.8 billion to modernize transmission and distribution infrastructure in 2016, twice the amount spent a decade ago.     

Companies including General Electric, Siemens, and Honeywell, whose systems and equipment serve utilities and grid operators, are selling new software, training packages, and data-capturing technologies that they say will help identify threats and prevent damage. Siemens is working with Darktrace, an artificial-intelligence firm with which it recently partnered, to design a system that learns what it calls “a pattern of life” in electricity networks, devices, and the people operating the equipment.     

By combining all this data and comparing it with typical patterns, Siemens says, it can help an operator detect a problem and quickly dispatch a remedy, giving the utility a better chance of containing the attack.

GE, the world’s largest maker of power generation equipment, is developing a program designed to recognize issues even earlier, by detecting anomalies in data coming from sensors inside gas turbines and other electricity-generating equipment. If a temperature reading in a turbine doesn’t make sense, the sensors will alert operators to investigate, says Colin Parris, who oversees development at GE’s R&D center. Picking up on the fact that a turbine is being tampered with could help avoid shutdowns, which are expensive because turbines can take up to six weeks to restart. In the long term, GE sees a potential $13 billion market for these types of services.       

Not fixing these issues could be even more costly. Lloyd’s of London has estimated that the lasting damage from a major attack could exceed $1 trillion in the most extreme case.

State commissioners, who approve rate hikes, are more concerned with how a utility is managing risk than with meeting a specific spending target, says Miles Keogh, director of the research lab at the National Association of Regulatory Utility Commissioners. Among utilities, there’s “absolutely the will” to spend on cyber defenses, he says.        

Keep Reading

Most Popular

It’s time to retire the term “user”

The proliferation of AI means we need a new word.

The problem with plug-in hybrids? Their drivers.

Plug-in hybrids are often sold as a transition to EVs, but new data from Europe shows we’re still underestimating the emissions they produce.

Sam Altman says helpful agents are poised to become AI’s killer function

Open AI’s CEO says we won’t need new hardware or lots more training data to get there.

An AI startup made a hyperrealistic deepfake of me that’s so good it’s scary

Synthesia's new technology is impressive but raises big questions about a world where we increasingly can’t tell what’s real.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.