After it came to light this summer that hackers had infiltrated the computer networks of two U.S. power companies – at a time when the country was still reeling from Russian cyberattacks aimed at influencing the 2016 election – the prospect of hackers taking down the U.S. power grid and sending the nation into chaos suddenly seemed very real.
The companies pledged there was no danger. Senators called hearings and wrote letters to the White House demanding to know what it was doing about it.
But to the teams of cybersecurity analysts charged with protecting the world’s industries from a rapidly evolving deluge of malware, viruses and other tools of the hacker trade, it was just the latest in an escalating cyberwar against power grids and other critical infrastructure around the globe.
“The message that I’d like to communicate, intrusions, spear-phishing and other (hacking attacks),” said Mark Bristow, deputy division director of the Department of Homeland Security’s Hunt and Incident Response Team. “It happens every day.”
The foundation around which the U.S. economy runs, the power grid makes an intriguing target for hackers – whether it’s foreign governments, criminals looking for a big payday or hackers just seeing what mischief they can cause. And as attempts to infiltrate computer networks that control the grid and other industrial systems escalate, cybersecurity experts and some government officials are increasingly concerned that a large-scale, well-financed and coordinated cyberattack is coming, risking the sort of widespread blackouts that hit Ukraine in 2015 after hackers broke into the systems of three power plants.
Last year, members of DHS’ Industrial Control Systems Cyber Emergency Response Team recorded 290 cases of hackers gaining access to systems at everything from power plants to telecommunications systems. Considering companies are not required to report such incidents unless they lose control of critical infrastructure – to date something that has never been publicly reported in the United States – that number is likely far lower than the reality. Still, it represented more than twice as many incidents as were reported in 2011.
“What the electric industry folks tell me is, ‘We lay awake at home every night thinking about this,’ ” said a former top energy official in the Obama administration, who declined to be identified because those conversations were private. “Someone from one of the nation’s largest utilities, and I can’t say who, told me they had hackers trying to get into their system 3,000 times a day.”
The break-ins disclosed by Burlington Electric in Vermont and the Wolf Creek Nuclear Operating Co. of Kansas – which the companies maintain did not breach the networks that control the grid – have begun to raise debate in Washington over whether the government is doing enough. Federal authority over the power grid essentially stops where transmission lines end, leaving security over the vast complex of neighborhood power lines, transformers, smart meters and other digital controls largely to utilities and power generators.
That has left the grid a technological patchwork, with some companies failing to meet the elemental standards for cybersecurity, nearly a dozen government and private-sector experts said.
“Something needs to change because right now we’re sitting ducks,” said Sujeet Shenoi, a computer science professor at the University of Tulsa who trains students for cybersecurity careers with the National Security Agency, FBI and other intelligence and law enforcement agencies.
Where once countries fought over land and waterways, the ability to control and protect the world’s digital systems is fast becoming a new arms race. In countries like Israel, Shenoi said, cybersecurity standards for power grids, pipelines, telecommunications and other vital systems are set by the government’s intelligence and security officials. And in leaving it in the hands of the private sector, he warned, the U.S. is falling behind.
Cyberattack in Ukraine
The cautionary tale is Ukraine, where in late 2015 operators at electric utilities watched helplessly as hackers took control of their systems, shutting down one breaker after another, knocking out power to some 230,000 customers for up to six hours. In the aftermath, a team from the U.S. Department of Homeland Security investigated the attack, finding the Ukrainians did not have basic cyberdefenses in place.
Computer systems that controlled the grid were not properly separated from those handling emails and other information technology functions, providing hackers easier access to the networks, the U.S. investigators discovered. On top of that, the Ukraine network was not using the latest techniques to verify users trying to log in from outside.
The U.S. grid is widely described as considerably more advanced than those in Eastern Europe, but some of those same security failures in Ukraine could very well be found here, said Homeland Security’s Bristow, who was part of the team that traveled to Ukraine.
“I’ve definitely seen some with very, very robust security postures, and I’ve seen some that definitely could use some improvement,” he said. “It really depends utility to utility.”
In his final weeks in office before the inauguration of President Donald Trump, former Energy Secretary Ernest Moniz urged Congress to consider expanding federal authority over cybersecurity for energy infrastructure, arguing it was “inherently a federal responsibility when one talks about a national security concern.” That echoed recommendations made in 2014 by Gen. Michael Hayden, the former CIA and NSA director during the George W. Bush administration. Hayden called for a significant expansion of federal powers to dictate standards protecting the grid from cyberattack.
Democrats are demanding that Trump order a review of Russia’s capability to launch a cyberattack against U.S. energy infrastructure, specifically looking at the malware CrashOverride, which is believed to have been used in the attack on Ukraine in 2015. But whether members of Congress of either party would go so far as to advocate for the federal government to dictate cybersecurity standards on the power grid remains a sensitive topic, raising the prospect of an expansion of federal powers, which many state governments, including Texas, are bucking.
Even legislation to improve data sharing between utilities during cyberattacks faces opposition from utilities worried that they might have to raise rates to cover the costs of better cybersecurity, said Rep. Jerry McNerney, D-Calif., a sponsor of the bill.
“It would have pushback,” he said. “(Utilities) want to have security, and privately they’ll admit it’s good to have standards. But they have to answer to ratepayers, and publicly they’re saying they don’t want it.”
The industry argues that unlike foreign countries – where the grid is often controlled by a single state-owned utility – the U.S. grid is a kaleidoscope of hundreds of different utilities and power companies of varying size and wealth, making the creation of a single federal standard difficult to implement, said Scott Aaronson, executive director of security and business continuity at the Edison Electric Institute, a trade group.
“What happened in Ukraine is a lot harder to perpetrate here in North America,” Aaronson said, adding utilities have an economic incentive to keep hackers out of their systems. “If our equipment’s not spinning, we’re not making money.”
To what degree utilities are taking adequate steps to protect themselves is difficult to assess. The North American Electric Reliability Corporation, the quasi-governmental agency that oversees utilities, performs regular cybersecurity audits, but those findings are kept private, as are the names of the companies it penalizes for not meeting its standards.
A nightmare scenario
Cybersecurity experts say utilities, particularly larger, publicly traded ones like Centerpoint of Houston and Oncor of Dallas, have made great strides strengthening cybersecurity in the past few years. But, they added, just as utilities improve defenses, hackers come up with new and ever more complex means of attacks.
Lately, Shenoi, the University of Tulsa professor, said he’s thinking about smart meters, the digital electric meters installed at tens of millions of homes and buildings across the country over the past decade. They save the utility from sending out crews to read meters, but also give hackers new and numerous avenues of attack, Shenoi said.
To explain the implications, he pointed to 2003, when a failure of a cluster of power lines in Ohio cascaded into a blackout across the Northeast, Midwest and parts of Canada, knocking out power to 55 million people.
“There were a few points of failure, but still it took six days to two weeks to restore power,” Shenoi said. “Imagine if you have 2 million smart meters and imagine you were able to damage or destroy through cyberspace every one of those meters. Where are you going to get the millions of smart meters to replace them? It’s going to take a year.”
Such a scenario has long been taken seriously by the federal government. A 2013 report by the Department of Defense, imagining a cyberattack on the power grid and other critical infrastructure, predicted the following:
“In a short time, food and medicine distribution systems would be ineffective; transportation would fail or become so chaotic as to be useless. Law enforcement, medical staff, and emergency personnel capabilities could be expected to be barely functional in the short term and dysfunctional over sustained periods.”
Utilities themselves are not writing off the possibility. During the cyberattack on Ukraine, one of the saving graces was that utilities were still digitizing control systems. When hackers breached their systems, utilities fell back on old manual breakers and other controls to minimize the damage. Some U.S. utilities are developing similar plans in which they, too, could essentially abandon digital devices and fall back on old analog equipment, said Aaronson, of the Edison Electric Institute.
“We operated the grid for the better part of the 20th century without smart infrastructure,” he said.