Power Struggle: Anticipating Cyberattacks on the Electric Grid

How likely is a cyberattack on US infrastructure, and what can be done to increase resilience?
U.S. Air Force Staff Sgt. Jerome Duhan inserts a hard drive into the network control center retina server in preparation for a command cyber readiness inspection. DoD photo by Senior Airman Franklin R. Ramos, U.S. Air Force/Released

Off the coast of Long Island, New York, a cyberattack caused Plum Island, a federal research center, to go dark.

The perpetrator was not a foreign adversary, but rather the Defense Advanced Research Projects Agency (DARPA) in the Department of Defense. In November 2018, DARPA ran its first cyberattack simulation on the island to assess how the public and private sectors could work together to restore power after a hypothetical cyberattack. On the island, researchers were tasked with restoring an electric grid that was out for weeks as well as a second power utility under attack. In other words, the researchers were dealing with a black start.

black start
The process of restoring an electric grid’s power station without backup electrical resources.

An all-out attack on the power grid like the one simulated on Plum Island is a worst-case scenario for cybersecurity experts. While an attack like this is certainly possible, some experts prefer to focus on smaller-scale threats. Even a small disruption to electrical service could have serious consequences in various sectors ranging from military to finance to healthcare.

A short video depicting the location of Plum Island, an animal research center turned cyber attack simulation facility.

As the nation’s grid continues to incorporate more connected devices, it presents new vulnerabilities for potential attackers to exploit. The challenge for the United States is to prepare for a wide range of possible threats, which will require coordination among multiple levels of government and the hundreds of companies that make up the country’s vast, decentralized electrical grid.

Foreign state, non-state and domestic actors can conduct cyberattacks in an attempt to access networks to obtain information or influence the performance of the system. Large-scale cyberattacks on power grids have happened internationally — like in Ukraine in 2015 and 2016 — and domestically on a smaller scale, but the United States has not experienced a nationwide power grid takedown.

While it can be tempting to speculate about whether the United States is at risk of a large-scale attack, experts say that such an event is unlikely.

Will Carter, deputy director and fellow of the Technology Policy Program at the Center for Strategic and International Studies (CSIS), said a large-scale attack on the United States power grid is technologically possible. He said countries are identifying vulnerabilities and planting malware to position themselves for a potential attack on the nation’s electric grid but that the United States’ strength and resources are a deterrent.

“There’s a pretty solid understanding among our major adversaries that a large-scale attack on the power grid would be treated as an act of war, more or less, by the United States,” Carter said.

Still, government agencies are taking steps to prepare for an attack on the nation’s infrastructure rather than waiting to implement a solution if an attack occurs.

The Plum Island simulation targeted the electrical grid, but cyberattacks can infiltrate any type of infrastructure that is connected to a digital network. The electrical grid relies on industrial control systems (ICS) to digitally control the systems that comprise the grid. Because this equipment is controlled digitally rather than mechanically, the electrical grid is susceptible to a cyberattack.

As technology becomes more integrated into the nation’s infrastructure, the dependence on the grid — which powers the infrastructure — makes it increasingly vulnerable to attacks.

“If the power grid were to go down, that’s really the nightmare scenario because it takes down virtually the entire economy around it,” Carter said.

Karen Evans, assistant secretary of the Office of Cybersecurity, Energy Security and Emergency Response at the United States Department of Energy, said that as systems become more reliant on technology, cybersecurity will become increasingly relevant.

“Cybersecurity is embedded in everything we do,” Evans said. “If it’s connected, it’s a risk.”

A Decentralized Grid

However, the United States’ power grid was not built with cybersecurity in mind. The country’s power grid is a decentralized mixture of old and new equipment.

Suzanne Spaulding, senior adviser of Homeland Security with the International Security Program at CSIS, said many older aspects of the grid that date back to the 1970s are being replaced by systems that are more cyber-dependent. The result is an electrical grid with a wide geographic distribution that contains many facilities that are only controlled remotely.

“This provides attackers opportunities to continuously target vulnerabilities in older technology, or pursue exploits in new connectivity models, or pursue a coordinated cyber-physical attack if necessary,” a 2016 Idaho National Laboratory report stated.

Carter said decentralization plays a role in preventing major cyberattacks on the United States’ power grid because it is more expensive, time-consuming and complicated to launch a coordinated attack on such a large scale. However, the adversaries the nation is the most concerned about — including Russia and China — do technically have the capabilities and resources to coordinate such an attack.

The very decentralized system that helps to prevent major cyberattacks, however, requires close coordination between federal agencies and the private sector.

Investor-Owned Utilities (IOUs) play a significant role in net generation, transmission, and distribution of power across the country, according to the Department of Energy. There are 192 IOUs that account for 50 percent of distribution while about 2,900 public utilities make up the other half.

The U.S. Department of Energy’s Multiyear Plan for Energy Cybersecurity states that the primary responsibility to prevent cyberattacks falls on energy owners and operators. The report also states that the federal government should complement private-sector efforts because cybersecurity is a matter of national and economic security.

Although the federal government’s direct role in regulating the electric grid is limited, there are steps the federal government can take to help the private sector manage cybersecurity.

The federal government already assists operators in simulating potential attacks, understanding industry practices, and sharing threat information to anticipate attacks. State and local governments have more direct authority over grid operations, but they do not necessarily have the resources to gather intelligence on potential cyberattacks.

As the various constituencies figure out how to work together to strengthen the nation’s cybersecurity, they are looking at what the potential vulnerabilities are in the United States’ electric grid.

Vulnerabilities within the System

Though the United States has not experienced major cyberattacks against the electric grid, foreign actors have been seen exploring the systems, searching for vulnerabilities and perhaps leaving behind backdoors that can be exploited later.

Adversaries have many potential points of access into the electric grid, from common equipment like computers and routers to purpose-built ICS. And new technology on the grid means that these attacks could have more tangible consequences than ever before.

Systems that rely on physical and digital components in the electrical grid give hackers greater opportunities to disrupt operations. In the past, physical energy systems, like turbines, were manually controlled. Modern ICS allows for digital and remote control of the grid operations equipment. While these innovations allow for operators to address problems more quickly and efficiently, they also come with significant security concerns, according to the Idaho National Laboratory’s 2016 report.

“These technological improvements have caused the U.S. bulk electric system (BES) to be increasingly vulnerable to intrusions from cyberspace,” the report said.

Evans said protecting the energy grid is a high priority when safeguarding national security.

“Energy security is national security,” Evans said.

Cyberattacks in Ukraine

When Kyiv Went Dark
Will Carter, Deputy Director, Technology Policy Program, CSIS
Kenneth Geers, Ambassador, NATO Cooperative Cyber Centre of Excellence
Jim Lewis, Director, Technology Policy Program, CSIS
Suzanne Spaulding, Former Under Secretary, Department of Homeland Security

In 2015, the Russian state demonstrated its offensive cyber capabilities by attacking Ukraine’s power grid. Russia showed its cards to intimidate foreign adversaries and demonstrate its ability to conduct a sophisticated cyberattack with tangible consequences.

The events in Ukraine served as a learning experience for the U.S. and continue to provide a concrete example of the increasingly sophisticated abilities of foreign adversaries. Now, U.S. officials are more focused than ever on assessing the vulnerabilities of the American cyberspace and finding ways to increase resilience.

“Even knowing what we know about the Ukraine attack, we would be vulnerable to a similar attack because not everyone has implemented measures we know could prevent it,” Spaulding said.

People cross a road during a power outage in the Crimean city of Simferopol on November 24, 2015. MAX VETROV/AFP/Getty Images

Guarding the Grid

In order to secure the United States’ critical infrastructure, like the nation’s access to energy, cybersecurity specialists need to collaborate in the private and public sectors. While the private sector focuses on its operational imperatives and economic development, it must also consider the bigger picture.

“The public and our entire society and economy depend on their services in order to operate, and they have a responsibility to provide a resilient service to secure it against potential attacks by our adversaries,” Carter said.

There are a number of ways providers can create more secure systems. One solution is creating consistent, encrypted backups of data. If companies have up-to-date backups, then they can more easily rebuild their systems after a successful attack.

Another recommended solution is to “isolate,” or take offline, ICS so that state-actors are not able to get into the system through the internet. Regularly installing security updates can also prevent infection by known strains of malware.

But while these solutions are known to help prevent or impede attacks, there are roadblocks to adequately putting them into effect. According to a study done by the Global Information Security Workforce, there will be a projected 1.8 million vacancies in the cybersecurity workforce by 2022. The employment gap means that there are not enough people to secure company networks.

Besides the lack of people, there is a stark lack of resources. Running backups and installing security updates takes time and money, and these precautions are sometimes ignored in favor of more immediate concerns.

The federal government has created methods to incentivize companies to spend time and money on education programs and to align their processes with industry best practices. Jurisdiction on regulations for corporations generally lies with state and local governments, but the federal government does provide some resources.

“More regulatory authority tends to sit at the local and state levels, but there’s a lot the federal government can do to help the private sector to manage the cybersecurity of the grid,” Carter said.

A Public-Private Effort

The National Initiative for Cybersecurity Careers and Studies (NICCS) has provided companies with a Cybersecurity Workforce Development Toolkit. The toolkit is broken into four digestible steps.

Agencies such as the Federal Energy Regulatory Commission (FERC) have stepped in to create standards for risk management for ICS, software, and networking services, which are then enforced by the North American Electric Reliability Corporation (NERC).

The government also shares information with companies about what malware has been recently detected. One organization that informs the private sector is the National Cybersecurity and Communications Integration Center (NCCIC), which explains threats and vulnerabilities to improve companies’ preparations for cyberattacks.

President Obama visits the National Cybersecurity and Communications Integration Center (NCCIC) on Jan. 13, 2015. Department of Homeland Security

Another set of organizations is the Information Sharing and Analysis Centers (ISACs), which consist of member-driven groups divided by industry. The members can alert other members of threats they have seen through the federally created forum.

The public sector also intersects with the private through the Energy ISAC, which helps convey information between grid operators and the federal government.

“It’s a two-way street,” Carter said. “So, the grid operators see activity on their network, which they sometimes are able to identify as malicious activity, that helps the government to understand where our adversaries are and what they’re doing. At the same time, the federal government is watching our adversaries directly, and they’re aggregating all this information they get from service providers and sharing it with the broader community.”

Carter said the Department of Homeland Security (DHS) and the Department of Energy (DOE) have also been active in ensuring the private sector has the tools, expertise, and information it needs to understand where to better invest in cybersecurity and to plan ahead.

The relationship is still new, Spaulding noted, and it is a process the government and companies are still working on.

Natural Disaster Recovery: Lessons Learned

Some of the preventative measures governmental agencies are taking to combat cyberattacks are not necessarily new. Electric companies have long responded to crises by using mutual assistance agreements, under which resources are reallocated from one location to another during a time of need.

For instance, after more than 10 million homes and businesses in 17 states lost power for weeks after Hurricane Sandy in October 2012, cross-sector constituents from across the nation responded to reestablish power.

The Regional Resiliency Assessment Program in the Department of Homeland Security looks at the interdependencies between sectors to assess potential infrastructure issues. In the case of Hurricane Sandy, other sectors assisted the electricity subsector by providing fuel for tools and equipment and communications to spread information about restoration efforts.

However, Spaulding said these steps cannot be directly applied to cybersecurity due to the more variable nature of a cyberattack.

“In the event of a cyber attack, it won’t be so clear A, that it’s over, the way a storm moves through when it’s over,” Spaulding said. “B, it won’t be so clear that it’s not going to next hit Ohio or Virginia. They need to rethink some of those assumptions, that they’ll be able to call on resources from other places.”

Flood waters from Hurricane Sandy on October 29, 2012 in New York City. A large part of Manhattan below 26th St. lost power because of flooding. Preston Rescigno/Getty Images

“You’ve got to work in a collaborative way with the owners and distributors and operators of electricity in this country, to make sure that we’re all aware of the nature of the threat and that we’re all taking the steps that we can take,” Spaulding said.

But even with further investments in cybersecurity and a focus on deterring adversaries, there is little doubt that someone will eventually succeed in attacking the U.S. grid. The goal, according to Spaulding, is to minimize the amount of damage and the effectiveness of successful cyberattacks.

“We have to find all the ways to make the results not catastrophic,” she said.

The government has organized training exercises, like GridX, to conduct research and prepare energy providers for a large-scale power outage. These practices help leaders in both the private and public sectors visualize the effects of such a shocking disaster, Carter said.

“That really makes a big difference both in getting senior executives to understand where they need to invest in better security and getting organizations to think about the types of scenarios that they might encounter and plan proactively to deal with them quickly,” he said.

But while building resiliency can help reduce the consequences of a successful cyberattack, the government is also focused on deterring its adversaries from attacking in the first place.

Jim Lewis, senior vice president at CSIS and cybersecurity expert, said he believes the most important step in eliminating a cyber threat is to stand up against state actors.

“The most important thing [the United States] can do now is persuade our opponents that it would be exceptionally painful if they were to take action against the United States and that we have the ability to identify them were they to do it,” Lewis said. “It’s the need to impose consequences for malicious cyber behavior that is probably the most pressing problem that we have now.”

A Means to an End

After a week of the simulation, Plum Island was back on the grid. Still, success did not come easily. Between blackout conditions and adverse weather, the researchers were exposed to vulnerabilities that may not have been considered going into the exercise. DARPA is planning to continue this exercise with varying elements on Plum Island in the future.

Although the nation may not know exactly when or where a cyberattack may occur, the United States’ private and public sectors are taking steps to be prepared in the case of an attack.

Spaulding said that as technology progresses, the nation needs to be aware of the vulnerabilities that come along with increased convenience and build this awareness into the systems. She said it is necessary to shift the mindset of cybersecurity from an end goal to an aspect that is integrated into everyday life.

“Cybersecurity is not an objective,” Spaulding said. “It’s a means to an end, and the end is allowing Americans all of the benefits of a networked world, and you have to take cybersecurity into account.”

Authors

Will Carlson

Ithaca College

Will Carlson is pursuing a bachelor’s degree in Television and Radio with a minor in Anthropology at Ithaca College. He also studied at Nanyang Technological University in Singapore as an exchange student during the fall 2018 semester. He has served as a station manager of VIC Radio at Ithaca College, as well as being a broadcast engineer for Ithaca College Television. Will is currently serving as the program director for VIC Radio.

Skylar Eagle

Ithaca College

Skylar Eagle is pursuing a bachelor’s degree in journalism with a minor in politics at Ithaca College. She is a recipient of the Rising Junior Park Scholarship and spent the past academic year interning with WRFI Community Radio. Recently, she helped produce an episode of the NYSBA Award-Winning Series, “The Loneliness Project.” Skylar is extremely passionate about political journalism and hopes to pursue a career in the broadcast industry.

Madison Fernandez

Ithaca College

Madison Fernandez is studying journalism with a minor in health policy at Ithaca College. She is a Park Scholar and is in the Ithaca College Honors Program, as well as Phi Kappa Phi and Lambda Pi Eta. She is the news editor of The Ithacan, Ithaca College’s student-run newspaper. She has previously worked at 1010 WINS news radio station in New York City, WRFI Community Radio in Ithaca and CBS News in London. In the summer of 2019, she will be interning at Forbes Media with the College Rankings team.

Vaughn Golden

Ithaca College

Vaughn is a junior journalism and economics double major. Vaughn is a regular correspondent for ICTV where he also serves as Assistant News Director. He’s also a newscaster for WICB radio. Vaughn is a political writer with the weekly “Capitol Watch” watchdog legislative report for The Ithaca Voice. He also has bylines with NPR, WSKG, WRVO, WRFI, The Ithaca Times, Hornell Evening Tribune and Corning Leader. In 2018 Vaughn spent six months working in Washington, D.C. where he reported from the Capitol, Supreme Court and the White House.

Abigail Haley

Ithaca College

Abby Haley is a third year student at Ithaca College, majoring in Documentary Studies & Production and minoring in International Politics and Art History. Last fall, Abby was an Observer at the 24th annual Climate Summit in Katowice, Poland and a Mobile Journalist for Cultural Experiences Abroad. This summer, she will be interning for the Barnes Foundation and volunteering for the National Park Services in Acadia, Maine.

Jason Hannigan

Ithaca College

Jason Hannigan is an undergraduate journalism and economics student at Ithaca College. He is a member of Omicron Delta Epsilon, an accredited International Economics Honor Society, and a Roy H. Park School Peer Advisor. Jason has volunteered with the HEADstrong Foundation, a national non-profit that raises funds and awareness for cancer research, and plans to pursue a career in financial journalism upon graduating college in May 2020.

Tara Lynch

Ithaca College

Tara Lynch is pursuing a bachelor’s degree in journalism with a minor in honors and Spanish at Ithaca College in the Roy H. Park School of Communications. She is a Park Scholar and serves as a Vice President for the Ithaca College chapter of the Society of Professional Journalists. This summer she is interning with NBC Connecticut, a local NBC affiliate station in West Hartford, Conn. Outside of journalism, she enjoys playing soccer and Irish Dancing.

Meghan Mazzella

Ithaca College

Meghan Mazzella is a recent 2019 graduate of Ithaca College. She received a bachelor’s degree in Documentary Studies and Production, minoring in Sociology. She was a member of the Ithaca College Women’s Basketball team for four years, named to the Liberty League All-Academic team, the National College Athlete Honor Society, and the National Sociology Honor Society. She interned at Entertainment Tonight in the Summer of 2018. She hopes to produce in the film or television industry.

Rebecca Mehorter

Ithaca College

Rebecca Mehorter is pursuing a bachelor’s degree in both journalism and Spanish at Ithaca College. She serves as the chief copy editor of the award-winning school newspaper, The Ithacan. She is also a member of the intercollegiate women’s lacrosse team. In the summer of 2019, she will be an intern at the Ithaca Voice, a local, digital newspaper.

Alyssa Spady

Ithaca College

Alyssa Spady is pursuing a bachelor’s degree in journalism and a minor in legal studies at Ithaca College. She is a news and sportscaster for VIC and 91.7 WICB radio. She is also a member of the women’s basketball team at Ithaca College.

Mead Loop

Ithaca College, professor

Loop serves as associate professor of Journalism and director of Sports Media at Ithaca College. His scholarship emphasizes fantasy sports journalism. He was National Editor of the Nashville Banner; and a copy editor at the Kansas City Times and Star, and Lancaster (Pa.) Intelligencer Journal before coming to Ithaca. He holds a master’s degree in journalism from the University of Missouri and a bachelor’s degree in television-radio from Ithaca College.