On December 30th, the Washington Post incorrectly reported that Russian hackers had penetrated the U.S. electric grid through a Vermont utility. While this story ended up being an error as malicious code was found in a computer which was not connected to the grid, it highlights the importance of protecting the U.S. electric grid from cyber-attacks. The federal government, some states and the private sector are implementing programs, especially ones that focus on information sharing, to keep the power grid safe from such threats.
Most industrial control systems used in the electric grid are connected to the Internet, making them vulnerable to a cyber-attack. U.S. officials have tracked efforts by China, Russia and other countries to implant malicious software inside computers used by U.S. utilities as far back as 2009. American officials believe that a cyber-campaign against the U.S. energy industry in 2014 resulted in the penetration of at least 17 companies’ systems, including four utilities, where hackers stole data and gained access to private networks. Such information and access could potentially allow them to remotely adjust equipment settings. Because the U.S. power grid is a large system with interconnected networks, taking down one or more utilities could easily destabilize large areas of the grid.
Ukraine is one example of a country that has had power interrupted as a result of a cyber-attack to its power grid. In December 2015, Ukraine’s electric grid was hacked by a third party and about 225,000 customers lost power. Since then, Ukraine has experienced 6,500 cyber hacks to state institutions in November and December 2016 alone. Ukraine has accused Russia of these cyber-attacks, but Moscow has denied involvement. Cyber threats to the electric grid are real. It is only a matter of time another country experiences a similar attack on its electric grid.
The U.S. federal government has implemented multiple programs to boost cybersecurity in critical sectors. The Cyber Security Advisor Program recognizes that a regional and national cyber security focus is necessary to protect critical infrastructure. This program assigns Department of Homeland Security (DHS) personnel to 10 regions to bolster cybersecurity preparedness, risk mitigation and incident response capabilities of critical infrastructure. The Cyber Resilience Review aims to measure key cybersecurity capabilities to provide indicators of an entity’s operational resilience and ability to manage cyber risk to critical services. This program includes a free voluntary assessment to evaluate and enhance cybersecurity within critical infrastructure sectors and state and local governments.
President Barack Obama issued Executive Order 13636 in February 2013 which established U.S. policy to enhance the security and resilience of the nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. The Executive Order called for a voluntary risk-based Cybersecurity Framework to provide a set of industry standards and best practices to help organizations manage cybersecurity risks.
Information sharing and analysis plays a critical role in cyber security. Enhanced Cybersecurity Services utilizes sensitive and classified cyber threat information to block malicious traffic from entering customer networks. The Cybersecurity Information Sharing and Collaboration Program allows the government and private sector to block certain cyber threats prior to damage occurring. The Automated Indicator Sharing (AIS) initiative is an effort to create a system that shares information about attempted compromises, such as malicious IP addresses or the sender address of a phishing email, detected by a federal agency in real time with partners.
One good example of enabling collective cyber defense through information sharing is the report on Russian malicious cyber activity, released by DHS and the Federal Bureau Investigation. This document includes cyber signatures including IP addresses, signatures and character combinations known as file hashes that allow governments and companies to review their log history, identify them and eliminate any compromises. This is the first time the federal government has gone to such lengths to attribute malicious cyber activity to specific actors in Russia.
Some states have created their own programs to protect the electric grid from cyber threats. The California Public Utilities Commission has funded a cyber information sharing program called California Energy Systems for the 21st Century (CES-21). CES-21 was launched in 2012 and aims to provide accurate and fast communication of cyber threats and the development of automated response capabilities to be executed prior to critical infrastructure damage. This initiative includes a team of technical experts from California's three largest public utilities and the Lawrence Livermore National Laboratory that will perform research in power grid cyber security. Other states including Idaho, North Dakota, Rhode Island, Virginia and Texas have established state-specific efforts to assess cybersecurity infrastructure, recommend ways to enhance the resiliency of government operations, and promote the growth of their cybersecurity industry and workforce.
The National Guard is taking a proactive role in defending critical infrastructure from cyber threats. Guard cyber units in California, Maryland, Wisconsin and Washington have established collaborative relationships with local utilities. In some cases, the Guard unit and the utility have even conducted joint exercises. The National Guard is uniquely positioned with authorities, responsibilities and capabilities to support the ongoing defense of the nation against such threats.
In addition to a large and growing industry of cybersecurity providers, the private sector is conducting research on how to protect critical infrastructure from cyber-attacks. The Defense Advanced Research Projects Agency has tasked Raytheon to develop technologies to protect the U.S. power grid infrastructure from cyber threats. The company will construct products to provide warnings of possible attacks and identify power grid data collection and communication issues. Raytheon will also review processes for emergency communication networks maintenance after a cyber-attack has occurred. Massachusetts Institute of Technology, Raytheon, Boeing, BAE Systems and other companies have also created a team to launch a cybersecurity initiative aimed at keeping digital information safe from cyber threats.
The recent scare of Russia penetrating the U.S. electric grid, while overblown, highlights the significance of keeping critical infrastructure safe from cyber threats. A successful cyber-attack on the U.S. electric grid is possible, as power interruption in Ukraine has demonstrated. Attempts have been made by China, Russia and other countries to infiltrate computers with software belonging to U.S. utilities and hackers conducted a cyber-campaign against the U.S. energy industry and gained access to private networks in 2014. While it is encouraging that the federal government, some states and the private sector are actively researching and implementing programs to protect the electric grid, they should be evaluated and tested so that eventually the best elements of each program could merge to provide multi-layered of security from cyber-attacks against the grid.
Constance Douris is Vice President of the Lexington Institute. Her current research interests include energy, ballistic-missile defense, nuclear strategy, European security, and the Greek financial crisis. You can follow her at @CVDouris and you can follow the Lexington Institute @LextNextDC.
Image: AAAndrey A via Wikimedia