[Editor's Note: This article is the second part of a two-part interview with Joe Weiss on cybersecurity and the electric grid. Part one—"Could a cyberattack take out the U.S. power grid today?"—covers why the grid is vulnerable and why malicious organizations and nation-states such as Iran are capable of attacking the grid. Part two covers what a worst-case scenario cyberattack could do to the U.S. power grid and what utilities should do to secure their infrastructure.]
“A sophisticated, targeted cyberattack on the U.S. electrical grid could effectively be irrecoverable,” cybersecurity consultant Joe Weiss believes.
Joe Weiss has been a subject matter expert to several government organizations, has testified before Congress and provided control system cybersecurity recommendations to the Obama Administration. Weiss is a Managing Partner at Applied Control Solutions, a consulting firm that specializes in securing industrial control systems, and publishes a blog, Unfettered, where he writes about cybersecurity issues and emerging threats.
“The industry needs to understand that cybersecurity is a reliability problem," Weiss says. "Don’t treat this as security for the sake of security. What you’re trying to do is keep the lights on.”
WHY WE CAN'T WAIT UNTIL SOMETHING BAD HAPPENS
What could a worst-case scenario cyberattack do to the U.S. electrical grid? Weiss believes a "sophisticated, targeted cyberattack" could be "effectively irrecoverable." If such an attack were to occur, Weiss says, large parts of the grid could be lost for 9 to 18 months.
There are multiple reasons for this, Weiss says. The first is that the major equipment underpinning critical infrastructure has extensive lead times. It could take 9-18 months to procure, manufacture and install equipment such as large boilers, turbines and transformers. The second reason is that sophisticated, targeted cyberattacks are not likely to target just one piece of equipment from one utility.
“We’ve assumed that a failure is one piece of equipment. Cyberattacks can damage multiple pieces of infrastructure from multiple utilities on the attacker's timetable,” Weiss says. “What happens if ten utilities each need two or three generation step-up transformers that individually take about one year to procure and install?”
The problem is that the industry keeps saying, "We’ll wait until something big happens.”
“Well, it’s already happened!" Weiss says. "We already had the Bellingham, Washington gasoline pipeline rupture that killed three people and led to the bankruptcy of the Olympic Pipeline Company. We already had the San Bruno gas pipeline rupture where PG&E will pay out over $565 million. Here’s the common theme to all the things I’m telling you—not one was identified as cyber.”
"Moreover, in 2007, the Idaho National Laboratory demonstrated the Aurora vulnerability that severely damaged a diesel generator (and can also damage AC motors and transformers). Yet very few utilities to date have attempted to mitigate this demonstrated attack vector," Weiss says. "Considering that every substation that does not implement the Aurora hardware mitigation fix is vulnerable to Aurora, one has to wonder how seriously the utility industry is taking cybersecurity.”
HERE'S HOW UTILITIES CAN START TO SECURE THE GRID
“If I were a utility executive,” Weiss hypothesizes, “the very first thing I would do is look at all of the equipment that is critical for me to accomplish my mission, which can be generating, transmitting and/or distributing electricity.”
Weiss would find out whether the equipment is vulnerable by determining what is actually installed and then testing for vulnerabilities. "I would also make sure I have addressed the cyber incidents that I already know about, and there have been more than 300 actual control system cyber incidents to date covering most industrial applications," he says.
At the same time, Weiss says, he would implement two initiatives to optimize security. The first is to require control system cybersecurity training. The second is to tie both operations employees' and security employees' incentives to reliability so everyone would have a vested interest in securing the reliability of the electric grid. "At the same time," Weiss says, "the Board should also tie security goals to executive compensation."
At times, Weiss says, the security organization may not care "if the lights are on" as long as the firewall is working, and the operations organization may not care if they’re secure as long as "the lights are on."
“What you want,” he says, “is people to be as knowledgeable about their Operational systems from a cyber perspective as you want them to be knowledgeable about their Operational systems from every other perspective. And that’s what’s missing.”
“The people that really understand policy generally do not understand control systems. The IT community, who are developing cybersecurity solutions, generally don’t understand the unique issues associated with control systems. And the people that operate the control systems don’t understand security. Other than that, we’re fine!”
When asked what it might take to secure the grid, Weiss says, “I wish I could tell you what the final impetus to do this would be before it's too late.”