Off the coast of Long Island, New York, a cyberattack caused Plum Island, a federal research center, to go dark.
The perpetrator was not a foreign adversary, but rather the Defense Advanced Research Projects Agency (DARPA) in the Department of Defense. In November 2018, DARPA ran its first cyberattack simulation on the island to assess how the public and private sectors could work together to restore power after a hypothetical cyberattack. On the island, researchers were tasked with restoring an electric grid that was out for weeks as well as a second power utility under attack. In other words, the researchers were dealing with a black start.
black start
The process of restoring a power station, and the grid it serves, to operation without relying on power from the external grid.
An all-out attack on the power grid like the one simulated on Plum Island is a worst-case scenario for cybersecurity experts. While an attack like this is certainly possible, some experts prefer to focus on smaller-scale threats. Even a small disruption to electrical service could have serious consequences in various sectors ranging from military to finance to healthcare.
As the nation’s grid continues to incorporate more connected devices, it presents new vulnerabilities for potential attackers to exploit. The challenge for the United States is to prepare for a wide range of possible threats, which will require coordination among multiple levels of government and the hundreds of companies that make up the country’s vast, decentralized electrical grid.
Foreign state, non-state and domestic actors can conduct cyberattacks in an attempt to access networks to obtain information or influence the performance of the system. Large-scale cyberattacks on power grids have happened internationally — like in Ukraine in 2015 and 2016 — and domestically on a smaller scale, but the United States has not experienced a nationwide power grid takedown.
While it can be tempting to speculate if the United States is at risk of a large-scale attack, experts say that such an event is unlikely.
Will Carter, deputy director and fellow of the Technology Policy Program at the Center for Strategic and International Studies (CSIS), said a large-scale attack on the United States power grid is technologically possible. He said countries are identifying vulnerabilities and planting malware to position themselves for a potential attack on the nation’s electric grid, but that the United States’ strength and resources act as a deterrent.
“There’s a pretty solid understanding among our major adversaries that a large-scale attack on the power grid would be treated as an act of war, more or less, by the United States,” Carter said.
Still, government agencies are taking steps to prepare for an attack on the nation’s infrastructure rather than waiting to implement a solution if an attack occurs.
The Plum Island simulation targeted the electrical grid, but cyberattacks can infiltrate any type of infrastructure that is connected to a digital network. The electrical grid relies on industrial control systems (ICS) to digitally control the systems that comprise the grid. Because this equipment is controlled digitally rather than mechanically, the electrical grid is susceptible to a cyberattack.
As technology becomes more integrated into the nation’s infrastructure, the dependence on the grid — which powers the infrastructure — makes it increasingly vulnerable to attacks.
“If the power grid were to go down, that’s really the nightmare scenario because it takes down virtually the entire economy around it,” Carter said.
Karen Evans, assistant secretary of the Office of Cybersecurity, Energy Security and Emergency Response at the United States Department of Energy, said that as systems become more reliant on technology, cybersecurity will become increasingly relevant.
“Cybersecurity is embedded in everything we do,” Evans said. “If it’s connected, it’s a risk.”
A Decentralized Grid
However, the United States’ power grid was not built with cybersecurity in mind. The country’s power grid is a decentralized mixture of old and new equipment.
Suzanne Spaulding, senior adviser for homeland security with the International Security Program at CSIS, said many older parts of the grid that date back to the 1970s are being replaced by systems that are more cyber-dependent. The result is an electrical grid with a wide geographic distribution that contains many facilities that are controlled only remotely.
“This provides attackers opportunities to continuously target vulnerabilities in older technology, or pursue exploits in new connectivity models, or pursue a coordinated cyber-physical attack if necessary,” a 2016 Idaho National Laboratory report stated.
The adversaries the nation is most concerned about, including Russia and China, have the technical capabilities and resources to coordinate such an attack.
However, Carter said decentralization plays a role in preventing major cyberattacks on the United States’ power grid because it is more expensive, time-consuming, and complicated to launch a coordinated attack on such a large scale. The very decentralized system that helps to prevent major cyberattacks, however, requires close coordination between federal agencies and the private sector.
Investor-Owned Utilities (IOUs) play a significant role in net generation, transmission, and distribution of power across the country, according to the Department of Energy. There are 192 IOUs that account for 50 percent of distribution while about 2,900 public utilities make up the other half.
The U.S. Department of Energy’s Multiyear Plan for Energy Cybersecurity states that the primary responsibility to prevent cyberattacks falls on energy owners and operators. The report also states that the federal government should complement private-sector efforts because cybersecurity is a matter of national and economic security.
Although the federal government’s direct role in regulating the electric grid is limited, there are steps the federal government can take to help the private sector manage cybersecurity.
The federal government already assists operators in simulating potential attacks, understanding industry practices, and sharing threat information to anticipate attacks. State and local governments have more direct authority over grid operations, but they do not necessarily have the resources to gather intelligence on potential cyberattacks.
As the various constituencies figure out how to work together to strengthen the nation’s cybersecurity, they are looking at what the potential vulnerabilities are in the United States’ electric grid.
Vulnerabilities within the System
Though the United States has not experienced major cyberattacks against the electric grid, foreign actors have been seen exploring the systems, searching for vulnerabilities and perhaps leaving behind backdoors that can be exploited later.
Adversaries have many potential points of access into the electric grid, from common equipment like computers and routers to purpose-built ICS. And new technology on the grid means that these attacks could have more tangible consequences than ever before.
Systems that rely on physical and digital components in the electrical grid give hackers greater opportunities to disrupt operations. In the past, physical energy systems, like turbines, were manually controlled. Modern ICS allows for digital and remote control of the grid operations equipment. While these innovations allow for operators to address problems more quickly and efficiently, they also come with significant security concerns, according to the Idaho National Laboratory’s 2016 report.
“These technological improvements have caused the U.S. bulk electric system (BES) to be increasingly vulnerable to intrusions from cyberspace,” the report said.
Evans said protecting the energy grid is a high priority when safeguarding national security.
“Energy security is national security,” Evans said.
Cyberattacks in Ukraine
In 2015, the Russian state demonstrated its offensive cyber capabilities by attacking Ukraine’s power grid. Russia showed its cards to intimidate foreign adversaries and demonstrate its ability to conduct a sophisticated cyberattack with tangible consequences.
The events in Ukraine served as a learning experience for the U.S. and continue to provide a concrete example of the increasingly sophisticated abilities of foreign adversaries. Now, U.S. officials are more focused than ever on assessing the vulnerabilities of U.S. cyberspace and finding ways to increase resilience.
“Even knowing what we know about the Ukraine attack, we would be vulnerable to a similar attack because not everyone has implemented measures we know could prevent it,” Spaulding said.
Guarding the Grid
In order to secure the United States’ critical infrastructure, like the nation’s access to energy, cybersecurity specialists across the private and public sectors need to collaborate. While the private sector focuses on its operational imperatives and economic development, it must also consider the bigger picture.
“The public and our entire society and economy depend on their services in order to operate, and they have a responsibility to provide a resilient service to secure it against potential attacks by our adversaries,” Carter said.
There are a number of ways providers can create more secure systems. One solution is creating consistent, encrypted backups of data. If companies have up-to-date backups, then they can more easily rebuild their systems after a successful attack.
Another recommended solution is to “isolate,” or take offline, ICS so that state actors are not able to get into the system through the internet. Regularly installing security updates can also prevent infection by known strains of malware.
But while these solutions are known to help prevent or impede attacks, there are roadblocks to adequately putting them into effect. According to the Global Information Security Workforce Study, there will be a projected 1.8 million vacancies in the cybersecurity workforce by 2022. The employment gap means that there are not enough people to secure company networks.
Besides the lack of people, there is a stark lack of resources. Running backups and installing security updates takes time and money, and these precautions are sometimes ignored in favor of more immediate concerns.
The federal government has created methods to incentivize companies to spend time and money on education programs and on aligning their processes with industry best practices. Jurisdiction over regulations for corporations generally lies with state and local governments, but the federal government does provide some resources.
“More regulatory authority tends to sit at the local and state levels, but there’s a lot the federal government can do to help the private sector to manage the cybersecurity of the grid,” Carter said.
A Public-Private Effort
The National Initiative for Cybersecurity Careers and Studies (NICCS) has provided companies with a Cybersecurity Workforce Development Toolkit. The toolkit is broken into four digestible steps.
Standards for risk management covering ICS, software, and networking services are developed by the North American Electric Reliability Corporation (NERC), approved by the Federal Energy Regulatory Commission (FERC), and enforced by NERC under FERC’s oversight.
The government also shares information with companies about what malware has been recently detected. One organization that informs the private sector is the National Cybersecurity and Communications Integration Center (NCCIC), which explains threats and vulnerabilities to improve companies’ preparations for cyberattacks.
Another set of organizations is the Information Sharing and Analysis Centers (ISACs), which consists of member-driven groups divided by industry. The members can alert other members of threats they have seen through the federally created forum.
The public sector also intersects with the private through the Electricity ISAC (E-ISAC), which helps convey information between grid operators and the federal government.
“It’s a two-way street,” Carter said. “So, the grid operators see activity on their network, which they sometimes are able to identify as malicious activity, that helps the government to understand where our adversaries are and what they’re doing. At the same time, the federal government is watching our adversaries directly, and they’re aggregating all this information they get from service providers and sharing it with the broader community.”
Carter said the Department of Homeland Security (DHS) and the Department of Energy (DOE) have also been active in ensuring the private sector has the tools, expertise, and information it needs to understand where to better invest in cybersecurity and to plan ahead.
The relationship is still new, Spaulding noted, and it is a process the government and companies are still working on.
“You’ve got to work in a collaborative way with the owners and distributors and operators of electricity in this country, to make sure that we’re all aware of the nature of the threat and that we’re all taking the steps that we can take,” Spaulding said.
But even with further investments in cybersecurity and a focus on deterring adversaries, there is little doubt that someone will eventually succeed in attacking the U.S. grid. The goal, according to Spaulding, is to minimize the amount of damage and the effectiveness of successful cyberattacks.
“We have to find all the ways to make the results not catastrophic,” she said.
The government has organized training exercises, like GridEx, to conduct research and prepare energy providers for a large-scale power outage. These practices help leaders in both the private and public sectors visualize the effects of such a shocking disaster, Carter said.
“That really makes a big difference both in getting senior executives to understand where they need to invest in better security and getting organizations to think about the types of scenarios that they might encounter and plan proactively to deal with them quickly,” he said.
But while building resiliency can help reduce the consequences of a successful cyberattack, the government is also focused on deterring its adversaries from attacking in the first place.
Jim Lewis, senior vice president at CSIS and cybersecurity expert, said he believes the most important step in eliminating a cyber threat is to stand up against state actors.
“The most important thing [the United States] can do now is persuade our opponents that it would be exceptionally painful if they were to take action against the United States and that we have the ability to identify them were they to do it,” Lewis said. “It’s the need to impose consequences for malicious cyber behavior that is probably the most pressing problem that we have now.”
A Means to an End
After a week of the simulation, Plum Island was back on the grid. Still, success did not come easily. Between blackout conditions and adverse weather, the researchers were exposed to vulnerabilities that may not have been considered going into the exercise. DARPA is planning to continue this exercise with varying elements on Plum Island in the future.
Although the nation may not know exactly when or where a cyberattack may occur, the United States’ private and public sectors are taking steps to be prepared in the case of an attack.
Spaulding said that as technology progresses, the nation needs to be aware of the vulnerabilities that come along with increased convenience and build this awareness into the systems. She said it is necessary to shift the mindset of cybersecurity from an end goal to an aspect that is integrated into everyday life.
“Cybersecurity is not an objective,” Spaulding said. “It’s a means to an end, and the end is allowing Americans all of the benefits of a networked world, and you have to take cybersecurity into account.”