Get PJ Media on your Apple

Power Industry Seeks Ways to Protect Nation from Major Disaster

Goal is to avoid repeat of devastating 2003 blackout that affected much of the northeast.

Rodrigo Sermeño


August 27, 2013 - 11:29 pm

WASHINGTON — Government and power industry leaders want to improve the country’s weak defenses against a potentially catastrophic cyber-attack on the electric grid, but disagreements persist over the best approach to ensure collaboration between the public sector and the private sector.

What makes the electric grid an attractive target for cyber-attacks is its multiplier effect — an attack on one region or supplier can quickly ripple to others. Its vast infrastructure — from generation plants to substations — is spread over highly interdependent installations that are miles apart.

In addition, the grid makes an appealing target because of its exceptional vulnerability, which stems, in part, from its broad reach.

As past major outages have shown, a line outage or system failure in one area can lead to cascading effects in other areas. In 2003, a blackout across the Northeast, sparked by an overgrown tree near Cleveland, crippled commerce and transportation in the U.S. by cutting off power to 50 million people and causing up to $10 billion of damage to the economy.

As technology has advanced, utilities have begun taking steps to update the electric grid by integrating new technologies, such as automated systems, and information technology networks that connect grid operations and control systems to other computer networks and to the Internet.

Years ago, power companies saw that managing grid operations via the Internet would help them cut costs and increase efficiency, so they moved towards online systems that could be accessed remotely.

“Now we can remotely manage devices via the Internet,” says Mark Weatherford, a leading former Department of Homeland Security cybersecurity official. “So instead of putting someone in a truck and having them drive a hundred miles to a substation in the middle of the mountains somewhere, you remotely manage that.”

Weatherford, now a principal at the Chertoff Group, was among several power executives and cybersecurity experts who gathered recently at an event on grid security hosted by the Bipartisan Policy Center in Washington.

Although the changes have allowed the gradual modernization of the system, the increased interconnectivity has made the grid more vulnerable to attacks from computer hackers.

“To no one’s fault at the time — we didn’t realize it. [We] didn’t think about the security and the insecurity” of Internet connections, Weatherford said.

Security experts are aware of the problem, and they are moving quickly to solve what they see as a rapidly evolving threat to the networks of power utilities. But the increasing complexity of computer systems poses new challenges for personnel who do not have a cybersecurity background.

“How do we teach power engineers and operators what they need to know about cyber and in particular about cybersecurity?” asked Michael Assante, one of the nation’s top experts on cybersecurity. “These are tough questions. If you go to engineering school, you’re not taught about cybersecurity as part of becoming a power engineer.”

Some industry leaders argue that if power utilities want to counter the growing threat of cyber-attacks, they must use the same resources that they use to combat natural disasters.

“We have to treat the cyberthreat with the same respect that we give to forces of nature that impact our grid,” notes Chris Peters, the vice president for critical infrastructure protection at Entergy, one of the country’s largest operators of nuclear power plants. “We have to put the same comprehensive approach and the same attention to cyberthreats as we do to the other threats that impact our system.”

Former CIA and NSA director Michael Hayden warned that Edward Snowden’s actions have created a stir among those who are committed to transparency and Internet freedom, which could result in a retaliatory attack if Snowden is captured by the U.S. government.

“If, and when, our government grabs Edward Snowden and brings him back here to the United States for trial, what does this group do?” asked Hayden rhetorically about hacker groups such as Anonymous. “They may not go after the U.S. government because frankly, the dot mil stuff is one of the hardest targets in the United States. If they can’t go after dot mil, who are they going after? Who, for them, are the [digital] World Trade Centers?”

Anonymous and other affiliated hacker groups have carried out attacks on websites and released private information of thousands of people in the past as retaliation for the U.S. government’s treatment of Bradley Manning (aka “Chelsea Manning”).

“I don’t know that there’s a logic behind trying to punish America or American institutions for [Snowden’s] arrest, but I hold open the possibility,” Hayden said.

Current and former government officials also worry the ongoing disclosures about the National Security Agency’s secret surveillance programs by Snowden could trigger hasty actions by Congress.

The Obama administration, lawmakers, and the private sector in recent years have been negotiating how the government and industry should collaborate to protect the nation’s critical infrastructure.

Despite the emerging consensus that U.S. defenses against cyber-attacks must be improved, the conversation has stalled amid disagreements over the creation of new industry standards, privacy and liability protections, and other critical elements.

In April, the House passed a bill that would increase the sharing of information about cyber threats between the government and the private sector. In a repeat of last year’s vote on the same bill, the White House has threatened to veto it over privacy concerns and the Senate has yet to introduce similar legislation.

President Obama signed an executive order in February aimed to bolster cybersecurity protections for the nation’s critical infrastructure. The order focuses on three main areas: information sharing, privacy, and adoption of cybersecurity practices.

The presidential directive contains a set of incentives to encourage companies responsible for protecting critical infrastructure — such as the country’s electric grid, drinking water, and transportation — to adopt cybersecurity standards. Some of these incentives include collaborating with the insurance industry to provide cybersecurity insurance, expediting government services to those who put protections in place, offering federal grants, and pushing measures to limit liability, Michael Daniel, White House cybersecurity coordinator, wrote in a blog post last week.

Many of the power executives at the conference said it would be hard to make the business case for enhanced cybersecurity measures. Because of the low probability of occurring, it would be tough for power companies to justify any rate increases to finance cybersecurity measures, especially for a threat that consumers have not actually experienced yet.

Some electric utilities have proposed raising customer rates or taking other steps to recover costs of meeting the government’s demands to protect the power grid from cyber-attacks.

Making sure power generation and distribution networks are protected from hackers could represent “huge investments for companies like Exelon,” Edward Goetz, a vice president for energy provider Exelon, told Bloomberg Businessweek. “We would look for some way to recover some of those costs because this is a national security issue.”

Allowing utilities to recover some of the costs of their cybersecurity investments is also one of the incentives Daniel suggested to encourage companies to better protect their networks.

A survey conducted by Sen. Edward Markey (D-Mass.) and Rep. Henry Waxman (D-Calif.) earlier this year highlighted the threat to the electric grid. According to the report, one power utility said it already fields 10,000 attempted attacks every month.

Business executives, National Guard officers, FBI antiterrorism experts, utility workers, and officials from government agencies in the U.S., Canada, and Mexico will participate in an emergency exercise in November organized by the North American Electric Reliability Corporation (NERC).

The purpose of the drill is to explore how governments would react during an attack on the electric grid and its crippling effect on the supply chain of everyday needs. More than 150 companies and organizations have signed up to participate.

(Thumbnail on PJM homepage based on a modified image.)

Rodrigo is a freelance writer living in Washington, D.C.

Comments are closed.

All Comments   (9)
All Comments   (9)
Sort: Newest Oldest Top Rated
"Many of the power executives at the conference said it would be hard to make the business case for enhanced cybersecurity measures. Because of the low probability of occurring, it would be tough for power companies to justify any rate increases to finance cybersecurity measures, especially for a threat that consumers have not actually experienced yet."

That's very true. Unarguably true.

For a publicly traded company, of course. Back in the days of real businessmen, this would have been a no-brainer.
1 year ago
1 year ago Link To Comment
It is possible that, as we migrate to more and more of a digital instrument environment, that the overall grid may become more vulnerable to either remote hostile attacks or to the "sky is falling" scenario related to solar flares. But the fact is, the majority of the grid and its equipment was installed well before digital, and most relaying out there is electo-mechanical and not subject to hacking.

The truth is that the "grid" is no such thing. Electircal distribution, with few exceptions, is highly localized. What happened in 2003 initiated locally in Ohio and got bigger only because the rest of the systems that were sharing high voltage transmission didn't have isolation logic set up to isolate themselves from the effects of the Ohio generator power reject event.

If you want to have a power system that doesn't look like it belongs in a third world tinpot hell hole, then get the wreckers out of the public conversation, get some new HV transmission on line and let the engineers figure out how to protect their local system from companies that don't do their line and protective relaying maintenance properly.

The luddites and the nimbys fight new HV transmission lines every time they come up and they win. As few of them as there are, these creatures have successfully told the rest of you to go perform anatomically impossible and indecent acts upon yourself. If there is no other method of getting your power to you, when your one lonely line goes out, for any reason, your lights go out.

1 year ago
1 year ago Link To Comment
Threat should include EMP from massive ejections from the sun as happened in the 1840s once, and also an Electro-Magnetic Pulse from a high altitude nuke over Kansas or similar location. The nuke could come from the usual suspects and could even be launched from a cargo ship offshore.

Past testing shows that an EMP will cause a lot of damage in non-energized lines and worse in energized lines. The latter will have insulators ruined and hangers melted. The line drops on the ground like spaghetti. The major regional switch apparatuses will be severely damaged and could take a year to get a replacement from Sweden. The big demand will be for big equipment replacements and lots of bodies available to splice and re-hang wires. The latter would take prepositioned hardware such as hangers and splicing, plus instructional paper materials for available enthusiasts, and some kind of social organization around linemen, civilian and ex-military, like the Ground Observer Corps of the past, or Civil Defense Auxiliary. They could have summer picnics to demonstrate climbing and splicing to amateurs, alternative methods to use when there is no bucket truck, etc. The regional switch equipment needs EMP shielding. It might be useful to survey steam locomotive assets in museums etc. in case immediate call-up of pre-electric rail capability is needed.
1 year ago
1 year ago Link To Comment
Cyber attacks are a threat, but the damage they can cause is nothing compared to either a Coronal Mass Ejection solar event (Carrington class) or even a small exoatmospheric nuclear EMP attack. Cyber attacks are unlikely to cause widespread lasting damage, while these other events would take large sections of the power grid down for 6 months to two years - which would be catastrophic and very deadly.

I'd feel a lot better if someone spent the $20 bn or so needed to protect against these events. In a year or two, North Korea will have the capability to, in a spasm of insanity, launch a nuclear-weapon containing satellite over the South Pole and kill 10s of millions of Americans.
1 year ago
1 year ago Link To Comment
“To no one’s fault at the time — we didn’t realize it. [We] didn’t think about the security and the insecurity” of Internet connections, Weatherford said.

How is this even possible? Richard Clarke, former counter-terrorism czar under Clinton, documented the problem some years ago in "Cyber War", where he also discussed the government test run some years earlier in which a power generator's control system was cyber-attacked. That every expensive generator was, by the end of the test, left a smoking mess. (The video is even on YouTube!)

There's yet another problem that has yet to be addressed: vulnerability to massive electronic pulse. While such an EMP can be made-caused, a serious solar storm could prove devastating enough. Is preparing for such an eventuality also too big a hit on the "bottom line" to be dealt with?

As Clarke also noted, the major components of our electric infrastructure aren't sitting in a warehouse as "spare parts", but are custom-made to order. Unlike repairing downed power lines or a blown transformer at a sub-station, a major hit could take months to repair.
1 year ago
1 year ago Link To Comment
There is no need for a power engineer to be an expert in cybersecurity. I'd also be wary of efforts by politicians and rent seeking weasels to add fees to our electric bills. Instead, I'd look at other industries and see if there is an off-the-shelf solution to securing power company networks. I suspect that simply applying good cybersecurity practices from banking would be more than adequate. In addition, while people think security breaches primarily come from hackers, I'd be more worried about security breaches from employees on the inside. I bet the NSA had deployed some great security measures in their networks, only to have those measures defeated by a low-level contract employee.
1 year ago
1 year ago Link To Comment
Cyber attackers and virus trolls should be sent to cub FED for 20 years along with the trolls who scam $26 billion a year from hard working folks, the only way to stop them is punishment
1 year ago
1 year ago Link To Comment
Chemically blinding them and cutting their hands off. Then leave them in the middle of the jungle to fend for themselves. Fair is fair.
1 year ago
1 year ago Link To Comment
Don't have much use for the Constitution, do you?

Or at least not that inconvenient part about "cruel and unusual punishment".
1 year ago
1 year ago Link To Comment
View All