Cybersecurity threats to U.S. electric grid continue evolving, multiplying, warn experts

Published on March 29, 2017 by Kim Riley

Consider this hypothetical scenario: a nor’easter slams into the coast of Maine, its rising ocean waves submerging the state’s easternmost town of Lubec, toppling buildings, ripping up power lines, and leaving all 1,350 residents without electricity. The storm will next hit Portland, Maine, four hours south, the state’s largest city with some 67,000 people, who also will experience a massive power outage.

Now imagine that in the midst of this natural disaster, another calamity strikes at the hands of foreign or domestic terrorists who have been lying in wait for an opportunity to launch a simultaneous cyberattack.

“It’s naive to think they’d attack us only on a good day,” Ben Fowke III, chairman of the board, president and CEO of Xcel Energy, testified before members of the U.S. Senate Energy and Natural Resources Committee’s Energy Subcommittee on Tuesday.

“In fact, they would use natural disasters as force multipliers to increase the impact of a catastrophe,” said Fowke, who heads the Minneapolis-based integrated energy company serving 3.5 million electric and 2 million natural gas customers in parts of eight midwestern and western states.

Such cybersecurity threats to the U.S. electric grid are growing, Fowke said, offering an example from his own company. Last year, Xcel Energy identified more than 500,000 individual cyberattacks on its networks, and already this year the company reports a 10 percent increase in various “intrusions” over the same period in 2016.

While most cyberattacks against a utility are similar to the attacks targeting any other company in that cybercriminals and hackers seek personal or corporate data, attempt to defraud the company or its customers, or hold the company’s network hostage in a “ransomware” attack, Fowke said that utilities have much more at stake.

“Utilities like Xcel Energy have an even greater concern, the same concern that prompted today’s hearing: attacks from terrorists or nation-states targeting the control systems for the electric grid,” he said.

Fowke and several others provided Senate subcommittee members with their perspectives on such cybersecurity threats to the U.S. grid and the technology advancements to minimize those threats, and gave their input on the Securing Energy Infrastructure Act, S. 79, which was introduced Jan. 10 by Sen. Angus King Jr. (I-ME), who sits on the subcommittee.

During Tuesday’s hearing, King recalled the successful cyberattacks in 2015 and 2016 on the Ukraine power grid. Recent reports say that Russian hackers may be behind the cyberattacks. And worry grows that the same problem could occur in America, witnesses testified.

“This is warfare changing before our eyes … and the Russians are doing it on the cheap,” said King, explaining that rather than buying expensive missiles or tanks, for example, the Russians can wreak havoc by just hiring 500 hackers or trolls, instead. The devastation would be comparable, he said.

“We need this country to develop a comprehensive cyber strategy,” King added.

Proposed legislation

To that end, S. 79 would give the secretary of the U.S. Department of Energy (DOE) the authority to establish a two-year control systems implementation pilot program to identify security vulnerabilities of certain entities in the energy sector.

Specifically, the federal government would partner with certain energy sector partners to research, develop, test and implement technology platforms and standards “to isolate and defend industrial control systems of covered entities from security vulnerabilities and exploits in the most critical systems of the covered entities, including (A) analog and non-digital control systems; (B) purpose-built control systems; and (C) physical controls,” according to language in the bill.

Additionally, the energy secretary would establish a working group to evaluate the technology platforms and standards used in the pilot program to develop a national cyber-informed engineering strategy. There would be at least 10 members in the working group, each appointed by the secretary. Members would represent energy-related industry groups, the Nuclear Regulatory Commission, and federal agencies, including the Department of Homeland Security or the Industrial Control Systems Cyber Emergency Response Team, the Department of Defense and intelligence community, among others.

There would be $10 million appropriated for the pilot program, with an additional $1.5 million appropriated for the working group and its subsequent report to Congress.

Currently, S. 79 has four cosponsors: U.S. Sens. James Risch (R-ID), Martin Heinrich (D-NM), Susan Collins (R-ME) and Mike Crapo (R-ID). The bill was referred to the Senate Energy and Natural Resources Committee after its introduction in January and King, among others, is looking to light a fire under congressional leaders this term to get the bill moving.

Michael Bardee, director of the Office of Electric Reliability at the Federal Energy Regulatory Commission (FERC), is tentatively on board with S. 79 because he said it doesn’t require that program participants adopt a certain technology. Instead, the bill would require research and testing to determine if specific tools and technologies, when applied to limited circumstances, could enhance the security of the most critical systems.

“If this pilot program succeeds in identifying more secure approaches for the most critical systems, the implementation of these approaches could be justified, depending on factors such as effects on operational efficiency. Over time, these approaches, if successful, also could be incorporated into new designs for an evolving Bulk-Power System,” Bardee said during the hearing.

However, he emphasized that any implementation decision should be made only after sufficient research and testing.

Bardee also suggested a change for S. 79 — that FERC be added as a member on the proposed bill’s working group list. King agreed that was a good idea.

Different roads

The U.S. grid is the foundation of the country’s economy and way of life, said Thomas Zacharia, deputy director for science and technology at DOE’s Oak Ridge National Laboratory.

“The best way to mitigate threats to cybersecurity is to get DOE and the electric utilities off the internet,” he said.

By that, Zacharia said, he means that the grid should be disconnected from the commercial internet. There’s a tremendous amount of dark fiber that could be used to create separate connectivity for the utilities, he suggested. “It’s already available in the ground today.”

Today’s threats are fast-evolving and require quick adaptive responses, testified John DiStasio, president of the Large Public Power Council, which represents publicly owned utility commissions. DiStasio said that the industry is engaged and actively working to beat these emerging threats, “but because they’re evolving rapidly and not static, industry agility must be permitted,” he told the senators.

In summing up their top recommendations for congressional actions to enhance cybersecurity for the grid, witnesses suggested support for training skilled workers, improving information sharing between the feds, industry and private sector, mandating that basic cyber standards be followed across the industry, and increasing coordination among stakeholders.