28 March 2018

US power grid needs defense against looming cyber attacks


A recent poll showed that more than 90 percent of Americans believe the government is not doing enough to protect the electric grid from cybersecurity attacks. Their fears appear to be justified. This month, the U.S. government revealed its concerns about Russian incursions into the operating systems of domestic electric power plants and noted that the efforts to disrupt date back to 2013. These attacks have the capability to bring down all or part of our electricity service.

Such large-scale grid cyberattacks were foreseen. The Departments of Energy and Homeland Security identified the grid’s vulnerability to cyberattacks some time ago and called for new protective measures in the DOE-led January 2017 Quadrennial Energy Review. The study, which analyzed the entire U.S. electricity system, noted that that the key critical infrastructures underpinning the nation’s economy and national security — transportation, water, finance, natural gas, oil, communications/IT — depend upon a reliable electricity “uber-network.”

A 2012 report by the National Research Council concluded that a cyberattack could black out a large region of the nation for weeks or even months. Public health and safety would be in jeopardy from an extended, widespread power outage, resulting in loss of life support systems in hospitals, nursing homes, and households, disruption of clean water supplies and sanitation, and a massive breakdown of the transportation system.

The economic disruptions from an extended blackout would also be enormous. A 2015 Lloyds of London study found that a cyberattack on 50 generators in the Northeast could leave 93 million people without power and cost the economy over $234 billion.

We’ve already seen previews of a successful cyberattack on the grid stemming from operational failures and extreme weather. The 2003 Northeast blackout left 50 million people without power for four days, causing economic losses between $4 billion and $10 billion. In Puerto Rico, 400,000 people are still without power six months after Hurricane Maria, with staggering impacts on the commonwealth’s economy and well-being. 

Russia, Iran, North Korea and others have large-scale, offensive cyberattack programs.

The CIA has concluded with “high confidence” that Russian military attackers crippled computers in Ukraine’s financial system last year. This followed 2015 and 2016 cyberattacks that disabled part of Ukraine’s electric grid. Global security analysts say Russia is using Ukraine as a cyberwar testing ground. The U.S. also appears to be in their crosshairs as the overall U.S.-Russia relationship hits new lows, evidenced most dramatically by their interference in our 2016 elections.

According to DHS and the FBI, Russia appears to be laying a foundation for a large scale cyberattack on U.S. infrastructure. The Dragonfly 2.0 hackers, identified by DHS as Russian government cyber actors, pursued a prolonged cyberattack (since 2015) on a U.S. power plant and computer networks controlling the grid.

Industry and government have been trying to address cyber vulnerabilities.

In 2015, Congress expanded DOE’s authority to take immediate measures in response to cyberattacks on the grid in the FAST Act. Congress has also proposed additional legislation to address grid-related cyber-defense deficiencies with resilience measures for electricity infrastructure. These bills — introduced but not passed — focus on state assistance, authority to address cybersecurity gaps for other energy infrastructures, and identification of cybersecure products for the grid. Energy Secretary Rick Perry should also be commended for setting up a new cybersecurity office at DOE.

These actions are important but not enough.

It is time for a comprehensive examination of how we anticipate, recover, and deter cyberattacks. We need to fund development and deployment of advanced designs and technologies to protect our grid and to provide states the tools they need to contribute to the defense of the nation’s electricity system. We need to incorporate mandatory reliability and resilience measures into every aspect of our electricity system and the internet. We must also address state-sponsored cyberattacks at the legal, regulatory, operational and diplomatic levels, including the development of international protocols. 

But the hardest part may be modernizing our jurisdictional system to ensure seamless federal authority to prepare for and respond to cyberattacks. The DOE study concluded that the electricity system is a national security asset. National security is inherently a federal responsibility and cybersecurity attacks do not respect jurisdictional boundaries. It is time to adopt a regulatory system that meets 21st century realities. Our economy and national security depend on it

Melanie Kenderdine is the former director of the Office of Energy Policy and Systems Analysis at the U.S. Department of Energy and is a principal at the Energy Futures Initiative

No comments: