Risk of Power Outages Due to Cyber Attacks is Getting Worse
The United States power grid is increasingly vulnerable to cyber-attacks, but the scale of power outages that could be caused by these attacks is difficult to predict. This is one of the conclusions reached by the Government Accountability Office (GAO) in a recent report to Congress on protecting critical infrastructure. Thankfully, the U.S. has not yet suffered power outages due to cyber-attacks. Unfortunately, the growing trends in distributed control and automation of systems increase the attack surface an adversary can take advantage of.
The U.S. electric grid is primarily owned and operated by private industry, with three large interconnections: the Western Interconnect, the Electric Reliability Council of Texas Interconnect, and the Eastern Interconnect. These grids supply electricity to Canada and Mexico but have limited connectivity to each other. The Energy Policy Act of 2005 gave responsibility for assessing and enforcing compliance with grid reliability standards to the Federal Energy Regulatory Commission (FERC).
The GAO reported that state-sponsored actors are the most likely culprits of attacks on the U.S. power grid. GAO noted a specific recent example of an attack on electric substations in Ukraine in December 2015 that resulted in a three-hour power outage. The other major concern is the insider threat. GAO noted an alleged 2009 case in which a former IT employee whose access had not been revoked disrupted a power plant's energy forecast system in Texas. Criminal groups have so far been less motivated, and terrorists generally lack the capability.
Increasing risk to the power grid is related to several factors. Increasingly, systems may be controlled from remote locations, and existing industrial control systems are being connected to the internet. Many older industrial control systems were not designed for modern internet connectivity, which makes them more vulnerable to attack. Potential risk also exists in the form of compromised supply chains.
The number one difficulty in addressing cyberattack risks, federal officials reported to the GAO, was "hiring a sufficient cyber security workforce". This was also the top difficulty reported to the GAO by federal agencies in a previous report on government cyber risk management, which can be viewed here. Other concerns included cost, which is passed on to the consumer, and the compromise of other critical infrastructure, such as the natural gas pipelines necessary for power plant operations. Additionally, FERC told the GAO it has not addressed the issue of cyberattacks against geographically distributed systems.
The GAO gives credit to the electricity industry for its disaster response processes, built over years of experience with events such as natural disasters. The GAO goes on to note that a natural disaster and a cyberattack may both disable equipment, but they may do so in different ways for which the industry may not be ready. A hurricane, for example, can be predicted in advance and inflicts localized damage, whereas a cyber-attack could be sudden and affect geographically dispersed systems. A cyberattack could also complicate damage assessment and slow response. There have been several studies to ascertain how bad a cyberattack against the power grid would be, but they all suffer from problems in their approach. The most damaging model assumed complete success against dissimilar, geographically separate systems at the same time, along with the failure of all built-in safety mechanisms; such an event is considered unlikely. In another study examined by the GAO, outdated models were used and generalizations made that keep the study from being useful in predicting outages across large systems.
It is difficult to overstate the importance of the electric grid. It is one of the foundations of our modern society. While the electric grid is evolving to handle modern requirements of scale and control, that evolution is contributing to risk that has cascading effects on other industries.
The full version of the GAO report can be found here.