
Fears of Devastating Cyber-Attacks on Electric Grid, Critical Infrastructure Grow 

10  2,013 

By Yasmin Tadjdeh 

Many remember Aug. 14, 2003 as the day the lights went out. The Great Blackout, as it is often called, left millions in the Northeast and parts of Canada in the dark for up to two days. Traffic lights went out, commuters were stranded in stalled subway trains, and hundreds of people were trapped in elevators.

In this case, a power line in Ohio malfunctioned after touching an overgrown tree branch, crippling the local electrical system and creating a domino effect of outages.

That massive blackout was a work of Mother Nature, but officials fear that a cyber-attack on the electrical grid could cause similar damage.

In her farewell speech, exiting Department of Homeland Security Secretary Janet Napolitano warned that the United States faces “a major cyber-event that will have a serious effect on our lives, our economy and the everyday functioning of our society.” Many experts worry that this looming cyber-attack could target the nation’s power grid.

A massive cyber-attack on the nation’s grid has been a top concern among those working in the industry for years. Experts have said that a sophisticated assault targeting electrical lines or power plants could wreak havoc far and wide, and effectively shut down the government and economy.

The question isn’t if an attack will happen, but rather when, said Doug Myers, the chief information officer for Pepco Holdings Inc., an electrical company that serves parts of the Mid-Atlantic region.

“Utilities think about natural disasters as when, not if, and we think about the threat of a cyber-event in the same manner. However, there are several key differences between a hurricane, for example, and a cyber-event,” said Myers. “A hurricane comes with some degree of warning. Utilities typically begin their preparatory work days in advance … [but] cyber-attacks are not expected.”

While the electrical grid is vulnerable, industry has an opportunity to blaze trails in cybersecurity, said retired Air Force Gen. Michael Hayden, former director of both the CIA and National Security Agency.

The electric industry is one of the best places to test out new defenses, Hayden said in August at the Bipartisan Policy Center, a Washington, D.C.-based think tank.

“The electrical industry might actually be the trailbreakers here,” said Hayden.

Utilities may be able to establish a precedent in the cyberdomain that would not only help them better defend their networks, but open the doors for better relationships between the private sector and the government, Hayden said.

Electric companies do not deal with as much private information as the financial sector — another major hacker target, Hayden said. They can therefore be more aggressive in seeking threats and can more easily share information with other companies and the government without serious repercussions.

There is an ongoing debate about how much personal information the government can look at. From the Edward Snowden scandal to the snooping on private Gmail accounts, the country as a whole has not yet decided how much power it wants to give the government.

Until U.S. citizens embrace spying by the government — which is for the common good and safely collected — the United States will have one of the most unprotected networks in the world for the foreseeable future, he said.

“I’m willing to accept the proposition that the United States of America will forever have one of the least well-defended networks on this planet,” said Hayden. “We as a people have not yet created a consensus as to what it is we want our government to do … or what we’ll let our government do.”

While Congress and the American public wring their hands over government intrusions, the threat is growing.

The United States faces cyber-attacks from three types of “sinners,” Hayden said.

Countries such as Iran or China might launch attacks. In 2012, Iran allegedly destroyed 30,000 computers belonging to Saudi Aramco, the state-run Saudi Arabian oil and gasoline company. But, while intrusions could be sophisticated and damaging, governments can be held accountable, and in that way are less of a threat, Hayden said.

Criminal gang syndicates, while dangerous, usually are after money and can be bought off, if necessary, Hayden said.

The most worrisome actor is the hacktivist, Hayden said. Hacktivists can be unpredictable and their motivations are often unclear. Notorious hacker groups such as Anonymous or LulzSec fall into this category. They are also becoming more sophisticated, Hayden said.

“As time goes on, we’re going to see this group down here [hacktivists] — whose demands are actually hard to define, whose demands may be unsatisfiable — begin to acquire the capacities that we now associate with nation states,” said Hayden. “This is going to get worse before it gets better.”

In response to increasingly frequent and dangerous attacks, companies in the private sector have called on the government to implement federal cybersecurity measures.

One of the largest efforts was the Cyber Intelligence Sharing and Protection Act of 2011. Critics claimed that CISPA could erode civil liberties, while proponents said it could help identify cyber-attacks. CISPA cleared the House of Representatives, but failed to pass the Senate in 2012. The act was reintroduced in Congress in 2013 but has since stalled.

In February, President Barack Obama released an executive order that aims to improve cybersecurity within critical infrastructure. The measure puts a premium on information sharing, and encourages the private sector to reach out to the government and share details about attacks. It also seeks to create a set of best practices while at the same time balancing privacy.

The order stated that securing critical infrastructure — like the electrical grid — is imperative.

“The cyberthreat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the nation’s critical infrastructure in the face of such threats,” said Obama.

While Obama said he would veto CISPA in the spring, the administration is in full support of creating federal legislation to combat threats, said Andy Ozment, senior director for cybersecurity for the White House’s national security staff.

While passing anything this congressional session would be tough, the White House is optimistic that it can happen, he said.

Cybersecurity, and protecting critical infrastructure in particular, is one of the priorities of the administration, said Ozment.

Electric companies are on the front lines, he said. “The executive order is one very clear example of what we’re doing in that space, and you can see we’re focusing on the standards to be developed under the cybersecurity framework … and information sharing in particular.”

As cyber-attacks have increased, energy companies realize they are prime targets.

It is critical that electric companies treat cyber-attacks as seriously as they do natural disasters, said Chris Peters, vice president for critical infrastructure protection at Entergy, a utility that serves nearly 3 million customers in Texas, Arkansas, Louisiana and Mississippi.

“We have to treat cyberthreats with the same respect that we give to forces of nature that impact our grid — hurricanes, floods, ice [and] storms,” said Peters. “They impact our grid throughout the year, and we are organized, [we] deal with those threats, [we] are strategic about how we respond.”

Electric companies need to make the proper investments in cybersecurity, he said. CEOs and board members also need to practice a top-down approach when discussing the importance of cybersecurity.

“These cyberthreats are part of our risk profile, we have to fund it, we have to staff it and we have to be prepared to respond as necessary,” said Peters.

Paul Stockton, the managing director for Sonecon, a Washington, D.C.-based economic advisory and analysis firm, and former assistant secretary of defense for homeland defense and America’s security affairs, said that lessons need to be drawn from Hurricane Sandy, which pummeled parts of the East Coast last October with flooding and powerful winds. The storm caused billions of dollars in damage and left millions without power for weeks.

When the electrical grid goes down, it’s not just power that goes out. It creates a domino effect that shuts down other essential services such as hospitals and can have major ramifications for public health, he said.

Federal legislation is one way to help better secure the grid, said Myers.

He asserted that it would be better to have just one federal entity regulating cybersecurity, as opposed to 51 separate regulatory commissions. The actions, or inaction, of just one state could have a cascading effect on a number of different power grids, he said. He pointed to the blackout of 2003, where mistakes made by one Ohio company following a small power outage caused grids in the Northeast and parts of Canada to shut down.

Scott Saunders, information security officer for the Sacramento Municipal Utility District in California, said since the executive order came out in February, he has seen an increase in information sharing in the industry, which is critical to stopping the threat.

“We cannot underscore that electricity would be a significant target by those intent on disrupting our national security and American way of life. Electricity underpins the capability of everything we do and every other critical infrastructure,” said Saunders.

He said implementing universal best practice procedures would be useful and that electric company employees need to use better practices to help curb potential intrusions.

While federal regulation would be wise, he stressed it should not bog companies down with excessive red tape.

“One size does not fit all. We need to be mindful that overly burdensome regulatory regimes can threaten our ability to respond to emerging threats and create complexity where it’s not needed and where it does not add value,” said Saunders.

Photo Credit: Thinkstock
Reader Comments

Re: Fears of Devastating Cyber-Attacks on Electric Grid, Critical Infrastructure Grow

Though I agree with Mr. Ramos' thought, the likelihood of that happening is very slim to none. As noted in the article, this is not about one company or even a group of companies or municipalities; we are talking about the very security of the whole country. This is not something we can look at from a profit or loss perspective or even from a risk calculation. If you are not prepared day one you cannot catch up. The investment costs may be high, but the outcomes of not making those investments now and on into the future are catastrophic. I am not crying wolf but understand the wolf is on the prowl and he can attack anytime. Only via communication and dialogue can the right balance be found to protect without overburdening the public and private sectors alike.

Norman Hayes on 10/01/2013 at 16:31

Re: Fears of Devastating Cyber-Attacks on Electric Grid, Critical Infrastructure Grow

What we need to do is build a separate communications highway for critical infrastructure that is segregated from the internet.

Paul Ramos on 09/14/2013 at 19:37
