In the 10 years since sagging power lines in Ohio sparked a blackout across much of the Northeastern United States and Canada, utility engineers say they have implemented measures to prevent another such event in the country’s electric grid.
But there is one disaster scenario for which the power companies are still unprepared: a massive attack on the computer networks that underlie the U.S. electric grid.
Energy industry leaders believe a cyberthreat could produce a blackout even bigger than the August 2003 outage, which left an estimated 50 million people in the dark.
“We have to treat the cyberthreat with the same respect that we give to forces of nature, [such as] hurricanes, floods, ice, storms,” said Chris Peters, vice president for critical infrastructure at Entergy, a company that operates nuclear power plants. “We have to fund it, we have to staff it and we have to be ready to respond as necessary.”
Peters was among several power executives who gathered in Washington recently to discuss the need to better protect the electric grid against cyberattacks. Their consensus judgment was that such attacks are probably inevitable.
“At some point in time, somebody is coming at me,” said Scott Saunders, information security officer for the Municipal Utility District in Sacramento, Calif. “It’s going to happen.”
The New Grid
The concern that computer hackers could shut down the electric grid stems from technological changes in the power industry. Much of the equipment used in the grid, from the generators to the transformers, is now operated by computers. By disrupting computer network operations, hackers could shut down a key part of the grid.
They would still need access to the computers, but this obstacle could be overcome because many of those computers are now connected to the Internet.
“Now we can remotely manage devices via the Internet,” notes Mark Weatherford, until recently a top cyberspecialist at the Department of Homeland Security. “So instead of putting someone in a truck and having them drive a hundred miles to a substation in the middle of the mountains somewhere, you remotely manage that.”
Weatherford, now consulting on cyber issues at the Chertoff Group, says power companies saw that managing grid operations via the Internet brought efficiencies and cut costs, so they jumped at the chance. Perhaps a bit recklessly.
“To no one’s fault at the time — we didn’t realize it — [we] didn’t think about the security and the insecurity [of Internet connections],” Weatherford said. When a computer is connected to the Internet, a skilled hacker can often find a way to break into it.
This is the new disaster scenario for power companies. Security experts in the industry are aware of the challenge and moving quickly to meet it, but the threats to their networks may be evolving even faster.
“Computers are tricky,” says Michael Assante, chief executive of the National Board of Information Security Examiners and one of the country’s top experts on the cyberthreat to the grid. “They just continue to become more complex, and the importance to how we operate the system continues to increase.”
The 2003 blackout was not caused by a cyberattack, but even then computers were part of the system, and Assante says one reason the blackout spread far and wide was that many operators didn’t understand their own computer connections.
“How do we teach power engineers and operators what they need to know about cyber and in particular about cybersecurity?” Assante asks. “These are tough questions. If you go to engineering school, you’re not taught about cybersecurity as part of becoming a power engineer.”
Hurdles To A Solution
The concern now is that a really sophisticated cyberattack could cause a blackout bigger than anything yet seen in North America. Congress has considered various bills that would require power companies to beef up their protection against cyberattack and impose mandatory security standards.
A survey of electric utilities earlier this year, directed by Reps. Edward Markey (now a U.S. senator) and Henry Waxman, found that most of the companies had failed to implement voluntary cybersecurity standards recommended by the North American Electric Reliability Corp., an industry organization.
Attempts to legislate mandatory cybersecurity standards have been rebuffed, however, in part because the power industry opposed them.
“Our companies are in the business of selling electricity. They are fully motivated to do what they need to do to protect their systems against cyberattack and other problems,” says James Fama, vice president for energy delivery at the Edison Electric Institute, which represents power companies. “We don’t need to be penalized in order to be motivated to provide continuity of service. That’s the business we’re in.”
But computer hackers are becoming more sophisticated, and they increasingly see the power grid as a target. Redesigning the grid to make it less vulnerable to cyberattacks will be expensive. Some companies might calculate that the necessary investments to guarantee grid security might not be justified, given their assumptions that a major attack is still unlikely.
“It’s really hard to make the business case for this,” said former CIA Director Michael Hayden, speaking at the recent Washington conference on grid security, organized by the Bipartisan Policy Center.
Curt Hebert, the former chairman of the Federal Energy Regulatory Commission, asked power executives at the conference whether their industry was prepared to make the big investments necessary to secure the grid against a big cyberattack.
“When it comes to cost cutting,” Hebert suggested, “this may be one of the areas, quite frankly, that gets the knife.”
Consumers, after all, would eventually be stuck with the bill, paying for those investments through higher rates and being told it was necessary to secure the power grid against a threat they had not actually experienced. Yet.