WASHINGTON—A cybersecurity breach to the nation’s electric power grid could be very disruptive to the economy and our daily lives. So far, it hasn’t happened, but not for the lack of trying. The experts said that the threat is increasing as we modernize the electric grid—the transmission and distribution systems—to a more interconnected “smart” grid.
To discuss the growing threat of cyberattacks to the nation’s electric grid and preventive measures, the subcommittees on Energy and Research and Technology held a joint hearing titled Cybersecurity for Power Systems on Wednesday, Oct. 21. The focus of this hearing was to examine how federal agencies and the Department of Energy national labs can work with industry to protect the security of the nation’s electric grid from cyberattack and physical attack.
“Small-scale cyber and physical attacks to our electric grid are estimated to occur every four days. And in over 300 cases of significant cyber and physical attacks since 2011, suspects have never been identified,” said Randy Weber (R-Texas), chairman of the Subcommittee on Energy, in his opening statement. Others at the hearing also used the four-day estimate, which is based on analysis of federal energy records that USA Today conducted and published on March 24.
Ranking Member Suzanne Bonamici (D-Ore.) of the Subcommittee on Energy said that the energy sector reported more cyberattacks than any other critical infrastructure sector. “In just one month, PJM Interconnection, which coordinates electricity transactions in 13 states and D.C., experienced 4,090 documented cyberattempts to attack their system. That’s more than five and a half attacks on their electrical market system per hour.”
“As the electric power industry modernizes to a more interconnected smart grid, the threat of a cybersecurity breach significantly increases in that sector,” said Subcommittee on Research and Technology Chairwoman Barbara Comstock (R-Va.).
While not a cyberattack, gunmen attacked Pacific Gas and Electric’s Metcalf substation in northern California on April 16, 2013. After severing six underground fiber-optic lines, the attackers fired more than 100 rounds of ammunition at the substation’s transformers, causing the loss of 17 transformers and more than $15 million in damage, according to the USA Today article. The culprits were never caught.
Due to the power rerouting by the Metcalf operators, the community never suffered a loss of power. But the scale and sophistication of the Metcalf attack were unprecedented, and it served as a wake-up call to the power industry.
In 2007, the Department of Homeland Security conducted an experiment, named Aurora, at the Department of Energy’s Idaho National Laboratory (INL). According to PBS’s Nova program “Cyberwar Threat” that aired Oct. 14, the experiment sought to answer the question, “Could a purely digital cyberattack disrupt or disable a large generator connected to the power grid?” The INL engineers hacked a 27-ton, heavy-duty diesel generator, and not only knocked it off INL’s power grid, but rendered it completely inoperable.
It demonstrated a cybervulnerability in the electric power system, testified Brent Stacey, associate lab director for national & homeland science & technology at INL. CNN reported that the hackers “changed the operating cycle of the generator, sending it out of control.”
Gregory Wilshusen, director of information security issues at the Government Accountability Office, enumerated several cyberthreats and vulnerabilities. He said that this year, the director of national intelligence testified that foreign hackers were developing means to access electric power grids remotely, and that the threat will continue to grow as networked operations become more standard.
Wilshusen’s written testimony was a formal GAO report, portions of which he read.
“So far no physically reported cyberevents have resulted in an electricity outage in the United States. But the sophistication of attacks on industrial controls systems is increasing,” said Bonamici.
More Points of Exposure
The electric industry has been upgrading itself with IT (information technology) systems and networks, working toward a more reliable and efficient grid. Wilshusen explained in written testimony that the use of IT systems and networks and two-way communication “automate actions that system operators formerly had to make manually.”
He mentioned two initiatives that can make the system more vulnerable: “smart meters” that enable communication between the utility and customer; and “smart” components that provide the system operator detailed data on the transmission and distribution system.
Smart grid systems have a number of benefits, “including improved reliability with fewer and shorter outages … and an improved ability to detect and respond to potential attacks on the grid,” Wilshusen stated in written testimony, but he warned at the hearing, “if not implemented securely, modernized electricity grid systems will be vulnerable to attacks that could result in widespread loss of electrical services.”
While we can’t stop progress, the new IT systems and the increased interconnection of the grid have created new points of vulnerability. One of the hearing’s witnesses, Bennett Gaines, is responsible for ensuring the security of the cyberassets and physical assets of FirstEnergy Service Company, which controls an interconnected network of power plants, transmission lines, and distribution facilities, serving 6 million electric customers in six states. Gaines said, “Operational and technical advances have created broader surfaces that are more vulnerable to attack.”
The aforementioned Nova program stated the problem simply and concretely. It said that before the new technology, controls at power stations were mechanical switches and immune to cyberattack. Today, the movement to put everything online has created a multitude of vulnerabilities.
“With the increase in the use of digital devices and more advanced communications and IT, the overall attack surface has increased. For example, substations are modernized with new equipment that is digital, rather than analog,” testified Annabelle Lee, senior technical executive from the Electric Power Research Institute. The members of EPRI represent approximately 90 percent of the electricity generated and delivered in the United States.
Recommendations for the Future
Stacey said that the constant daily bombardment of cyberthreats requiring measures and countermeasures is taking up most of the resources of securing a utility. He said research dollars should be allocated to define the “critical assets” vulnerable to cyberintrusions, and “take them off the table.” For example, “analytical circuits” allow only electrons to pass through and do one thing only. Unless the cyberhackers have access to the other side, they can’t do damage, he said.
Stacey recommended that research be conducted on intrusion detection technology. In his written testimony, he wrote, “The average length of time for detection of a malware intrusion is four months and typically identified by a third party.”
Gaines made a strong case for the federal government doing a better job of sharing incident information, which he said was not “actionable.” The data provided on cyberattacks in the industry are “historical,” and not in “real time.” There can be a lag of three to six months after the incident occurs. The malware can lie dormant and unknown when the facility could have been alerted months earlier, he said.
Gaines acknowledged that the Department of Homeland Security, which is the government entity that has overall responsibility for power grid security, provides briefings every three months, but he said the sharing of information “is not good enough.” It’s neither timely nor detailed, he said. One impediment to companies sharing threat information that he mentioned is the concern about liability.
Gaines may get his wish. Any day now, the Senate is set to vote on the Cybersecurity Information Sharing Act (CISA) of 2015 (S. 754), which would improve the sharing of threat information among private industry and the federal government. In April, the House of Representatives, with bipartisan support, passed its version of the bill. The bill grants participating companies immunity from some antitrust and privacy laws. Some tech companies, including Apple, Dropbox, Twitter, Reddit, and Yelp, oppose CISA and have raised concerns that the information shared could be used for purposes other than cybersecurity and provide the government a tool for surveillance.