The cyber risk to the electrical power grid

In the infamous 2007 Aurora Test, the U.S. Department of Homeland Security simulated a remote computer attack on electric grid infrastructure. In the video of the test, a generator the size of a minibus shakes and sputters. Tiny pieces begin flying off. Then thick black smoke pours out the top and sides, engulfing the entire machine.

This was a watershed moment for the electric grid: The test showed that it’s possible to destroy physical infrastructure with a cyber attack.

Cybersecurity experts like to divide the world into two categories: Those who have been hacked, and those who have been hacked but don’t yet know it. Electric utilities are being hacked.

The Department of Homeland Security’s cyber response team reported 79 cyber incidents in the energy sector in 2014 and 145 in 2013, an average of one every three days. As our grid gets digitized — with technologies like smart meters and automated controls that run power plants and substations — it becomes more and more vulnerable to computer attacks by anyone from activist groups such as Anonymous to nation-states like China and Russia.

But the utility industry maintains that hackers have not taken out power in this country.

“There has never been a cyber attack that has had an impact on the reliability of the grid,” said Scott Aaronson of the Edison Electric Institute, a utility industry interest group. “It has not resulted in a power outage.”

Aaronson’s statement isn’t simply an industry dodge. Cybersecurity experts can point to examples where hackers have infiltrated grid software or launched ransom attacks on utility companies, but never to the extent of actually creating power disruption. At a recent hearing before Congress, Granger Morgan, an electrical engineering professor at Carnegie Mellon University, said of cyber attacks, “There haven’t actually been any successful ones that I’ve been aware of.”


So how big of a threat do cyber attacks pose to the electric grid?

Understanding the risks hackers pose to the grid is challenging because of the utility industry’s culture of secrecy, although Aaronson says that’s changing. Still, investor-owned utilities face a Catch-22: If they mention potential cyber threats, they risk scaring their shareholders and driving prices down; if they mention how secure they are, they risk daring potential attackers to prove them wrong.

But investor-owned utilities have a smaller cousin in the electric utility world: Rural electric cooperatives.

The 900 rural co-ops spread across the country are nonprofits; they have members, not stockholders. They serve only about 12 percent of the population, but cover three-quarters of U.S. land area. Even though they are rural, they still provide electricity to critical services like hospitals, dams, factories and mines. They have smaller staffs and budgets to deal with cyber attacks than their investor-owned counterparts, which actually makes them more willing to talk about the problem. They have to. Sharing information and resources is the only way they can survive.

Maurice Martin, a former strategist for the National Rural Electric Cooperative Association, pointed out, “The average time between when a cyber infection happens and the time it is detected is 205 days.” That gives hackers plenty of time to cause trouble.

They could steal customer information — things like credit card numbers and addresses — just like they have from Target or Home Depot. Or hackers could potentially shut off power, damage infrastructure or injure workers, “if a line were to be energized at a time when a repairman was on it,” said Martin.

