The Energy Department’s Warning
The U.S. Energy Department has released its Quadrennial Energy Review, in which it warned of U.S. electrical power grids being in ‘imminent danger’ of cyber attack. The Department also stated that a widespread power outage caused by a cyber attack could mean the undermining of “critical defense infrastructure” and much of the economy, as well as place the health and safety of millions of citizens in jeopardy. As attacks of this nature are becoming more frequent and sophisticated, The U.S. Department of Homeland Security has gone as far as to say that an attack on a U.S. power grid by a foreign enemy is one of their top concerns because such an attack could be one of the quickest ways to destroy the U.S. economy.
The issue of power grid security has become a concern for the Energy Department after allegations of Russian hacking on the U.S. election last year, as well as a supposed Russian attack on a Vermont electric utility at the start of the new year; However, whether or not these alleged Russian hacker scares are true, attacks of this nature have actually happened in the past quite frequently, and it is important to learn from these previous attacks on grids across the globe in order to properly secure these sources of energy from further attack.
Cyber Attacks on Energy Systems Across the Globe
In 2007, researchers for the Department of Energy conducted a vulnerability test on the power plant system at their Idaho lab. The staged attack, dubbed ‘Aurora,’ was launched by researchers to see where vulnerabilities might be hiding which ultimately resulted in the self-destruction of a generator. experimental cyber attack caused a generator to self-destruct. Though these were not malicious actors hacking into the system, this experimental cyber attack highlighted just how easy it would have been for a hacker to break in and cause harm. This was a bit of a wake up call for the federal government and electrical industry, as it made them think about what might happen if such an attack were carried out on a larger scale and by someone looking to cause harm to the American people.
Thankfully, by researching the vulnerabilities of the power grid in Idaho, the Energy Department has learned how to strengthen the cybersecurity defenses on these devices more so than ever before; though this is good news, acting undersecretary of DHS’s National Protection and Programs Directorate, Robert Jamison, said that vulnerabilities of this type cannot be easily eliminated, rather they need constant monitoring and updates that tests like these can aid in.
Though the cyber attack on the Idaho power plant was a staged event and not malicious in its nature, some grid attacks do not pan out so nicely. Just last month, an alleged Russian cyber attack was launched on a Ukrainian power grid in the country’s capital. This was the second year in a row where a holiday-timed cyber attack hit the Kiev grid. Vsevolod Kovalchuk, acting chief director of Ukrenergo, stated that a power distribution station near Kiev unexpectedly switched off early on a Sunday morning, leaving the northern part of the capital without electricity, adding that the outage amounted to 200 megawatts of capacity, which is equivalent to about a fifth of the capital’s energy consumption at night. He said there were only two possible explanations for the accident: a hardware failure or external interference; either way, regardless of which of these was the actual cause, it comes down to an inherent cybersecurity flaw.
Grid Vulnerabilities in the Modern Age
In the continental United States, there isn’t a single national grid; instead there are three major grids, (1) the Eastern Interconnect, (2) the Western Interconnect, and (3) the Texas Interconnect (in addition to the grids covering Alaska and Hawaii). As these electric grids comes into the 21st Century through things like Smart grids, which automate operations and ensure that components of the grid can communicate with each other as needed, cybersecurity needs to be even stronger in order to properly protect these grids. There are four major vulnerability areas in 21st Century electric grids (detailed below), and it is important for the U.S. to take note in order to properly prepare for future cyber attacks on power grids.
- Platform Configuration– This vulnerability comes from improper OS and application security patches maintenance, inadequate access controls, and unenforced password policies.
- Platform Software– This security flaw is similar to what businesses and individuals face daily, with cyber attacks such as DDoS, lack of intrusion detection and prevention, and malware/ransomware threats as well.
- Network Configuration– A grid experiences Network Configuration Vulnerability if network configurations or connections are not protected by something, specifically a hardware firewall. If there is nothing between the hackers and the network to protect it, it falls into this category. Also under this category are Network Perimeter Vulnerabilities which include any network leaks or insecure Internet connections.
- Network Communication– This vulnerability occurs when communication between people via devices connected on the network are compromised. This, like Network Configuration Vulnerabilities, is primarily caused by a leak in network security.
In their Quadrennial Energy Review, the Energy Department also stressed the importance of incorporating cybersecurity in these grids because of their impact on the Internet of Things.
Grid control systems now handle, sense, and control endpoints numbered in the thousands. Widespread DER/DR penetration implies that future grid control systems may have to coordinate millions of end point control devices to support grid functions. These devices vary in type, from digital sensors and smart boards built into transformers, to mobile devices used by field operators and grid control managers… Grid control systems must evolve from being centralized to a hybrid of central and distributed control platforms… grid security and reliability assurance concerns mean that Federal authorities must be included in designing 21st-century grid control systems.
Hailey R. Carlson | Axiom Cyber Solutions | 01/25/2016