WASHINGTON — Government and power industry leaders want to improve the country’s weak defenses against a potentially catastrophic cyber-attack on the electric grid, but disagreements persist over the best approach to ensure collaboration between the public sector and the private sector.
What makes the electric grid an attractive target for cyber-attacks is its multiplier effect — an attack on one region or supplier can quickly ripple to others. Its vast infrastructure — from generation plants to substations — is spread over highly interdependent installations that are miles apart.
In addition, the grid makes an appealing target because of its exceptional vulnerability, which stems, in part, from its broad reach.
As past major outages have shown, a line outage or system failure in one area can lead to cascading effects in other areas. In 2003, a blackout across the Northeast, sparked by an overgrown tree near Cleveland, crippled commerce and transportation in the U.S. by cutting off power to 50 million people and causing up to $10 billion of damage to the economy.
As technology has advanced, utilities have begun taking steps to update the electric grid by integrating new technologies, such as automated systems, and information technology networks that connect grid operations and control systems to other computer networks and to the Internet.
Years ago, power companies saw that managing grid operations via the Internet would help them cut costs and increase efficiency, so they moved towards online systems that could be accessed remotely.
“Now we can remotely manage devices via the Internet,” says Mark Weatherford, a leading former Department of Homeland Security cybersecurity official. “So instead of putting someone in a truck and having them drive a hundred miles to a substation in the middle of the mountains somewhere, you remotely manage that.”
Weatherford, now a principal at the Chertoff Group, was among several power executives and cybersecurity experts who gathered recently at an event on grid security hosted by the Bipartisan Policy Center in Washington.
Although the changes have allowed the gradual modernization of the system, the increased interconnectivity has made the grid more vulnerable to attacks from computer hackers.
“To no one’s fault at the time — we didn’t realize it. [We] didn’t think about the security and the insecurity” of Internet connections, Weatherford said.
Security experts are aware of the problem, and they are moving quickly to solve what they see as a rapidly evolving threat to the networks of power utilities. But the increasing complexity of computer systems poses new challenges for personnel who do not have a cybersecurity background.
“How do we teach power engineers and operators what they need to know about cyber and in particular about cybersecurity?” asked Michael Assante, one of the nation’s top experts on cybersecurity. “These are tough questions. If you go to engineering school, you’re not taught about cybersecurity as part of becoming a power engineer.”
Some industry leaders argue that if power utilities want to counter the growing threat of cyber-attacks, they must use the same resources that they use to combat natural disasters.
“We have to treat the cyberthreat with the same respect that we give to forces of nature that impact our grid,” notes Chris Peters, the vice president for critical infrastructure protection at Entergy, one of the country’s largest operators of nuclear power plants. “We have to put the same comprehensive approach and the same attention to cyberthreats as we do to the other threats that impact our system.”
Former CIA and NSA director Michael Hayden warned that Edward Snowden’s actions have created a stir among those who are committed to transparency and Internet freedom, which could result in a retaliatory attack if Snowden is captured by the U.S. government.
“If, and when, our government grabs Edward Snowden and brings him back here to the United States for trial, what does this group do?” asked Hayden rhetorically about hacker groups such as Anonymous. “They may not go after the U.S. government because frankly, the dot mil stuff is one of the hardest targets in the United States. If they can’t go after dot mil, who are they going after? Who, for them, are the [digital] World Trade Centers?”
Anonymous and other affiliated hacker groups have carried out attacks on websites and released private information of thousands of people in the past as retaliation for the U.S. government’s treatment of Bradley Manning (aka “Chelsea Manning”).
“I don’t know that there’s a logic behind trying to punish America or American institutions for [Snowden’s] arrest, but I hold open the possibility,” Hayden said.
Current and former government officials also worry the ongoing disclosures about the National Security Agency’s secret surveillance programs by Snowden could trigger hasty actions by Congress.
The Obama administration, lawmakers, and the private sector in recent years have been negotiating how the government and industry should collaborate to protect the nation’s critical infrastructure.
Despite the emerging consensus that U.S. defenses against cyber-attacks must be improved, the conversation has stalled amid disagreements over the creation of new industry standards, privacy and liability protections, and other critical elements.
In April, the House passed a bill that would increase the sharing of information about cyber threats between the government and the private sector. In a repeat of last year’s vote on the same bill, the White House has threatened to veto it over privacy concerns and the Senate has yet to introduce similar legislation.
President Obama signed an executive order in February aimed to bolster cybersecurity protections for the nation’s critical infrastructure. The order focuses on three main areas: information sharing, privacy, and adoption of cybersecurity practices.
The presidential directive contains a set of incentives to encourage companies responsible for protecting critical infrastructure — such as the country’s electric grid, drinking water, and transportation — to adopt cybersecurity standards. Some of these incentives include collaborating with the insurance industry to provide cybersecurity insurance, expediting government services to those who put protections in place, offering federal grants, and pushing measures to limit liability, Michael Daniel, White House cybersecurity coordinator, wrote in a blog post last week.
Many of the power executives at the conference said it would be hard to make the business case for enhanced cybersecurity measures. Because of the low probability of occurring, it would be tough for power companies to justify any rate increases to finance cybersecurity measures, especially for a threat that consumers have not actually experienced yet.
Some electric utilities have proposed raising customer rates or taking other steps to recover costs of meeting the government’s demands to protect the power grid from cyber-attacks.
Making sure power generation and distribution networks are protected from hackers could represent “huge investments for companies like Exelon,” Edward Goetz, a vice president for energy provider Exelon, told Bloomberg Businessweek. “We would look for some way to recover some of those costs because this is a national security issue.”
Allowing utilities to recover some of the costs of their cybersecurity investments is also one of the incentives Daniel suggested to encourage companies to better protect their networks.
A survey conducted by Sen. Edward Markey (D-Mass.) and Rep. Henry Waxman (D-Calif.) earlier this year highlighted the threat to the electric grid. According to the report, one power utility said it already fields 10,000 attempted attacks every month.
Business executives, National Guard officers, FBI antiterrorism experts, utility workers, and officials from government agencies in the U.S., Canada, and Mexico will participate in an emergency exercise in November organized by the North American Electric Reliability Corporation (NERC).
The purpose of the drill is to explore how governments would react during an attack on the electric grid and its crippling effect on the supply chain of everyday needs. More than 150 companies and organizations have signed up to participate.