Danger! Virus Discovered That Targets America's Electrical Grid

Two security firms, ESET and Dragos, released reports about the discovery of a virus that aims to damage equipment on any nation’s electric grid. The virus is called Industroyer, also known as “Crash Override,” and targets computers that control electrical substations and circuit breakers.

After electric power is generated, it flows through multiple substations to be delivered to customers. A circuit breaker is an automatically operated switch that protects an electrical circuit from damage caused by excess current from an overload or short circuit. Hence, a virus that aims for substations and circuit breakers could turn off power, create rolling blackouts or physically damage equipment on the grid.

According to the Chief Operations Officer at AppGuard, Mike Fumai, substations and circuit breakers are made of old technology that is hard to strengthen against cyber-attacks. In addition, substations and circuit breakers are largely standardized across the world. In short, this virus is a potential threat to all substations and circuit breakers in any country.

Industroyer includes multiple phases of attack. First, it penetrates an energy company’s networks. If the virus is not detected, it then begins to infect computers within the network. As it creates damage, the virus produces backdoors for itself. If one of the virus’s entry points is found, it is still able to continue causing harm without being traced. In the event Industroyer is detected, it is even able to delete all traces of evidence left behind.

According to a report from Lloyd's of London, a cyber-attack on the U.S. grid could result in a total economic loss ranging from $243 billion to $1 trillion. This is because such an attack could mean a collapse in commerce, disruption to water supplies and transportation chaos. Thus, it is not surprising that cybersecurity is one of the most important issues utilities face today.

President Trump recently signed an executive order to protect the nation from cyber threats. Secretary of Energy Rick Perry and Secretary of Homeland Security John Kelly will work with state and local governments to assess gaps in power grid cybersecurity and the potential impacts of a prolonged power outage as the result of an attack. This assessment will be delivered to the president within 90 days.

While the executive order is a good start, more action to protect the grid from cyber threats needs to take place. To improve the grid’s resilience, industry leaders, regulators and legislators must work together to determine solutions and suitable funding mechanisms to pay for solutions, according to Suedeen Kelly, former commissioner with the Federal Energy Regulatory Commission.

Protecting all parts of the grid from cyber threats is expensive and complicated. So while utilities are concerned about cyber threats on the distribution system, they are not equipped to do much. According to Eric Rosenbach, former chief of staff to former Defense Secretary Ashton B. Carter, mandatory cybersecurity standards need to be legislated to spur utilities to take action and ensure citizens’ access to electricity is secure.

Some states have pursued efforts to protect against cyber threats. For instance, utilities in New Jersey are required to develop programs and procedures to identify and mitigate cyber risks, report incidents and suspicious activity, create incident response and recovery plans and provide training programs. In Pennsylvania, utilities are required to maintain physical and cybersecurity, emergency response, and business continuity plans, and report cyber and physical attacks that cause more than $50,000 in damages. In Texas, an independent meter data-management organization specifies cybersecurity standards and the public utilities commission conducts annual security audits. Perhaps these actions could be adopted by more states to protect the grid from cyber threats.

The assessment that will be delivered to the president as a result of the executive order will find that cybersecurity standards exist for the bulk power system of the grid. The bulk power system includes facilities and control systems necessary for operating an interconnected grid and electric energy from generation facilities. However, such criteria are lacking for the distribution system, the final stage in the delivery of electricity to customers.

Without cybersecurity standards for the distribution system, the bulk power system of the grid is at risk. This is because the distribution system delivers electricity to pipelines, water systems, telecommunications and other critical infrastructure, including important government and military facilities. If a successful cyber-attack on the distribution system disrupts electricity at such facilities, devastating economic and security consequences would result.