As the Electricity Grid becomes smarter and more connected, the result may be gaping holes in cyber defenses
America’s Electricity Grid is Becoming Greener, Smarter – and More Vulnerable to Cyber threats. According to CrowdStrike, a cyber security consultancy, geopolitical developments have become the “most important drivers for cyber attacks,” they are firmly part of the “global threat landscape.” Adds Kevin Mandia, CEO of FireEye, another cyber security firm: “It does not seem reasonable to expect the majority of the private sector to defend itself from military cyber attacks.
As the GAO reported, the Department of Defense’s own infrastructure is vulnerable to cyber physical attack. The Pentagon should prioritize helping the private sector secure and defend America’s critical electric infrastructure. The Defense Advanced Research Projects Agency announced plans in January 2016 for a $77 million, four-year program to help utilities detect cyber attacks; but given the scale and complexity of the challenges, it is only a small step.
Tech titans, including Facebook, Google, Apple, and Microsoft, have pledged to help advance the deployment of “green” and smart grids. They should also acknowledge, and help resolve, the cyber security challenges associated with such initiatives. The foundational responsibility for solutions originates with the technologies’ providers, not the users in the industrial and utility sectors. Similarly, investors and policymakers should explore ways to encourage greater focus on innovative venture capital in cyber physical security—which accounts for less than 1 percent of total venture-capital investment.
Three realities must be acknowledged:
(1) the rush to make U.S. Electric Grid greener and smarter also increases the cyber physical attack surface
(2) there are two radically different classes of cyber threat: private hackers and nation-state (or nation-sponsored) hackers
(3) evolving cyber physical threats are unlike other physical-security issues that utilities have heretofore faced.
Sound grid-cyber security policy should be slow and smart. Perhaps some gird transformations should be halted until adequate cyber security features are available and incorporated.
Electric Grid budgets should be reallocated to increase funding for security, resilience, and reliability, and require cybersecurity metrics as part of pre-deployment requirements for green and efficiency programs.
Utility sector collaborative engagement should be boosted with federal cyber security programs, especially those of the U.S. Department of Defense.
Private-sector-led cybersecurity technology research should be encouraged. Ensure that policies, mandates, and regulations in cybersecurity are based on overall objectives—rather than being prescriptive and subject to becoming rapidly obsolete.
The central challenge for U.S. utilities in the twenty-first century is to accommodate the conflict between political demands for more green energy and society’s demand for more reliable delivery of electricity. Greater electric grid cybersecurity in the future means that policymakers must rethink the deployment of green and smart grids until there are assurances that security technologies have caught up.
In Canada – Cyber security threat ‘keeps us up at night,’ says Hydro Ottawa CEO talking about security for electricity grid
“What you’re trying to do is open (the system) up for (customers) and keep the back door closed to someone who wants to do something nefarious.” – Bryce Conrad, CEO of Hydro Ottawa
As the electricity grid becomes more and more connected to the internet, Hydro Ottawa says it’s investing heavily to protect the system from cyber attacks. Conrad described how someone sitting in a bedroom at a computer on the other side of the world can try to hack into a utility’s information systems and do damaging things — like take down a grid.
The strategy describes an industry in the midst of transformation in which electricity systems are converging with, and are increasingly dependent on, information technology. Hydro Ottawa anticipates big changes in the coming years — from increased sales of electric cars to innovations that come from more customers being digitally connected to a smart grid, a system of resources to better manage consumption.
But having people, their homes, their appliances, and their vehicles connected to the internet all the time poses a security challenge for an electric utility like Hydro Ottawa. “As we become more customer-centric, and give customers more tools to sort of manage these things, you’re effectively opening up your system for your customers,” said Conrad.
“We have to invest heavily in cybers ecurity and making sure our systems, particularly our command and control systems, are as robust and protected as they possibly can be,” he said. The electricity industry gets together regularly to discuss best practices for protecting utilities from the threat of hacks emanating from terrorists, organized crime groups, or other foreign entities. “I’ll never say we’re 100 per cent protected, but we’re in pretty good shape.”