How To Protect the Connected Energy Grid
New digital tools are transforming the energy sector, connecting everything from household appliances to electric vehicles to smart sensors, and improving the efficiency of infrastructure from transmission lines to power plants to pipelines. These technologies promise smarter, cleaner, and cheaper energy. Unfortunately, they also leave the U.S. increasingly vulnerable to cyberattacks.
A March 2017 MIT report found that both electricity and oil-and-gas industry leaders “believed that unduly complex, and insufficiently secure, hardware, software, and industrial controls were a significant source of cyber vulnerabilities.” A 2017 survey of utility professionals ranked physical and cybersecurity threats to the grid as the top concern for their companies (up from sixth place in the 2015 and 2016 surveys).
The FBI and Department of Homeland Security, in a highly unusual March 2018 report, publicly called out Russia for hacking the American energy grid and gaining access to critical controls that enabled them to cut off power.
In an unprecedented intrusion, security firm Symantec found hackers last year successfully gained access to the networks of more than 20 energy companies, and gained “operational control”—giving them the ability to actually cut off the power—at a handful of U.S. power firms.
Also last year, hackers compromised companies that manage U.S. nuclear power facilities, and North Korea allegedly perpetrated a spear-phishing email attack against U.S. electricity companies.
The attacks on energy infrastructure go beyond just the power grid. In April of this year, a cyberattack compromised the data systems of four of the nation’s natural-gas pipeline operations.
While the damage so far has been minimal, one need only look abroad to see the risks. In 2015, Russian attackers cut power to 225,000 people in Ukraine. The Ukrainian grid was hit again in 2016, shutting down 20% of all power.
The U.S. energy system is highly complex and diffuse. The electricity grid has a vast number of power plants, transmission lines, substations, transformers and distribution lines that bring electricity to homes and businesses. It offers myriad points of attack, from internet-connected sensors to an unsuspecting operator clicking on the wrong attachment.
Although the diffuse network makes it hard to take down the whole system by targeting a single piece of it, one insurance firm still developed a plausible scenario for an attack on the eastern half of the U.S. that could leave 93 million people without power.
The impacts would be severe. Electricity is needed to produce food and purify water, run the financial and telecommunications systems, and operate transportation, energy, hospitals and emergency services. The 2003 Northeast Blackout left 50 million people without power for four days and caused economic losses between $4 billion and $10 billion. Lloyd’s of London found an attack on the U.S. grid could cost up to $1 trillion.
Most U.S. energy infrastructure is owned by the private sector, which bears responsibility for investing to protect it from attack. Federal and state governments must also do more to work with energy firms to harden critical infrastructure, and be prepared to respond when attacks happen.