Utilities Engaged In Hand-To-Hand Cyber Combat To Keep The Lights On
America’s energy infrastructure is getting bombarded through cyber warfare — attacks that are getting through and which if the big one hits, would signal lights out on huge population centers. It’s not a computer game. It’s real, which is constantly testing corporate resolve.
Kudos to USA Today for getting its hands on the Energy Department’s Joint Cybersecurity Coordination Center, which indicates a steady barrage of assaults on the nation’s vital infrastructure and its energy laboratories. The newspaper found that in a 48 month period ending nearly a year ago that 1,131 attacks occurred, with 159 of those successful.
What’s all this mean? Electricity, of course, is the lifeblood of any society, enabling commerce to not just ebb and flow on the streets but also on the transmission wires. Knocking out the power could cost billions of dollars in damages and lost opportunities. But it could also threaten national security; any person — or foreign adversary — that penetrates such hardened technology is able weaken a country at its core and deflate the confidences required to buoy an economy.
“If privacy is breached, it shows a lack of competency and it feeds distrust,” says Larsh Johnson, chief technical officer at Siemens Smart Grid, in an interview at the company’s annual retreat in Boston last week. “There are some cases where malicious operations could result in power outages.”
The grid is especially vulnerable, given its vast outreach. Altogether, there are about 5,800 major power plants and 450,000 high-voltage transmission lines in the United States. Because the system is now connected to the outside world through the Internet, it has been become subject to evermore attacks. Roughly 85 percent of that infrastructure is owned by private entities, which maintain that they have an inherent interest in protecting their assets from outside hazards.
Consider the smart grid that allows utilities and customers to communicate with each other: A nemesis can manipulate the data and disrupt the network — just as a number of smaller but potent viruses have already done. The big one, of course, has been Stuxnet that this government used in coordination with that of Israel and that was intended to diminish the Iranian nuclear program.
For their part, utilities are already required under the Energy Policy Act of 2005 to certify with the Federal Energy Regulatory Commission that they have developed robust systems that can continue to generate and deliver power if attacked. To comply, they are describing their potential risks based on historical accounts. Meantime, nuclear operators have their own separate requirements that they follow and that they report to the Nuclear Regulatory Commission.
And utilities are swamped. Siemen’s Johnson says that Xcel Energy is successfully fending off thousands of would-be attackers a month. A lot of other power companies are doing the same. It’s a good thing, given that customer information is relayed to data centers that gets uplifted to cloud-based storage operations — intelligence that may be useful to an entity with nefarious purposes.
Outsiders are breaking in through, in some cases, unsuspecting workers who download malware and spyware that invade control systems. The result could be anything from taking proprietary information to killing the power.
Looking back, the Great Blackout of 2003, which began in FirstEnergy’s territory and which was the result of unwieldy trees that had interfered with the lines, was all compounded by a computer system error. Ultimately, 50 million people stretching from the Mid Atlantic states to the Northeast and into Canada were affected. That cost $6 billion and 11 lives.
Grid operations are being protected by everything from frequent password changes to periodic patches to firewalls and upgrades. But it’s a never-ending battle. Setting priorities by identifying high-value assets and then restricting access is a good start, all while ensuring employees are well-trained and well-vetted.
“It is important to understand that security is a process and will never be completely resolved,” says Utilities Telecom Council Cybersecurity Strategist Nadya Bartol, in congressional testimony last week.
“We have had sporadic attacks and gaps,” adds Larsh Johnson. “We can feel secure but it does not mean we should stop.”
In the age of digital communications, corporations must be on their toes to defend against not just those who want to steal their secrets but also those who want to damage their businesses and the trust that their customers have put in them. Naturally, utilities have been thrust to the front lines in this clash and are now engaged in cyber combat with a faceless and potentially lethal enemy.
This article was written by Ken Silverstein from Forbes and was legally licensed through the NewsCred publisher network.