Grid Security And Cyber Defense Cannot Fall On Deaf Ears, Experts Warn

The following article is from Forbes and is written by Ken Silverstein. Click here to read the article on the Forbes News Website.

If the electrical grid is knocked out for long periods, the damage to the American economy would be insurmountable. And the country’s enemies know that. That is why its brain trust is dedicated to insulating the transmission network from both physical and cyber-attacks.

The National Commission for Grid Resilience just laid out its blueprint to prepare the country for 21st Century combat — including the kind from afar and from behind a keyboard. Power companies are on guard and they are developing robust systems that can continue to generate and deliver power if attacked. Most, if not, all are participating in exercises that simulate mock assaults. The aim is to be proactive — to anticipate what moves the enemy might make. But it is a never ending battle with each side is always trying to one-up the other.

“The idea that the Russians would use cyber attacks on the grid did not exist” in the 20th Century, says Darrel Issa, a former congressman and now a co-chair on this grid commission. “We later found that Osama bin Laden wanted to take down grids.” Issa, who spoke last week an event hosted by the Center for Strategic & International Studies, said that the focus has been on hurricanes and earthquakes. But in recent times, the experts have learned that more insidious events such as cyber attacks and invisible viruses can wreak havoc.

The commission, dedicated to securing the grid, is comprised of General Wesley Clark, Norm Augustine, Dan Poneman, Kevin Knobloch, Adam Cohen and Rep. Issa. Among their recommendations are to ensure that the threats are widely understood by the utilities that must allocate scarce resources to these causes — ones that have a low probability of occurring but also ones that have a high consequence if they do occur.

To that end, innovations need to be rapidly advanced and they need to be paid for by using public-private resources. The need is simply too great to depend on private investors who think short term and who are concerned about quarterly returns. Utilities should be able to recoup their outlays associated with resilience, the commission says, just as they do for all other capital expenses. The grid is a national asset. But with 500 separate grid owners, it is too hard to coordinate. As such, Congress needs to get involved and there must be a central repository upon which utilities, grid operators and safety experts can share information.

Team Effort

“The grid has evolved over many years — not from a clean sheet of paper,” says Commissioner Augustine. “There are a number of vulnerabilities. And most of the grid is owned and operated by the private sector. So the government has an important role to play by providing incentives to defend against those threats.”

The financial value stretches from preserving human life to maintaining the integrity of critical infrastructure. Consider that complex interdependency of utility systems: A loss of power can also take out the drinking water system, the wastewater facility and the communications infrastructure. For those reasons, the use of distributed assets such as onsite power generation with microgrids can provide protections.

The “bulk” electric grid is a fat target for two reasons. First, it’s a critical economic asset. A single brownout can cost as much as $10 billion, which comes in the form of direct losses as well as lost opportunities, estimates the Federal Regulatory Commission. Second, the grid is vast: Altogether, there are about 5,800 major power plants and 450,000 high-voltage transmission lines in the United States.

And because the system is now connected to the outside world through the Internet, it has become subject to evermore attacks.

Weather events are one matter. But cyber and physical assaults are another. Federal law enforcement has identified ways in which bad actors can plant malware and go on “phishing” expeditions to gain access to remote transmission networks. And it started around 2016 and it drew a lot of suspicions when the Kansas-based Wolf Creek Nuclear Operating Corp. got hacked in 2018. Russia is said to be behind the assault — a move similar to what it also, allegedly, did in 2015 to Ukraine’s network, which caused a lot more damage.

In one 48 month period, for example, 1,131 actual attacks occurred, with 159 of those successful, reports the Energy Department’s Joint Cybersecurity Coordination Center. Because electricity is “wheeled” across the country, any assault could reverberate. Altogether, the electrical transmission network serves more than 300 million people and it is comprised of 200,000 miles of wires

Consider PG&E Corp., which operates in the heart of Silicon Valley — home to America’s high tech sector: Masked gunmen burst into a substation and started firing automatic weapons that destroyed 17 transformers six years ago. PG&E is fighting back by bridging its information technology department with its operations unit, meaning that those who are responsible for securing the company are communicating closely with those who keep the lights on.

High Priority

The questions before U.S. lawmakers are over how to pay for these protective measure and whether the potential steps should be voluntary or mandatory.

Power companies, which prefer a voluntary approach, are already supposed to certify with the Federal Energy Regulatory Commission that they have developed robust systems that can continue to generate and deliver power if attacked. To comply, they are describing their potential risks based on historical accounts. More than 200 utilities and several government agencies have participated in emergency drills to simulate prolonged blackouts from both physical and cyber-attacks.

Duke Energy DUK 0.0% and Xcel Energy XEL +0.8%, which have been frequent targets of hackers, are allocating billions toward grid modernization. Grid operations are being protected, for example, by frequent password changes as well as by periodic patches to firewalls and upgrades. But it’s a constant chess match. Setting priorities by identifying high-value assets and then restricting access is a good start, all while ensuring employees are well-trained and well-vetted.

“A priority for the next administration should be for the United States to build a more secure and resilient power grid,” says General Clark. “To keep our nation powered and our electric companies informed, we must overcome the lag in communication between the intelligence community and power companies.”

History has shown that utilities know how to defend against natural catastrophes. But it is an open question on whether they can protect against more nefarious actions. To give the country a fighting chance, the National Commission for Grid Resilience has outlined its defense that will be presented to the next administration — something that the commissioners caution cannot fall on deaf ears.

In Other News…