Grid Cyber Attacks: How is Our Electric System Vulnerable?

This is the second article in a Microgrid Knowledge series that explores why we need to focus on microgrid cybersecurity to protect the grid of the future. This post narrows in on grid cyber attacks and how our electric system is vulnerable.

Download the full report.

The North American electric power grid has been described as a single enormous machine, one of the largest in the world, with about 1,000 GW of generation and 200,000 miles of transmission lines.

It is a single machine in the sense that all the parts have to work together. If there is a fault within any of those semi-autonomous grids, failures can ripple through the rest of the system. The system is built to be resilient and ride through faults – up to a point.

The grid’s vulnerability was demonstrated on a large scale in 2003 when an overloaded transmission line sagged and touched a tree south of Cleveland, Ohio. Within minutes, a mix of equipment failure and human error left 50 million people without electricity and caused an estimated $6 billion in economic damage.

In the wake of that blackout, reliability rules were strengthened, and the grid is now in a better position

to avoid or withstand a repeat of the 2003 event. But unfortunately, the range of threats has increased since then. Blackouts from cyber attacks raise the stakes, with the potential to cause even greater debilitation than storms or accidents.

Concern about grid security has grown with reports of cyber intrusions into commercial computer networks across a wide range of industries. There have been several high-profile attacks in recent years, including the hijacking of sensitive data from Sony Pictures in 2014 , the breaching of digital defenses at J.C. Penney and Yahoo! , and the successful grid cyber attacks in the Ukraine in 2015 and again in 2016 and 2017. To date, the U.S. electric grid has not been disrupted by hackers, but that is not for lack of attempts. Many consider it only a matter of time until such an event.

Concern about grid security has grown with reports of cyber intrusions into commercial computer networks across a wide range of industries.

In December 2016, The Wall Street Journal reported that American officials believe a 2014 cyber attack against the U.S. energy industry resulted in at least 17 companies being penetrated, including four electric utilities. A study by Cisco found that 70 percent of utility security professionals reported they have experienced at least one security breach.

Grid cyberattacks no longer theoretical concern

In an April 2017 article, the Council on Foreign Relations said that grid cyber attacks are no longer just a theoretical concern, and that rapid digitalization, low investment in cybersecurity, and a weak regulatory regime make the country even more vulnerable.

As vulnerable as the grid is in its current state, it is becoming more susceptible to attack as we expand our energy-related network with smarter homes and cities that incorporate distributed energy, electric vehicles, and Internet-of-Things (IoT) appliances that include everything from laptops and cameras to cell phones, street lights, and thumb drives. A world of interconnected devices makes life more convenient, but these devices all rely on a rapidly growing number of interconnected digital interfaces. Those interfaces offer potential entry points for cyber attacks of all kinds.

[clickToTweet tweet=”The Council on Foreign Relations – Grid cyber attacks are no longer just a theoretical concern. #cybersecurity” quote=”The Council on Foreign Relations – Grid cyber attacks are no longer just a theoretical concern. #cybersecurity”]

This growing threat has captured the attention of the utility industry. The Edison Electric Institute (EEI), a utility-funded advocacy group, has launched a series of initiatives aimed at safeguarding the grid from cyber threats and is partnering with federal agencies to improve the industry’s resilience to cyber attacks. EEI also is collaborating with the National Institute of Standards and Technology (NIST), the North American Electric Reliability Corp. (NERC), and federal intelligence and law-enforcement agencies to strengthen grid capabilities. The U.S. Department of Energy (DOE) also is providing $15 million in funding to support the efforts of the American Public Power Association and the National Rural Electric Cooperative Association (NRECA), two advocacy groups that represent municipal, cooperative, and other public power utilities. The associations are using the funds to bolster the cybersecurity of their members, many of which are small, locally run utilities without adequate resources to manage cyber threats on their own.

The military prepares for grid cyber attacks with microgrids

There is acute awareness within the U.S. military of threats posed by grid cyber attacks. This has led military leaders to embrace microgrids as a way to reduce dependency on the utility grid for critical missions and on fossil fuels overall. But the energy resiliency objectives of those microgrids would be undermined if the microgrids inadvertently opened those installations to cyber attacks. So the Department of Defense (DoD) has set strict security requirements for military facility systems, including microgrids; they must be much less vulnerable to cyber attack than the utility grid. With those objectives in mind, in 2008 the DoD launched its Smart Power Infrastructure Demonstration for Energy Reliability and Security (SPIDERS) program.

The program was designed to bolster the cybersecurity and energy efficiency of U.S. military installations by deploying advanced microgrids, and to transfer that knowledge to nonmilitary critical infrastructure.

SPIDERS included three project phases demonstrating enhanced mission assurance at military installations, integrating smart grid technologies, distributed and renewable generation, and energy storage with a cybersecure microgrid architecture. To date, the DoD has already deployed more than a dozen microgrids in locations that include Joint Base Pearl Harbor-Hickam in Hawaii, Camp Pendleton in California, Fort Carson in Colorado, and Fort Belvoir in Virginia.

The microgrid at Camp Smith in Hawaii, which provides power for full base operations during an extended grid outage, offers an example of a microgrid with cyber attack defenses infused into the control system. As we’ll see in the next chapter, these defenses are crucial to ensure the microgrid itself does not become a portal for cyber attack.

So how exactly does a microgrid ensure the flow of electricity during a cyber breach? Chapter 3 explains.

Over the next few weeks, the Microgrid Knowledge Special Report series on microgrid cybersecurity will cover the following topics: