How to resolve the grid’s cyber vulnerabilities
Gordon Feller | September 13, 2022
The U.S. electrical grid is a complex, interconnected network of technologies focused on power generation, power transmission, power distribution, systems control and communications. Smithsonian Magazine called it the largest and most complicated machine ever built.
Increasingly, it seems, the work of ensuring a reliable supply of energy for the future hinges on a difficult problem: protecting a vulnerable and out-of-date energy grid. Government and industry executives have learned to appreciate how vulnerable many of the grid’s core elements have become. Over the past decade it has been damaged by natural events, such as severe storms, and by malicious events perpetrated by humans, such as physical attacks and cyber-attacks.
This latter type of disaster is a focus of growing concern, since Iran, North Korea, and the Chinese and Russian governments have been caught trying to tamper with utility infrastructure, breaking into such facilities with an eye toward disabling mission-critical systems. Based on federal law enforcement and intelligence agency statements, it seems that both Russia and China have managed to succeed, on a small scale, with their grid disruption initiatives. In a recent article, Bloomberg noted that 10 U.S. electrical facilities’ networks were infiltrated by Russian malware. This comes after years of grid-hacking attacks on enemies that include Ukraine and the U.S.
Responding to threats with government partnerships
While attacks emanating from Russia have been nearly constant during the past few years, one of the Kremlin's attacks of six years ago has been widely studied. This was one of many attacks that revealed some of the most glaring weaknesses in the highly fragmented U.S. electrical system, as outlined in a helpful article published by GovTech.
Industry-government partnerships have become a vital element of the strategy that utilities have begun to use as they work to address grid cyber challenges. Today, some leaders in the electric power industry are working through the non-profit Edison Electric Institute (EEI) via a series of initiatives to safeguard the energy grid from threats. EEI has long been the leading U.S. trade association, bringing together the largest electric utilities.
Under EEI’s umbrella, a few grid-focused partnerships are gaining momentum. One helpful example is the Electricity Subsector Coordinating Council (ESCC). This serves as the principal liaison between the U.S. federal government and the electric power industry on efforts to prepare for, and respond to, national-level disasters, including cyber-threats to critical infrastructure. The Coordinating Council works across the entire electricity industry, and also with the Electricity Information Sharing and Analysis Center, an organization that "reduces cyber and physical security risk to the electricity industry across North America by providing unique insights, leadership, and collaboration." Their goal is to develop actions and strategies that help protect the U.S. grid and prevent a spectrum of threats from disrupting electricity service.
The Coordinating Council represents all segments of the industry: CEOs and executives from electric companies, public power utilities and rural electric cooperatives, as well as their trade association leaders. Through the Coordinating Council, the industry works closely with its government counterparts, including senior administration officials from the White House, cabinet agencies, federal law enforcement and national security organizations. Canadian electric company executives also are represented on the ESCC, due to the international make-up of North America’s complex energy grid.
EEI member companies are partnering with federal agencies to improve sector-wide resilience to cyber-threats and to physical threats. Their strategy is broad-based, but simple: to strengthen its own private-sector capabilities, the electric power industry collaborates with partners that can offer specific assistance to utilities. The long list includes the National Institute of Standards and Technology, the North American Electric Reliability Corporation, and numerous federal intelligence and law enforcement agencies, such as the CIA, the FBI and the Cybersecurity and Infrastructure Security Agency. EEI says that its own member companies “invested more than $25 billion in 2021 in adaptation, hardening, and resilience (AHR) initiatives to strengthen the nation’s transmission and distribution infrastructure.”
Leveraging partnerships in the real world
Both planning and exercises have become critical elements of the national strategy for emergency situations. Electric companies plan and regularly exercise for a variety of situations that could impact their ability, during emergencies, to provide electricity. For example, the American Public Power Association (APPA) conducts an annual cybersecurity exercise, the next of which is slated for September 2022. This war-game will provide public power utilities with the opportunity to do several things: create or strengthen cyber incident response plans; practice incident response during a live, scenario-based tabletop exercise; and share information and experience with the public power community.
APPA is working with Norwich University Applied Research Institutes to use their DECIDE Platform for the exercise. In previous years, this platform has been used in other electric sector cybersecurity exercises. This year’s exercise will include roles for multiple business segments beyond just security professionals — so that utilities can gain experience exercising a full cyber-incident response plan.
APPA is a not-for-profit worth watching. They represent community-owned utilities that power 2,000 towns and cities nationwide; more than 49 million people are served by such utilities. With funding from the U.S. Department of Energy (DOE), APPA published an important document, “Public Power Cyber Incident Response Playbook.” It provides “step-by-step guidance for small to mid-sized public power utilities to help them prepare a cyber incident response plan, prioritize their actions and engage the right people during cyber incident response, and coordinate messaging.”
According to Bridgette Bourge, the APPA’s senior director of cybersecurity, “Public power utilities have a wide variety of exercises in which they participate (or hold internally) and a lot depends on their size, makeup, and available resources. APPA provides tools, resources, and forums to assist public power utilities taking on these and other cyber security activities.”
In the U.S., Bourge and her colleagues “have not seen operational impact from these types of incidents in the electric sector — for numerous reasons, including segmentation.” That being said, Bourge thinks that “it’s vital to remain vigilant and constantly look to up our collective game — since the bad actors are doing the same.”
“If more sophisticated hacking is being utilized and successful then it will depend a lot upon what was hacked, what was impacted, and if there is an operational and/or external impact. To help with these efforts APPA provides public power utilities a cyber incident response playbook that includes step-by-step guidance and critical considerations in preparing for a cyber incident and developing a response plan that enables staff to take swift, effective action. Additionally, if a hacking event is not unique to a single entity or is too much for an entity to handle there are many national plans and partners in place including efforts around Cybersecurity Mutual Assistance (CMAs), which are similar to physical mutual assistance utilized in the electric sector, as well as the E-ISAC, ESCC, DOE and DHS.”
In another example, in November 2021 the North American Electric Reliability Corporation (NERC) conducted a war-game that simulated a grid attack, called GridEx. The scenario presented simulated conditions that severely strained the industry’s ability to communicate operational status to many external stakeholders, including state, provincial and local governments. The scenario’s involvement of a nation-state adversary added a layer of complexity regarding how and with whom to share highly sensitive information. A few important lessons were learned by participants during this war-game:
1. It’s critical to clarify the differing crisis communications roles of different entities.
2. Effective communications procedures and systems make it much easier to share security information.
3. The DOE’s “grid security emergency” authorities are fundamental to the whole process.
4. Enhancing routine and emergency operations coordination — between the electricity industry and natural gas providers — makes it possible to get a more effective response to the attack.
Grid owners and grid operators, many of which are small- to medium-sized companies, have to overcome a number of challenges to counter this cyber-threat. A key review of the cybersecurity risks facing the electric grid was published by the U.S. Government Accountability Office in 2019. Among the study’s most important conclusions, it identified difficulties that include these five big ones:
- Hiring a sufficient workforce
- Limited sharing of classified threat information between the public and private sectors
- Resource constraints
- Reliance on other critical infrastructure that could be vulnerable to cyberattack
- Uncertainty about how to implement cybersecurity standards and guidance
To that end, it seems that utility and government partnerships can help with most of those issues, if not all of them. As a result, we are seeing the tangible value of these efforts. Just ask yourself — are your lights on as you’re reading this?