Lately, it seems that everything is touted as being "smart." We now have smart cities, smart meters, smart phones, smart water, smart cars, smart homes, and the smart grid. But, with every technological and operational advance we make in the interest of productivity (examples being distribution system automation, remote access, and bring your own device), we also make our electric grid more vulnerable to cybersecurity attacks.
The smart grid has introduced new innovations and risks (both cyber and financial) to the electric utility industry. In a Ponemon Institute report, 90% of critical infrastructure providers say their IT/OT environment has been damaged by a cyberattack in the last two years. Additionally, in the Smart Grid Risk Snapshot by the World Economic Forum, experts estimate that a cyberattack on the U.S. grid could cost $1 trillion, which is eight times the cost of the Fukushima nuclear disaster cleanup. It is no longer a question of "if" but rather "when" a compromise may occur and the amount of damage that is done.
Our beloved electric grid is a new frontline in national security. A New York Times article entitled "U.S. Escalates Online Attacks on Russia's Power Grid," made me shudder. The article stated the U.S. had placed malware inside the Russian electric grid. President Trump’s national security adviser, John R. Bolton, is reportedly warning anyone engaged in cyber-operations against us that they would "pay the price." Cybersecurity attacks on the electric grids have been occurring for years and are becoming increasingly sophisticated, going months or years before detection.
The supervisory control and data acquisition (SCADA) systems used by utilities to power critical infrastructure are another example of high value targets that have further induced hackers.
'Dumb Grid' Legislation
The Securing Energy Infrastructure Act (SEIA) passed the U.S. Senate in June 2019, and a companion bill passed the House of Representatives in July 2019. The legislation mandates the DOE national labs study low-tech solutions to protect against cybersecurity threats. SEIA was inspired by the 2015 cyberattack in Ukraine, in which power outages impacted more than 225,000 people. A co-sponsor of the bill, Senator Agnes King, said "The attack could have been worse if not for the fact that Ukraine relies on manual technology to operate its grid." SEIA removes vulnerabilities that allows hackers access to the energy grid through holes in digital software systems. "This approach seeks to thwart even the most sophisticated cyber-adversaries who, if they are intent on accessing the grid, would have to actually physically touch the equipment, thereby making cyber-attacks much more difficult" said King.
A pilot program established by SEIA would (1) identify the security vulnerabilities of certain entities in the energy sector, and (2) evaluate technologies that can be used to isolate the most critical systems of such entities from cyberattacks. Lastly, SEIA requires the DOE establish a working group to evaluate technology solutions proposed by the national laboratories and develop a national strategy isolating the energy grid from attacks. The House and Senate will still need to work out differences between the two companion bills before SEIA is ready to be signed into law.
Is it Smart to be Dumb?
Low-tech redundancies protecting against hackers are logical and used elsewhere in the energy sector. For example, U.S. utilities use both digital and analog systems to monitor, operate, control, and protect their nuclear plants. Digital assets critical to plant systems are isolated from external networks and the internet. This separation provides protection from many cyberthreats. I spoke with a nuclear plant employee who said their plant has more cybersecurity protections because it was built in the 1980s using "retro" analog technologies. Because of their lack of interconnection (dumbness?), surprisingly the aging nuclear fleet is a positive example of cybersecurity protections. We can all agree that we don’t want our nuclear plants to be controlled by an app!
The concept of an "air gap" is a network security measure that ensures that a secure network is completely isolated from unsecured networks, such as the public internet. An "air gap" is to cybersecurity what a trench or mote is to traditional warfare. But, adversaries can still get around "air gaps" using flash drives or by targeting individual physical components through the supply chain, which are the prevailing theories explaining how the Stuxnet worm was able to infiltrate the computer networks operating Iranian nuclear facilities.
Smart technologies bring many benefits including efficiency, predictive analytics, safety and increased reliability. But, with cybersecurity threats, are all of these "smart" technologies truly smart? Physical controls reduce cybersecurity risk, but also require more manpower and cost more. More manual processes can also be less safe for workers.
Common Sense & Preparedness Win
Overall, completely disconnecting from the internet also seems like overkill to me and not the best way to approach grid security. Perhaps it is possible to be both smart and dumb. As in all areas of life, identifying our weaknesses makes us stronger. A well thought-out program, with industry and government collaboration, will result in increased grid security and critical infrastructure resilience.