Throughout 2018, news trickled out of the White House about the involvement of China and Russia in any number of schemes, campaigns, and infiltrations into American life—influencing elections, critical infrastructure, and social media alike. One such attempt—which appears to have been successful—was the Russian infiltration of the electric grid.
A joint report from the FBI and U.S. Department of Homeland Security (DHS) described Russia’s use of compromised third-party vendors to gain access to power companies’ systems in 2016. Once inside, the hackers modified code in the systems to record information about power grid operations. The operatives wrapped up their scouting mission by carefully covering their tracks, leaving questions as to whether malware remains on affected computer systems. The intrusion also raises concerns about what exactly the Russians were trying to accomplish—the official report is vague about what impacts, if any, the attack has had on the electric grid, or what might come next. However, DHS officials have acknowledged that the hackers reached the point where they could have taken control of operations if they had wanted to.
The FBI/DHS report recommends following common cybersecurity best practices, such as finding and eliminating malware, managing administrator accounts, and adopting better password practices. The reality, though, is that protecting America’s 5.5 million miles of electric grid from both cyberattacks like the one Russia carried out and physical threats such as natural disasters and malicious attacks is an immense challenge.
In the wake of the Russian grid hack, the U.S. Department of Energy (DOE) has pledged to get more utilities to participate in its Cybersecurity Risk Information Sharing Program (CRISP). The program uses monitoring devices to comb through operational data and detect cyberattacks—that’s how the Russian infiltration was discovered.
Some experts believe a wider-scale look at how power companies conduct security—as well as the guidance, vendors, and equipment used to do so—is necessary to prepare for high-impact, low-frequency events on the power grid.
Mark Weatherford, senior vice president and chief cybersecurity strategist at vArmour, posed questions to Ross Johnson, CPP, senior manager of security and contingency planning at Capital Power Corporation, and Ryan Frillman, director of information security and compliance at Spire Energy, during a session at GSX 2018.
“High-intensity, low-frequency events don't happen often, but when they do, they can kill you or your organization,” Johnson noted. “If it’s a once-in-20-years event, people say that they have 19 more years before they have to worry. It’s extremely difficult to convince people. We end up creating fictional scenarios to try to solve the problem—ones that we don’t even believe ourselves.”
While there is plenty of government guidance on best practices, Frillman pointed out that the industry needs to figure out how to balance compliance and heavy regulation—an issue with the North American Electric Reliability Corporation (NERC), where noncompliance with its mandatory reliability standards can result in hefty fines.
“On the issue of innovation, it’s a great world out there—things are moving forward at very great speed, but the problem in the electric sector is that we’re creating barriers that make it difficult for us to succeed,” Frillman explained. “Never get in your own way, and I think in that area we are.”
But innovation comes with potential vulnerabilities. Johnson noted that his organization is moving away from a preferred vendor system—which can stifle the adoption of new technology—and towards using a vendor vetting process to identify trustworthy organizations. Supply chain risk management assessments are key to adopting new vendors and technologies, he said.
“What I’d like to come up with are community prequalifying vendors,” Johnson said. “We use standards which are terrific, but the problem is it tends to keep us stuck with using old technology, and it’s difficult to get into new technology because there’s great comfort in the way we used to do things—and the security of that.”
Weatherford agreed, noting that NERC’s Critical Infrastructure Protection standard can be behind the times when it comes to technology like supervisory control and data acquisition (SCADA), which could allow critical infrastructure systems to operate in a more secure and efficient way.
“I’ve been trying to convince NERC that the current standards drafting process simply doesn’t work in an innovative environment,” Weatherford noted. “Being able to take advantage of the cloud and newer technology—most utilities are rightly very apprehensive about doing something from a technology perspective that could get them with those million-dollar-a-day fines.”
A new report published by Johns Hopkins University Applied Physics Laboratory, Resilience for Grid Security Emergencies: Opportunities for Industry-Government Collaboration, agrees with Weatherford’s premise—NERC compliance alone may not be enough to keep the industry truly prepared for an attack. The report, which advocates for the DOE and industry to jointly outline a series of emergency operations in the case of a power grid attack, notes that DOE needs to take a role in emergency response.
“Grid owners and operators are also spring-loaded to employ emergency measures the moment they are needed,” the report notes. “Indeed, the [NERC] can fine most major U.S. power companies if they fail to implement emergency actions to protect grid reliability. This robust industry preparedness begs the question: what added value can DOE emergency orders provide?”
Currently, the secretary of the DOE has the ability to issue emergency orders to the power industry during an imminent or underway attack in order to protect and restore grid reliability. However, the scope of what the secretary might require companies to do is unknown, and the report notes that companies and the government should draft basic orders based on three attack scenarios.
“Such operations might include staffing up emergency operations centers, prepositioning recovery personnel and supplies, increasing available generation to help manage grid instabilities, and taking other precautionary measures,” the report states.
The Hopkins report notes that attacks that damage large numbers of difficult-to-replace grid components could disrupt power to some regions for weeks or months. Additionally, the public declaration of a grid security emergency will spark a media frenzy—allowing attackers to further sow discord.
“Against a backdrop of fear and uncertainty, adversaries may use social media and other means to spread further disinformation and incite public panic as part of their attacks,” the report states. Adversaries may also disrupt communications systems that industry and the DOE would use to coordinate. “Industry and government partners should build on their existing array of coordination mechanisms and communications playbooks to prepare for grid security emergencies.”
And once companies enter the recovery phase to restore power, they should prepare to shift back into the imminent security phase, the report notes. Indeed, cooperation with government and between industry partners is imperative to prevent and respond to an attack on the power grid.
“We work for our companies, but they’re secondary,” Johnson said at the GSX panel. “We really work for the bulk electric system. We keep the lights on. We can’t sell power unless there’s a bulk system to sell it into, and our first responsibility as security professionals is to the larger industry.”