• nick little
  • Business Impact

    Patching the Electric Grid

    Our electric supply is increasingly vulnerable to cyberattack, and new technologies aim to sound the alarm earlier.

    Electric grids worldwide are increasingly vulnerable to attack as new technologies like smart meters and analytical software are added to them, with mature systems like North Americas at particular risk, according to the World Energy Council.  

    Pressure to make older equipment in utilities, transformers, and transmission lines compatible with newer, more efficient Internet-connected equipment at the lowest possible cost has too often made security an afterthought, according to a recent report from MIT’s Center for International Studies.   

    That creates juicy targets for hackers.     

    “For the sake of efficiencies … we have created tremendous risk for ourselves,” warns Joel Brenner, the principal author of the MIT report.

    Most utilities deal with two or three incidents a year that require investigation, but the probability of some kind of attack happening in a given year “is 100 percent,” says Leo Simonovich, director of global cyber strategy at Siemens. About 30 percent of attacks are on the systems that operate the physical plants, whether it be switches or older on-site controls that may not be connected to central operations. That’s up from about 5 percent two years ago, Simonovich says.     

    Now, says MIT’s Brenner, people are waking up to the danger. President Donald Trump last week signed an executive order to speed coördination and enforcement for cybersecurity across agencies, including those that oversee the electric grid. The order builds on moves by the Obama and Bush administrations to better coördinate authority across state lines. One requirement: an assessment of the U.S. ability to withstand a major grid attack.  

    The U.S. grid isn’t a single cohesive entity. Before electricity is delivered to your wall outlet, it flows along a network from power plants through substations, transformers, and power lines into one of five main connections, which themselves interlock with systems in Canada and a small part of Mexico. Overseeing this complex array are eight regional councils, run under National Electric Reliability Council, the federal government, 50 state and five territorial commissions, public and private companies, and even small cities and towns.     

    Vulnerability can come in a variety of forms, from an unsuspecting field operator clicking on malicious software in an e-mail attachment to malware that can detect vulnerabilities in generating and transmission equipment (see “Cybersecurity Risk High in Industrial Control Systems”). Or it might come from skilled hackers targeting systems with outdated software. Worries about grid hacks have spiked since a 2015 strike on Ukraine’s electric grid. Attackers spent months undetected learning Ukraine’s system, probing the networks, stealing credentials, and planning a coördinated assault that eventually cut power to 225,000 people. Ukraine blamed Russia for the attack and for a second event about a year later (see “Ukraine’s Power Grid Gets Hacked Again”), but Ukraine’s utilities lacked some basic security features, like two-factor password authentication, and used duplicated software in some cases, something that carries a federal fine in the U.S. for larger companies.

    Alerted to their vulnerabilities, larger power companies are improving their cybersecurity and adding training. Industry researcher IDC estimates that utilities will spend $4.6 billion a year by 2020 on security hardware, software, and services, rising from $3.5 billion this year.     

    Historically, technology such as the actual switches and physical controls inside a power plant has been upgraded every 15 to 20 years. That’s much slower than the pace in the IT sector, where new generations of technology are installed every three to five years.   

    “My primary concern underlying this whole thing is the pace at which adversaries move,” says Manimaran Govindarasu, an engineering professor at Iowa State University who has studied the vulnerability of the electric grid. “How do we bridge that gap?”

    The Edison Electric Institute estimates that its member companies spent $52.8 billion to modernize transmission and distribution infrastructure in 2016, twice the amount spent a decade ago.     

    Subscribe to The Download
    What's important in technology and innovation, delivered to you every day.
    Manage your newsletter preferences

    Companies including General Electric, Siemens, and Honeywell, whose systems and equipment serve utilities and grid operators, are selling new software, training packages, and data-capturing technologies that they say will help identify threats and prevent damage. Siemens is working with Darktrace, an artificial-intelligence firm with which it recently partnered, to design a system that learns what it calls “a pattern of life” in electricity networks, devices, and the people operating the equipment.     

    By combining all this data and comparing it with typical patterns, Siemens says, it can help an operator detect a problem and quickly dispatch a remedy, giving the utility a better chance of containing the attack.

    GE, the world’s largest maker of power generation equipment, is developing a program designed to recognize issues even earlier, by detecting anomalies in data coming from sensors inside gas turbines and other electricity-generating equipment. If a temperature reading in a turbine doesn’t make sense, the sensors will alert operators to investigate, says Colin Parris, who oversees development at GE’s R&D center. Picking up on the fact that a turbine is being tampered with could help avoid shutdowns, which are expensive because turbines can take up to six weeks to restart. In the long term, GE sees a potential $13 billion market for these types of services.       

    Not fixing these issues could be even more costly. Lloyd’s of London has estimated that the lasting damage from a major attack could exceed $1 trillion in the most extreme case.

    State commissioners, who approve rate hikes, are more concerned with how a utility is managing risk than with meeting a specific spending target, says Miles Keogh, director of the research lab at the National Association of Regulatory Utility Commissioners. Among utilities, there’s “absolutely the will” to spend on cyber defenses, he says.        

    Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.

    Subscribe today

    Uh oh–you've read all of your free articles for this month.

    Insider Premium
    $179.95/yr US PRICE

    More from Business Impact

    How technology advances are changing the economy and providing new opportunities in many industries.

    Want more award-winning journalism? Subscribe to Insider Basic.
    • Insider Basic {! insider.prices.basic !}*

      {! insider.display.menuOptionsLabel !}

      Six issues of our award winning magazine and daily delivery of The Download, our newsletter of what’s important in technology and innovation.

      See details+

      What's Included

      Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

      The Download. Our daily newsletter of what's important in technology and innovation.

    /
    You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.