Too Big to Fail? Understanding the U.S. Power Grid Vulnerabilities in terms of Cybersecurity

As a follow-up to yesterday’s Round Up, a report released by MIT in 2011 entitled “The Future of the Electric Grid“,  discussed the potential ramifications of failing to address cybersecurity in the context of the Nation’s Power grid.  Additionally, cybersecurity and the impact on the U.S. power grid has been discussed by multiple outlets, including articles by the BiPartisan Policy Center, as well as USA Today.

The MIT report highlights the fact that the electric grid is a complex inter-connected system and the assertion is that within the next twenty years the percentage growth in terms of data flowing through grid networks will far outweigh the growth in actual electricity flowing through the grid.  Consequently, the introduction of new devices ranging from automated meter devices to proprietary power and communications grid monitoring devices introduce a multitude of new potential attack vectors, according to the report.

The MIT report indicates that several types of data communications are already using the power grid:

• Utility-owned wide-area and field-area networks: used for operational control and measurement signals;
• Commercial wide-area, field-area, and local networks: used for similar purposes as above and also for communications between data centers;
• Public communications networks: communicate between home area networks and link the internet with the telephony;
• Satellite communications networks: applied where microwave communication is prohibitively expensive;
• Home and Commercials premises: appliance connections and transmittal of data from utilities to homes and or businesses.

The BiPartisan Policy Center’s article states that The Industrial Control Systems Cyber Emergency Response Team, reported to nearly 200 cyber incidents in 2012 across U.S. critical infrastructure systems, and of those, roughly 41% involved the energy sector.  The article also points to the 2003 Northeast blackout that lasted for several days, affected 50 million people in the United States and Canada and resulted in economic impacts in excess of $6 billion.  It is further posited that a large-scale cyber attack on the electric grid, especially if combined with a simultaneous physical attack, could lead to even higher costs and outages that would affect far more than 50 million people, according to the article.

To further underscore this, a USA Today article reported that Department of Energy components experienced cyberattacks over 1,100 times between 2010 and 2014.  Of these, over 150 were actually successful, which raises the likelihood that attacks against DOE components could impact the grid, according to USA Today.

My opinion:
For the World’s most developed nations the electrical power grid is a critical piece of infrastructure whose loss or instability could prove devastating.  The fact that the U.S. continues to push command and control functions into the power grid opens up a vast and previously untapped network resource which is ripe for the picking.  In a coordinated attack where a physical and cyber-attack were conducted simultaneously, the resulting impact could have a ripple effect.  Businesses, consumers, as well as critical facilities such as hospitals going “offline” in the resulting power outage.  The U.S. needs to take a long-term approach towards a cohesive and comprehensive cybersecurity policy and should consider the following:

1. create a single-agency with Cabinet level authority to oversee the entire U.S. Cyber Policy: including, federal, military, and civilian Cyber related issues;
2. fully assess the vulnerability matrix of critical infrastructure in the United States (irrespective of whether the resources are managed by the public or private sectors);
3. take a phased-approach towards cyber security:
   1. short-term: using offensive and defensive cyber strategies “harden” our critical infrastructure;
   2. long-term: employ a continuous improvement process wherein audits are performed, the results are fed into vulnerability mitigation and then the process is repeated ad infinitum.

[Note: Our home organization, Syracuse University, has an interdisciplinary smart grid initiative for both research and to teach future utility workers and engineers.  The preSAGE group [Privacy, Regulation & Economics in a Smart Assured Grid Ecosystem] applies four perspectives—technology, security, economics, and law—in an integrated approach to solve emerging problems, such as management of the electric grid and other critical infrastructure.  It offers a graduate level course approved in multiple school of the University entitled, LAW 868, Smart Grid: Sec. Prov. & Ecn.  I don’t know what “Prov.” stands for, but no doubt the other two abbreviations are in place of “Security” and “Economics.”]