Electrical grids aren't really synonymous with the technological cutting edge. Delivery of electricity itself is of course old technology, having been initially developed in the 19th century and then rolled out en masse to homes and other buildings in the decades after that. Historically, the biggest threats to municipal power infrastructure have been mechanical failures and adverse weather conditions, which have both triggered plenty of outages.
The evolution of electrical grid issues: How the grid became a software problem
The 2003 blackout across much of the Northeastern United States and parts of Canada is a good example of both the traditional causes of grid failure and what the future could hold for electricity suppliers and their customers. The incident disrupted service for nearly 50 million individuals in the region in August of that year after the summer heat caused power lines to sag and get tangled up in some unpruned trees.
Normally, this type of event wouldn't be much cause for concern. Utility companies have automated computer systems in place that can offload the demand on those distressed lines to others under less pressure. However, the mechanism for doing so at one grid coordinator had not received a necessary software update at the time. Its failure to deal with the foliage incident then cascaded into a widespread outage.
Here we can spot the usual suspects in grid-related problems – i.e., nearby trees and strained infrastructure – as well as the large-scale problems that can be triggered by software bugs. Cyber security wasn't always a hot topic in relation to basic utilities such as electricity, but ever since the 2003 outage and the ensuing rise of the Internet of Things along with ubiquitous wireless connectivity, the grid's vulnerability to software-related threats such as cyber attacks has become much more apparent.
Would-be attackers not only have a vulnerable target in the form of an aging electrical grid that serves virtually; they also have potent tools like advanced malware that could compromise electrical generators and other critical infrastructure. It's a problematic culmination of incentives, capabilities and modern technologies, and one that everyone from insurers to government agencies are now waking up to.
"Cyber attacks are often treated as a problem of technology, but they originate with human actors who employ imagination and surprise to defeat the security in place," Tom Bolt, director of performance management at Lloyd's of London, stated in a report that his company prepared in conjunction with the University of Cambridge Centre For Risk Studies. "The evidence of major attacks during 2014 suggests that attackers were often able to exploit vulnerabilities faster than defenders could remedy them. In order to achieve accurate assessment of risks, insurers need insight into the evolution of tactics and motives across the full spectrum of threats."
What would a cyber attack against the electrical grid look like?
The report from Lloyds also estimated that a successful cyber attack against the U.S. electrical grid on the Eastern Seaboard could plunge 15 states and the District of Columbia into darkness, with a price tag of nearly $1 trillion and insurance claims of more than $71 billion. That's a steep sum, and one that is made all the more troubling by the mismatch of the massive scale of the grid and the seemingly easy means by which someone could jeopardize its integrity.
On an October 2015 episode of the PBS NewsHour, Ted Koppel explained that someone "sufficiently skilled in cyber-warfare, using an individual laptop," could potentially cause great damage to the power grid. The 2003 outage certainly demonstrated that even a simple benign oversight can deprive millions of people of power – a malicious attack could be much worse.
Ironically, the complexity of the emerging "smart grid" – the term used for describing electrical distribution and metering systems that incorporate networked technologies for superior operational efficiency – is what could make it so vulnerable to the types of simple attacks that Koppel fretted about on the show. The 2015 document "Report on Cybersecurity and Critical Infrastructure in the Americas" from Trend Micro and the Organization of American States highlighted how the electrical grid was being transformed into something that was more intricate than ever, yet also susceptible to the types of cyber attacks already carried out against computers and network infrastructure.
"Each distributed energy resource will become a potential entry point for a cyber attack," explained Steven Low, professor of computer science and electrical engineering at the California Institute of Technology, in the Trend Micro/OAS report. "The cyber network that controls and optimizes the physical network will also greatly amplify the scale, speed and complexity of an attack."
It's the same sort of danger that now confronts any previously "dumb" device that has been made "smart" with the addition of network connectivity. From home thermostats to dolls (indeed, one Wi-Fi-enabled Barbie has been cited for its potential to become an Orwellian telescreen device for government surveillance), adding Internet access to everyday devices bring risks as well as rewards. The future power grid described by Low in his contribution to the Trend Micro/OAS report would be one with advanced technologies such as power flow optimization and constant load-side frequency control, but also a central need to be hardened against malware and cyber attacks.
Preparing the electrical grid for a challenging future
The threat of an attack against the grid has been flagged by cyber security experts for years. However, governments have been slow and tentative to act, as Koppel and Gwen Ifill noted in the aforementioned edition of NewsHour.
The U.S. Congress has not given grid security much attention recently. Funding for some energy and water development initiatives passed the House of Representatives in fall 2015, but, considering the stakes, it looks like the federal government will need to go beyond these relatively modest bumps in spending and instead invest more proactively in grid protection.
Fortunately, the issue has made its way across party lines and is now a growing topic of concern for members of Congress as well as presidential candidates. The House bill, which passed with 249 votes (most of them Republican), includes provisions requiring the U.S. Department of Energy to incorporate cyber-secure products and services into its systems. Democratic candidate Hillary Clinton has also pushed for renewed focus on cyber security across the electrical grid. Both of these efforts come in the context of uncertainty about how bodies like DOE are approaching cyber security, according to The Hill.
But the divided nature of the federal government at present could complicate the passage of any legislation in this realm, much of which contains riders that the parties cannot all agree to. Accordingly, progress may have to be made on other fronts. Grid operators will have to create realistic road maps for upgrading their infrastructures and implementing sufficient security software to guard against attacks of all kinds.
The scale of the electrical complicates this task, but it is hardly impossible with a feasible plan, sufficient staff training and advanced network security tools for detecting and mitigating potential threats to critical infrastructure. Find out more about securing your critical infrastructure with Trend Micro Deep Security.