With the hacks into the Ukraine power grid, and the latest cyberattack on Israel’s Electric Authority, attention has returned anew to the vulnerabilities of the U.S. power grid, a problem that victims of Hurricane Sandy and the recent blizzard can attest to given wide scale power outages.
Though black swan weaknesses exist, Washington is moving to fix the problem. Confounding the solution is the fact that an estimated 90% of the 3,200 U.S. utilities are in private hands. Also, the rise of the “smart grid”—the grid’s computing and communications done over the Internet, as well as the Internet of Things--has poked open more entry points for miscreants to hack the grid’s computer systems. In fact, researchers have found holes in thousands of Internet-connected industrial control systems.
Even though James Clapper, Director of National Intelligence, has said that "cyber Armageddon" is less likely than smaller attacks, those attacks could bedevil systems for years to come. It’s the ease of entry that’s concerning authorities. Cyberhackers could, for instance, break into a power grid system via a simple phishing email to a utility insider that’s loaded with malware, as is suspected in the Ukraine grid attack. The hackers can then seize control of certain parts of the system, all the while getting insights into industrial processes so as to conduct sabotage later on.
Though it reads like something out of a Tom Clancy novel, the attacks have occurred in the real world. The U.S. power grid routinely gets hit with hacks or physical attacks, with an estimated 331 from fiscal 2011 to 2014, and now occurring once every four days, according to the Dept. of Homeland Security. A major cyberattack on the U.S. electric grid could cause over $1 trillion in economic damage, estimates ThreatTrackSecurity.com. The Pentagon, too, has warned that, in a worst-case scenario, a massive attack on the nation’s power grid would take "many weeks” to fix, blanket the country in darkness, and push it into a recession.
The Government Accountability Office recently wrote of the weaknesses: “The cyber threat to critical infrastructure continues to grow and represents a serious national security challenge. Foreign malicious actors have directly attacked and extracted highly sensitive materials from the networks of government agencies and major critical infrastructure companies.”
However, the Dept. of Homeland Security has a unit that oversees such threats. It’s called the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The unit is now working with Ukrainian authorities and international officials to combat malware, like the BlackEnergy virus, which had been injected into power grids.
In December 2014, ICS-CERT issued a warning about “a sophisticated malware campaign compromising numerous industrial control system environments.” It warned that this attack “had been ongoing since at least 2011.”
In early 2014, the unit warned that an unnamed U.S. public utility had been hacked “when a sophisticated threat actor gained unauthorized access to its control system network through a vulnerable remote access capability configured on the system.”
How did they get in? Via the Internet. “The software used to administer the control system assets was accessible via Internet facing hosts. The systems were configured with a remote access capability, utilizing a simple password mechanism,” the unit warned.
However, Washington has been stepping up its countermeasures on the problem for the last several years. Along with the Dept. of Homeland Security’s ICS-CERT unit, there is Homeland Security’s National Cybersecurity and Communications Integration Center. The Department of Energy also has its oversight, including the Cybersecurity Risk Information Sharing Program (CRISP). Also, the powerful Department of Defense has had up and running for some time its United States Cyber Command.
And the Pentagon has the Defense Advanced Research Projects Agency (DARPA), which recently put out a new call to the nation's best tech and engineering minds to come up with a solution that will get the nation’s power grid back up and running in less than seven days in the event of a cyberattack on the country’s power grid. "A substantial and prolonged disruption of electric power would have profound economic and human costs for the United States,” the DARPA solicitation reads. “From a defense perspective, it would hamper military mobilization and logistics, impairing the ability of the government to project force.”
DARPA has been moving to develop secure embedded systems in everything from large supervisory control and data acquisition systems that run and manage physical infrastructure, down to even items like medical devices in hospitals, computer peripherals such as printers and routers, even communication devices such as cell phones and radios, as well as infrastructure that supports the nation’s roadways, airplanes and satellites. The U.S. Department of Energy has also spent millions developing security systems for the grid.