When 225,000 Ukrainians lost electric power in late December 2015, the failure marked one of the first confirmed cyber attacks to result in outages combined with physical impact. During the attack, multiple hackers orchestrated synchronized, coordinated intrusions, remotely controlling the supervisory control and data acquisition (SCADA) systems of three regional electric power distribution companies.

Six months earlier, the perpetrators had gained access to the companies’ business networks via spear phishing and had stolen operator credentials. Once inside, they used virtual private networks (VPNs) to enter the industrial control system (ICS) network and facilitate the remote access.

During the December attack, the hackers rendered targeted systems inoperable through KillDisk malware and serial-to-ethernet devices that affected firmware. They also disconnected backup power supplies to hamper restoration efforts, likely enabled by BlackEnergy malware.

Not Bulletproof

In the U.S., no entity has reported a cyber attack resulting in a similarly widespread loss of power, although menaces like the one in Ukraine persist across the built infrastructure. The Justice Department on March 24 indicted seven hackers associated with the Iranian government, accusing them of accessing the control system of a water retention dam.

The National Security Agency (NSA) reported in 2014 that it had observed intrusions into industrial control systems by people who demonstrated the technical capability “to take down control systems that operate U.S. power grids, water systems and other critical infrastructure.”

For fiscal year 2015, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) — part of the Department of Homeland Security — responded to 295 cyber incidents in the critical infrastructure. Of those, 46 were aimed at the energy sector.

“The sky is not falling” but we are not bulletproof, either, says Massoud Amin of the University of Minnesota.

Despite the escalation and growing sophistication of threats on the power grid, “the sky is not falling,” says Massoud Amin, chair of the Technological Leadership Institute and professor of electrical and computer engineering at the University of Minnesota. “But we are not bulletproof, either.”

Through new research initiatives and more robust standards, the U.S. aims to better protect against cybersecurity and resiliency vulnerabilities in the electric power grid.

Amin says that most of the same technologies that address weaknesses in other critical sectors, such as banking, that use real-time information and operational control systems also can improve power grid security. However, the electricity infrastructure will require “power system-specific advanced technology as well,” he says.

Developing Resiliency

In that spirit, the U.S. Department of Energy (DoE) recently awarded two grants to develop research centers that help make the power grid less susceptible to attack and more resilient should a cyber-related incident occur.

Researchers will evaluate grid resiliency, of which security is a part “but not the whole ball of wax,” says David Nicol of the University of Illinois.

One recipient is the University of Illinois at Urbana-Champaign, which formed the Cyber Resilient Energy Delivery Consortium (CREDC) that involves 10 other universities and national laboratories. Researchers will evaluate grid resiliency, of which security is a part, “but not the whole ball of wax,” says David Nicol, professor of electrical and computer engineering and CREDC principal investigator.

Resiliency of the nation’s energy delivery systems (EDS) requires robustness, similar to that used in redundant computer systems on space flights, to withstand attacks. The systems also need to provide a “minimal but essential level of service, even in the midst of an event,” and be able to recover quickly, Nicol says.

To achieve resiliency, CREDC investigators are anticipating the ways in which attackers can access control stations and making it harder for them to do so. One objective is to detect the presence of intruders. For instance, an operator might hold the proper credentials to access a specific system but be detected giving an irrational command to a device.

“We are working on a technology that will help you catch that [action] and alert somebody to say, ‘Do you really want to do this?’” Nicol says. He emphasizes the need for more stringent authentication to keep credentials out of intruders’ hands in the first place.

Intrusion detection presents challenges of its own, however. Installing software to do the watching, especially on legacy devices, could slow the system and impact its functionality and safety. Says Nicol: “We need to be able to integrate advanced cyber components with the assurance that we aren’t making systems more vulnerable.”

Other areas the consortium will cover include data analytics for cyber event detection, risk assessment of EDS technology and the impact of the Internet of Things and cloud computing on energy infrastructure resiliency.

Ultimately, CREDC aims to develop effective, affordable technology that can be implemented quickly in the field. As part of the five-year initiative, the group will collaborate with industry partners such as Honeywell and Illinois-based utility Ameren to accelerate the tech-transfer process.

A Study in Feasibility

A second DoE grant was awarded to the University of Arkansas, which is leading the Secure, Evolvable Energy Delivery Systems, or SEEDS, center. Its goal is to research and develop technologies that will detect incidents, prevent intrusions and help grid operators in decision-making when incidents occur.

The center also will explore ways to “proactively harden the energy grid against attack for the purpose of maintaining reliable energy delivery,” says electrical engineering professor and principal investigator Alan Mantooth.

Specifically, researchers from Arkansas and four other universities will create algorithms for software modules that load onto systems and equipment. These may include fault-current limiters, breakers, measurement units, relays, wireless communications systems and power-line communications.

“Collaborating intensively with industry to ensure proposed solutions are viable” is essential, says University of Arkansas’ Alan Mantooth.

Another critical component, Mantooth says, is “collaborating intensively with industry to ensure proposed solutions are viable.” Viability means that solutions must lower risk, as well as integrate into existing or evolving operations paradigms in order to maintain or enhance energy delivery reliability.

Investigators plan to test and validate the protective measures at the universities, then at industry partner sites, before making systems available to power producers and operators throughout the U.S.

The DoE isn’t the only U.S. government entity exploring ways to protect the electrical grid from cyber attack. The Defense Advanced Research Projects Agency (DARPA) has detailed research efforts through a program called Rapid Attack Detection, Isolation and Characterization Systems (RADICS). The program seeks to develop advanced anomaly-detection systems with high sensitivity and low false-positive rates based on analyses of the power grid’s dynamics.

One pillar of RADICS consists of designing a secure emergency network that connects power suppliers after an attack. The alternative online network would isolate the affected utilities from the Internet so they can start recovery efforts without surveillance and interference from adversaries.

To help cyber first-responders and utility engineers restore power safely and quickly, RADICS encourages research and development of systems that localize and characterize malicious software on power company networks.

Adapting Standards

In tandem with research efforts, regulatory standards are evolving to strengthen the power grid against cyber attacks. In July 2016, new critical infrastructure protection cybersecurity standards from the North American Electric Reliability Corp. (NERC) go into effect for owners and operators of the bulk electric system (BES).

One change to the standards — known as CIP Version 5 — is a tiered system that classifies cyber assets as high, medium or low impact. Types of cyber assets include control centers, transmission stations and substations, and systems and facilities critical to electrical grid restoration. The classifications are role-based, rather than risk-based as in the past.

Entities will need to develop incident response recovery plans, as well as document all software and security patches. Image source: NREL

Among other requirements of the revised standards are encryption of grid command and control signals, multifactor authentication for more secure password access and consideration of all serial connections. Entities also must develop incident response recovery plans, as well as document all software and security patches on each BES device.

NERC representative Kimberly Mielcarek says that just as critical is the organization’s Electricity Information Sharing and Analysis Center, which monitors the security of the BES in real time.

Making the Business Case

Although regulations mandate what power producers must do to secure the grid, “that does not increase resiliency with a glad heart,” says University of Illinois’s Nicol. A better approach is communicating to high-level decision-makers the value that new technologies and methodologies bring to the energy delivery system — and their pocketbooks.

For example, technology providers could argue that the same information that looks for intruders on a system also could be used to find more efficient ways of managing processes. “You have to map the issue in terms of return on investment,” Nicol says.

Such investments also present an opportunity “to grow a much more sophisticated, proactive and capable workforce in this area,” says Minnesota's Massoud Amin. To address this need, he developed a Master of Science degree for working professionals in security technologies at the university.

On a broader scale, Amin says that all stakeholders in the bulk power system need to take a more strategic approach to protecting the grid. Updating the regulatory framework, training the workforce and implementing tax recovery are among the actions that lead to a healthier energy delivery system and economy.

“We have to make sure our networks of power and energy, commerce and communications are secure, resilient and worthy of the top economic power in the 21st century,” Amin says. “We’re not yet having that dialogue.”