Two security firms, ESET and Dragos, released reports about the discovery of a virus that aims to damage equipment on any nation’s electric grid. The virus is called Industroyer, also known as “Crash Override,” and targets computers that control electrical substations and circuit breakers.
After electric power is generated, it flows through multiple substations to be delivered to customers. A circuit breaker is an automatically operated switch that protects an electrical circuit from damage caused by excess current from an overload or short circuit. Hence, a virus that aims for substations and circuit breakers could turn off power, create rolling blackouts or physically damage equipment on the grid.
According to the Chief Operations Officer at AppGuard, Mike Fumai, substations and circuit breakers are made of old technology that is hard to strengthen against cyber-attacks. In addition, substations and circuit breakers are largely standardized across the world. In short, this virus is a potential threat to all substations and circuit breakers in any county.
Industroyer includes multiple phases of attack. First, it penetrates an energy company’s networks. If the virus is not detected, it then begins to infect computers within the network. As it creates damage, the virus produces backdoors for itself. If one of the virus’ entrances is found it is still able to continue causing harm without being followed. In the event Industroyer is detected, it is even able to delete all traces of evidence left behind.
According to a report from Lloyd's of London, a cyber-attack on the U.S. grid could result in a total economic loss ranging from $243 billion to $1 trillion. This is because such an attack could mean a collapse in commerce, disruption to water supplies and transportation chaos. Thus, it is not surprising that cybersecurity is one of the most important issues utilities face today.
President Trump recently signed an executive order to protect the nation from cyber threats. Secretary of Energy Rick Perry and Secretary of Homeland Security John Kelly will work with state and local governments to assess gaps in power grid cybersecurity and the potential impacts of a prolonged power outage as the result of an attack. This assessment will be delivered to the president within 90 days.
While the executive order is a good start, more action to protect the grid from cyber threats needs to take place. To improve the grid’s resilience, industry leaders, regulators and legislators must work together to determine solutions and suitable funding mechanisms to pay for solutions, according to Suedeen Kelly, former commissioner with the Federal Energy Regulatory Commission.
Protecting all parts of the grid from cyber threats is expensive and complicated. So while utilities are concerned about cyber threats on the distribution system, they are not equipped to do much. According to Eric Rosenbach, former chief of staff to former Defense Secretary Ashton B. Carter, mandatory cybersecurity standards need to be legislated to spur utilities to take action and ensure citizens’ access to electricity is secure.
Some states have pursued efforts to protect against cyber threats. For instance, utilities in New Jersey are required to develop programs and procedures to identify and mitigate cyber risks, report incidents and suspicious activity, create incident response and recovery plans and provide training programs. In Pennsylvania, utilities are required to maintain physical and cybersecurity, emergency response, and business continuity plans, and report cyber and physical attacks that cause more than $50,000 in damages. In Texas, an independent meter data-management organization specifies cybersecurity standards and the public utilities commission conducts annual security audits. Perhaps these actions could be adopted by more states to protect the grid from cyber threats.
The assessment that will be delivered to the president as a result of the executive order will find that cybersecurity standards exist for the bulk power system of the grid. The bulk power system includes facilities and control systems necessary for operating an interconnected grid and electric energy from generation facilities. However, such criteria are lacking for the distribution system, the final stage in the delivery of electricity to customers.
Without cybersecurity standards for the distribution system, the bulk power system of the grid is at risk. This is because the distribution system delivers electricity to pipelines, water systems, telecommunications and other critical infrastructure, including important government and military facilities. If a successful cyber-attack to the distribution system disrupts electricity at such facilities, devastating economic and security consequences would result.
According to Patricia Hoffman, former assistant secretary for the Department of Energy’s Office of Electricity Delivery and Energy Reliability, cybersecurity is one of the most serious challenges the grid faces. Hoffman believes cutting edge technologies are essential to help the energy sector adapt to the evolving landscape. Thus, it is not surprising that research firm Zpryme estimates that U.S. utilities will spend $7.25 billion on grid cybersecurity by 2020.
Some providers of smart grid cybersecurity include Siemens, VeriSign, Raytheon, Sierra Nevada, ViaSat Inc., Leidos, IOActive Inc., Kingfisher, BAE Systems and IBM. In addition, the National Institute of Standards and Technology recently released a report that identified commercially available products that increase situational awareness on the grid. Some of the products include Siemens’ Ruggedcom Crossbow, Dragos’ Security CyberLens, Cisco’s 2950 (Aggregator), and Schneider Electric’s Tofino. These solutions can be integrated with existing infrastructure and merge data within a utility’s network to increase awareness of what is happening and how it may affect the delivery of electricity.
Since December 2015, when power was interrupted in Ukraine as a result of a cyber-attack, the threat of such an incident elsewhere in the world is no longer hypothetical. Government leaders and regulators need to implement requirements to motivate utilities and all operators of the grid to protect it from cyber threats. Industry leaders, regulators and legislators need to work together to determine solutions and funding mechanisms to pay for solutions. The National Institute of Standards and Technology’s recent report provides an excellent guide as to which commercial products can be adopted now to protect electricity availability from cyber threats.
Constance Douris is Vice President of the Lexington Institute. Her current research interests include energy, the electric grid, ballistic-missile defense, nuclear strategy, European security, and the Greek financial crisis. You can follow Constance at @CVDouris and the Lexington Institute @LextNextDC.
Image: U.S. Air Forcehttps://www.flickr.com/photos/usairforce/11594120903/sizes/k/