The American people and critical stakeholders are increasingly aware that the nation’s electric power grid is vulnerable to a variety of attacks. Much attention has been focused on the threat of an electromagnetic pulse attack that could destroy much of the electric power infrastructure in an instant. But there are other significant dangers, most notably physical attacks and hacking into control systems. This last threat may be particularly challenging to individual electric power providers.
The disaggregated character of the electric power industry makes it difficult to come up with a standard approach or template for securing the power grid from cyber attacks. There are more than 3,000 electric power providers in the United States, ranging from a relatively small number of very large investor-owned corporations to several thousand publicly-owned utilities, many of which are quite small. For the latter, in particular, it can be hard to develop a cyber security strategy and to find the resources to take the required palliative or restorative measures.
One approach that may hold great promise for publicly-owned utilities is collaboration with the National Guard. The National Guard is in a unique position due to its dual role as an asset available both to the individual states and the federal government. It is rapidly developing its expertise in cyber defense. There already are seven cyber protection teams (CPTs) in the National Guard focused primarily on supporting Northern Command’s mission of homeland defense. There are plans to create an additional 13 units by 2019.
One utility, the Snohomish County Public Utility District (SCPUD), Washington State, has pioneered the development of a collaborative relationship between the National Guard and the electric power sector, enabling the military’s Reserve Component to provide cyber security for public infrastructure. The initiatives taken by the SCPUD provide, at a minimum, a useful case study and, maximally, a template for other jurisdictions.
SCPUD provided a remarkable degree of thought leadership and organizational support for the effort to enable the National Guard to provide cyber support to utilities. The utility began several years ago by organizing a series of cyber summits. Attendance has more than doubled, with the 2016 summit reaching some 130 participants from public utilities, National Guard units, local, state and federal government agencies and the private sector. The summits address threats, organizational and process issues, the roles of various entities in providing security for public networks and education.
SCPUD had an advantage in pursuing its strategy: the National Guard of the State of Washington possessed one of the original seven cyber defense units created in the Reserve Component. These were created in parts of the country with a very strong private sector IT and cyber security base.
It was the SCPUD that came up with the idea of bringing the local National Guard cyber security unit in to do a vulnerability assessment of the utility’s cyber vulnerability. SCPUD came up with the idea of a contract between the National Guard and the utility. The rationale was that the National Guard could perform this service in its home state so long as it was for a public but not a private utility. This would not violate the prohibition on the National Guard competing with the private sector. Even so, it took two years to write a contract and letters from the Governor and the Adjutant General of Washington State to make the effort happened. According to its estimates, it cost SCPUD only a fraction of what the private sector would have charged to perform the same cyber assessment. SCPUD is a relatively small utility and could not afford the private sector’s prices.
The Guard unit was asked to conduct a Red Team assessment of the vulnerabilities of the SCPUD networks. The assessment indicated that the SCPUD had very good security of its operating network, at least from direct intrusion. However, the Guard was able to penetrate the utility by conducting a classic phishing attack on the e-mail system. Apparently, half the individuals targeted were fooled. Once into the e-mail system, the Guardsmen were able to eventually penetrate the entire network including into the utility’s SCADA systems.
One reason the Guard could do such a detailed Red Team vulnerability assessment is that SCPUD had applied for a SmartGrid grant under the 2009 American Recovery and Reinvestment Act to create a cyber security laboratory in which its entire network was replicated virtually. The Guard could run its attacks in the lab. Creating such a virtual network seems to be good idea in itself.
One distinct advantage of bringing in the National Guard to do a vulnerability assessment is that once familiar with the SCPUD networks, the Guard could also respond more swiftly and effectively in the event of a real attack. In fact, a source says that since the assessment the Guard was accessed by SCPUD on several occasions when there were apparent problems with intrusions.
There are a number of lessons from the SCPUD-National Guard experience that need to be captured and their relevance to other public utilities assessed. There are also questions that need to be addressed. For example, how prepared are other states and public utilities to replicate the SCPUD-Washington State model? What changes to state laws, regulations and practices will be required? Are there targeted investments, such as those provided by the SmartGrid initiative, which would be required to enable public utility-National Guard collaboration? Since some National Guard cyber protection teams are multi-state units, how will this impact efforts at collaboration?
Dr. Dan Goure is a Vice President of the Lexington Institute. He is involved in a wide range of issues as part of the institute’s national security program. This piece originally appeared in the LexNext blog.
Image: Northrop Grumman