From Scott Carlberg

“Today’s energy industry has undergone rapid digitalization, presenting attackers with new attack surfaces to exploit.” That’s what POWER magazine reported.  At a recent Charlotte event a major energy figure told me cyber security is his biggest energy concern.

ECC will do two blogs about cyber security. This is the introduction.

Smart grids, smart devices, and humans all play into the cyber threat. The sheer volume of possible attack points is mind-boggling. “The Tennessee Valley Authority — the biggest U.S. government-owned electric utility with seven nuclear reactors, 29 hydroelectric dams and service to the Oak Ride nuclear weapons arsenal … monitors more than 1 billion activities a day…” (Source)

A survey of more than 1,500 utility professionals showed nearly one-half have suffered an outage or data loss in the last 12 months, and half of them expect an attack on critical infrastructure within the next 12 months.

A Wall Street Journal story on November 25, Utilities Identified in Cyber-attacks, said the issue is coast-to-coast, but noted one South Carolina coop in the story. The utilities attacked seemed to share a trait, they are, “…located near dams, locks and other critical infrastructure.” WSJ’s observation: “This year’s hacking campaign illustrates the extent of the threat: Even smaller utilities, which often lack big budgets for security measures, are vulnerable, even though experts once believed their low profile afforded them some protection.” More startling, some of the utilities that were attacked had to be told by the FBI it had or was happening.

The U.S. electric grid has three distinct functions, as described in a Government Accounting Office cyber report.

  • Generation and Storage. Power plants generate electric power by converting energy from other forms—chemical, mechanical (hydroelectric or wind), thermal, radiant energy (solar), or nuclear— into electric power. Energy storage, such as batteries or pumped hydroelectric, can improve the operating capabilities of the grid while also regulating the quality and reliability of power.
  • The power transmission system connects geographically distant power plants with areas where electric power is consumed. Substations are used to transmit electricity at varied voltages and generally contain a variety of equipment, including transformers, switches, relays, circuit breakers, and system operations instruments and controls.
  • The distribution system carries electric power out of the transmission system to industrial, commercial, residential, and other consumers.

The GAO report says that the Department of Energy (DOE) has not done enough to protect the electrical grid against increasing cyber attacks, according to the Washington, DC, publication, The Hill.  Trouble is that the DOE is not the only organization that has to be on-guard. Utilities are. Frankly, they have done yeoman’s work so far in a growing and evolving threat, especially considering the wide range of resources and cyber sophistication across utilities.

Threats come from nations, criminal groups, terrorists, and in some cases employees in the utilities.

Attackers look for vulnerabilities, especially in industrial control systems that support grid operations. (The illustration from the report shows ways in which an attacker could compromise industrial control systems.) The increasing adoption of Internet of Things devices and the use of the global positioning system to synchronize grid operations are also vulnerabilities.

There have been no reported domestic outages, but industrial control systems have been hit overseas.

What is the process to defend against cyber attacks on utilities? That’s our next cyber security blog.