Cybersecurity of the power grid: A growing challenge

 


Research into grid security is moving toward systematically analyzing the risks inherent in critical systems and methodically defending against each of them.

This article was first published on The Conversation.


Called the “largest interconnected machine,” the U.S. electricity grid is a complex digital and physical system crucial to life and commerce in this country. Today, it is made up of more than 7,000 power plants, 55,000 substations, 160,000 miles of high-voltage transmission lines and millions of miles of low-voltage distribution lines. This web of generators, substations and power lines is organized into three major interconnections, operated by 66 balancing authorities and 3,000 different utilities. That’s a lot of power and many possible vulnerabilities.

The grid has been vulnerable physically for decades. Today, we are just beginning to understand the seriousness of an emerging threat to the grid’s cybersecurity. As the grid has become more dependent on computers and data sharing, it has become more responsive to changes in power demand and better at integrating new sources of energy. But its computerized control could be abused by attackers who get into the systems.

Until 2015, the threat was hypothetical. But now we know cyberattacks can penetrate electricity grid control networks, shutting down power to large numbers of people. It happened in Ukraine in 2015 and again in 2016, and it could happen here in the U.S., too.

As researchers of grid security, we know the grid has long been designed to withstand random problems, such as equipment failures and trees falling on lines, as well as naturally occurring extreme events including storms and hurricanes. But as a new document from the National Institute of Standards and Technology suggests, we are just beginning to determine how best to protect it against cyberattacks.

Understanding the Ukraine attacks

On Dec. 23, 2015, a cyberattack penetrated electricity distribution control centers in Ukraine using software vulnerabilities, stolen credentials and sophisticated malware. The attackers were able to open dozens of circuit breakers and shut off power to more than 200,000 customers for several hours.

A year later, the country’s electricity transmission facilities were attacked. That attack also cut off electricity service, though to a much smaller geographic area, and for only about an hour. In both cases, it is widely reported that hackers aligned with the Russian government were responsible.

How can we prevent this sort of attack in the U.S.?

Protecting the American electricity grid from cyberattacks is challenging not just because it is made up of so many physical and computerized elements connecting nearly every building in the country. It’s difficult because the grid has to continue to operate in real time, making adjustments to ensure the right amount of electricity gets where it needs to go at every moment.

And it’s especially hard because the electricity industry is used to a slower pace of technological advance: While computer technologies like smartphones and servers are updated every two to three years, grid infrastructure typically must operate for over a decade.

Over time, though, older traditional electricity meters have given way to digital smart meters. Similarly, power substations that are crucial for converting electricity from high-voltage transmission lines to lower voltage for household use are increasingly controlled via internet-enabled networks and software.

Security standards can help ensure utility companies keep their protection strong. The North American Electric Reliability Corporation, which oversees the grid in the U.S. and Canada, has rules, known as Critical Infrastructure Protection (CIP) compliance, for how electric companies must protect the power grid both physically and electronically. This includes monitoring the grid for attacks, as well as requiring safeguards such as multifactor user authentication to keep unauthorized intruders from accessing control networks.

NERC also hosts regular tabletop simulation exercises, where electricity companies can practice defending against major attacks. The U.S. National Institute of Standards and Technology has its own recommendations, though they are not mandatory for utilities. A draft version of a new set of guidelines was just released, adding both urgency and detail for utility companies.

These standards, guidelines and exercises have significantly improved the security of the larger elements of the power system, such as power plants and high-voltage transmission networks. But they have done little to protect the low-voltage distribution networks that supply power directly to our homes and workplaces. Attacks on these low-voltage parts of the overall system cover less territory than intrusions at higher levels, but they can still cause large-scale power outages, like in Ukraine in 2015.

Defending the edges of the distribution system is much more complicated than protecting its center. Not only are there many more physical locations to safeguard, but there are also many more companies involved in operating them. Municipal governments and utility cooperatives, for example, are significant distributors of electricity, and yet have limited security requirements. In addition, they may not have the money or expertise to protect their systems against cyberattacks.

Joining forces

The grid depends on a number of key control systems and algorithms, each of which presents its own unique vulnerabilities. The growing scale of this problem requires techniques to manage and reduce the number of vulnerable points the grid has.

Research into grid security is moving away from investigating ways to better handle equipment failures and natural disasters and toward creating a well-defended power grid for the future. One approach could be to add more redundancy -- additional equipment that can fill in when an attack takes out a power plant or a transmission line. That is very expensive, though.

The other approach involves systematically analyzing the risks inherent in critical systems and methodically defending against each of them. Key elements of this approach involve developing techniques that can prevent attacks, detect and respond to them when they happen, and allow us to investigate what happened after an attack has ended. That will help us to improve protection for the future.

This approach will require the industry to ensure each new device it connects to the grid is protected, no matter how small or how big. We’ll also have to develop new systems that can detect anomalous grid communications and create more secure network architectures for critical grid control systems.

In addition, regulators will need to keep updating the rules governing the industry to raise minimum security standards over time. Schools and universities will need to teach people to be not only electricity experts but cybersecurity defenders. Our ability to flip a switch and turn on the lights depends on it.
