Electric grids worldwide are increasingly vulnerable to attack as new technologies like smart meters and analytical software are added to them, with mature systems like North America’s at particular risk, according to the World Energy Council.
Pressure to make older equipment in utilities, transformers, and transmission lines compatible with newer, more efficient Internet-connected equipment at the lowest possible cost has too often made security an afterthought, according to a recent report from MIT’s Center for International Studies.
That creates juicy targets for hackers.
“For the sake of efficiencies … we have created tremendous risk for ourselves,” warns Joel Brenner, the principal author of the MIT report.
Most utilities deal with two or three incidents a year that require investigation, but the probability of some kind of attack happening in a given year “is 100 percent,” says Leo Simonovich, director of global cyber strategy at Siemens. About 30 percent of attacks are on the systems that operate the physical plants, whether it be switches or older on-site controls that may not be connected to central operations. That’s up from about 5 percent two years ago, Simonovich says.
Now, says MIT’s Brenner, people are waking up to the danger. President Donald Trump last week signed an executive order to speed coördination and enforcement for cybersecurity across agencies, including those that oversee the electric grid. The order builds on moves by the Obama and Bush administrations to better coördinate authority across state lines. One requirement: an assessment of the U.S. ability to withstand a major grid attack.
The U.S. grid isn’t a single cohesive entity. Before electricity is delivered to your wall outlet, it flows along a network from power plants through substations, transformers, and power lines into one of five main connections, which themselves interlock with systems in Canada and a small part of Mexico. Overseeing this complex array are eight regional councils, run under the National Electric Reliability Council, the federal government, 50 state and five territorial commissions, public and private companies, and even small cities and towns.
Vulnerability can come in a variety of forms, from an unsuspecting field operator clicking on malicious software in an e-mail attachment to malware that can detect vulnerabilities in generating and transmission equipment (see “Cybersecurity Risk High in Industrial Control Systems”). Or it might come from skilled hackers targeting systems with outdated software. Worries about grid hacks have spiked since a 2015 strike on Ukraine’s electric grid. Attackers spent months undetected learning Ukraine’s system, probing the networks, stealing credentials, and planning a coördinated assault that eventually cut power to 225,000 people. Ukraine blamed Russia for the attack and for a second event about a year later (see “Ukraine’s Power Grid Gets Hacked Again”), but Ukraine’s utilities lacked some basic security features, like two-factor password authentication, and used duplicated software in some cases, something that carries a federal fine in the U.S. for larger companies.
Alerted to their vulnerabilities, larger power companies are improving their cybersecurity and adding training. Industry researcher IDC estimates that utilities will spend $4.6 billion a year by 2020 on security hardware, software, and services, rising from $3.5 billion this year.
Historically, technology such as the actual switches and physical controls inside a power plant has been upgraded every 15 to 20 years. That’s much slower than the pace in the IT sector, where new generations of technology are installed every three to five years.
“My primary concern underlying this whole thing is the pace at which adversaries move,” says Manimaran Govindarasu, an engineering professor at Iowa State University who has studied the vulnerability of the electric grid. “How do we bridge that gap?”
Companies including General Electric, Siemens, and Honeywell, whose systems and equipment serve utilities and grid operators, are selling new software, training packages, and data-capturing technologies that they say will help identify threats and prevent damage. Siemens is working with Darktrace, an artificial-intelligence firm with which it recently partnered, to design a system that learns what it calls “a pattern of life” in electricity networks, devices, and the people operating the equipment.
By combining all this data and comparing it with typical patterns, Siemens says, it can help an operator detect a problem and quickly dispatch a remedy, giving the utility a better chance of containing the attack.
GE, the world’s largest maker of power generation equipment, is developing a program designed to recognize issues even earlier, by detecting anomalies in data coming from sensors inside gas turbines and other electricity-generating equipment. If a temperature reading in a turbine doesn’t make sense, the sensors will alert operators to investigate, says Colin Parris, who oversees development at GE’s R&D center. Picking up on the fact that a turbine is being tampered with could help avoid shutdowns, which are expensive because turbines can take up to six weeks to restart. In the long term, GE sees a potential $13 billion market for these types of services.
Not fixing these issues could be even more costly. Lloyd’s of London has estimated that the lasting damage from a major attack could exceed $1 trillion in the most extreme case.
State commissioners, who approve rate hikes, are more concerned with how a utility is managing risk than with meeting a specific spending target, says Miles Keogh, director of the research lab at the National Association of Regulatory Utility Commissioners. Among utilities, there’s “absolutely the will” to spend on cyber defenses, he says.