Power Grid Cyberattacks Keep the Pentagon Up at Night

The Conversation

It’s very hard to overstate how important the US power grid is to American society and its economy. Every critical infrastructure, from communications to water, is built on it and every important business function from banking to milking cows is completely dependent on it.

And the dependence on the grid continues to grow as more machines, including equipment on the power grid, get connected to the Internet. A  last year prepared for the President and Congress emphasized the vulnerability of the grid to a long-term power outage, saying “For those who would seek to do our Nation significant physical, economic, and psychological harm, the electrical grid is an obvious target.”

The damage to modern society from an extended power outage can be dramatic, as  in the wake of Hurricane Sandy in 2012. The Department of Energy earlier this year said cybersecurity was one of the , which is exacerbated by the interdependence between the grid and water, telecommunications, transportation, and emergency response systems.

So what are modern grid-dependent societies up against? Can power grids survive a major attack? What are the biggest threats today?

The grid’s vulnerability to nature and physical damage by man, including a  in 2013, has been repeatedly demonstrated. But it’s the  that keeps many of the most serious people up at night, including the .

Why the grid so vulnerable to cyberattack

One of the most well-known industrial cyberattacks involved these PLCs: the attack, discovered in 2010, on the centrifuges the Iranians were using to enrich uranium. The , a type of malware categorized as an Advanced Persistent Threat (APT), targeted the Siemens SIMATIC WinCC SCADA system.

Stuxnet was able to take over the PLCs controlling the centrifuges, reprogramming them in order to speed up the centrifuges, leading to the destruction of many, and yet displaying a normal operating speed in order to trick the centrifuge operators. So these new forms of malware can not only shut things down but can alter their function and permanently damage industrial equipment. This was also demonstrated at the now famous  at Idaho National Lab in 2007.

Securely upgrading PLC software and securely reprogramming PLCs has long been of concern to PLC manufacturers, which have to contend with malware and other efforts to defeat encrypted networks.

The oft-cited solution of an air-gap between critical systems, or physically isolating a secure network from the internet, was precisely what the Stuxnet worm was designed to defeat. The worm was specifically created to hunt for predetermined network pathways, such as someone using a thumb drive, that would allow the malware to move from an internet-connected system to the critical system on the other side of the air-gap.

Internet of many things

This concern is growing even faster with the Internet of Things (IoT), because there are many different types of sensors proliferating in . How do you know when the message from a sensor is legitimate or part of a coordinated attack? A system attack could be disguised as something as simple as a large number of apparent customers lowering their thermostat settings in a short period on a peak hot day.

Defending the power grid as a whole is challenging from an organizational point of view. There are about 3,200 utilities, all of which operate a portion of the electricity grid, but most of these individual networks are interconnected.

The US Government has set up numerous efforts to help protect the US from cyberattacks. With regard to the grid specifically, there is the Department of Energy’s Cybersecurity Risk Information Sharing Program () and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center () programs in which utilities voluntarily share information that allows patterns and methods of potential attackers to be identified and securely shared.

On the technology side, the National Institutes for Standards and Technology () and IEEE are working on smart grid and other new technology standards that have a strong focus on security. Various government agencies also sponsor research into understanding the attack modes of malware and better ways to protect systems.

But the gravity of the situation really comes to the forefront when you realize that the Department of Defense has stood up a new command to address cyberthreats, the United States Cyber Command (). Now in addition to land, sea, air, and space, there is a fifth command: cyber.

The latest version of The Department of Defense’s  has as its , “Be prepared to defend the US homeland and US vital interests from disruptive or destructive cyberattacks of significant consequence.”

There is already a well-established theater of operations where significant, destructive cyberattacks against SCADA systems have taken place.

In a 2012 report, the National Academy of Sciences called for more research to make the grid more resilient to attack and for utilities to modernize their systems to make them safer. Indeed, as society becomes increasingly reliant on the power grid and an array of devices are connected to the internet, security and protection must be a high priority.

The Conversation. Read the 

see also: