As the United States' electric system becomes more distributed, security experts say the growing array of internet-connected sensors and industrial control systems presents a potential vulnerability that is not clearly understood and could be exploited to cause blackouts.
So far, utilities have kept hackers from disrupting the grid and Critical Infrastructure Protection (CIP) standards have helped to keep defenses robust. But the attack surface is only growing.
"[W]e cannot pretend that standards themselves equate to security."
Scott Aaronson
VP of security and preparedness, Edison Electric Institute
"Regulations and standards and associated penalties are important," Scott Aaronson, vice president of security and preparedness for the Edison Electric Institute (EEI), told Utility Dive. "But we always look to go beyond simply having standards. They have a role ... but we cannot pretend that standards themselves equate to security."
EEI represents investor-owned utilities, and Aaroson said that as more distributed resources come online it is vital they are operated in coordination with utilities and allow for sufficient visibility.
"As soon as you interconnect with the grid in any two-way [power] flow, now there needs to be some elevated sense of security," Aaronson said. "And if you then start to aggregate those resources to the level they have an impact on the [bulk electric system], then you really need to have a baseline level of security."
Security experts agree that the baseline level of security provided by CIP compliance is a starting point and not an end goal.
"It's critical not to confuse compliance with security," Sharon Chand, principal with Deloitte Cyber Risk Services, told Utility Dive. The CIP standards set out minimum security requirements for assets critical to the nation's bulk electric system, she said, which "scopes out a lot of things" utilities control in their operations.
The National Institute of Standards and Technology is seeking technology vendors to help develop solutions to secure the "Industrial Internet of Things," potentially including sensors, network monitoring, system monitoring, and data acquisition devices related to grid analysis. It's a welcome effort at a more "holistic" approach to security said Chand.
Because threats are growing more varied and dispersed.
For example, researchers at New York University's Tandon School of Engineering have concluded multiple high-wattage electric vehicle charging stations could be used in tandem to launch an attack and potentially cause a blackout in Manhattan. A September report from U.S. Government Accountability Office concluded industrial control systems and the rise of distributed resources mean the grid "is becoming more vulnerable to cyberattacks."
"The GAO report is exceedingly important but unfortunately somewhat late," Paul Steidler a senior fellow at the Lexington Institute, told Utility Dive. "There's a real dearth of public information about the dangers of grid attacks."
Could residential solar pose a vulnerability?
Perhaps the most visible sign of the growth of distributed resources is residential rooftop solar, but could your neighbor's small array pose a grid threat?
"The thing is, we don't know and we can't say for sure," said Steidler. "But someone is going to try to exploit it."
The North American Electric Reliability Corporation's (NERC) CIP standards cover infrastructure critical to the bulk system and that typically means resources under 75 MW won't be covered, according to Nor-Cal Controls, which provides engineering and training services.
"If I am able to hack into to a single solar array, I can probably disable those. It can have a local impact."
Sharon Chand
Principal, Deloitte Cyber Risk Services
"It is only in the last two or three years that there’s been enough solar on the grid to impact utilities and grid reliability," security expert John Franzino wrote in a July 2019 blog for Nor-Cal Controls. "Now that we’re having substantial amounts of solar penetration, both the utilities and NERC have to pay more and more attention to solar. They have not caught up with solar yet, but that will change."
The thing to remember, says Chand, "it's not about the size of the asset on the grid — it's about what it is connected to, and what the function of the device is."
"If I am able to hack into to a single solar array, I can probably disable those. It can have a local impact," said Chand. "But I probably can't use that access to make them catch fire or do harm."
Utilities have pretty good security already, but cracks are showing
Compared with other industries, the utility sector actually does a pretty good job of keeping systems safe but constant improvement will be necessary to maintain security, CyberX Vice President of Industrial Cybersecurity Phil Neray told Utility Dive.
The firm recently assigned a median security score to industries, recommending its clients attain a minimum of 80 points out of 100. The oil and gas sector averaged 74 points; electric utilities averaged 70 points; the manufacturing sector scored 63; and the pharmaceutical and chemical sectors scored 62 points.
"As these smart devices get deployed, they increase the attack surface" of the distributed grid ... "Most experts recognize you can't prevent a determined and sophisticated attacker. They will eventually get in."
Phil Neray
Vice President of Industry Security, CyberX
"Energy utilities are ahead of the other industrial sectors in terms of paying attention to security and eliminating vulnerabilities," Neray said. The advantage is due to the widespread security regulations in place, he said, though "the regulations don't really go far enough."
Some utilities are using outdated operating systems and unencrypted passwords the firm's "2020 Global IoT/ICS Risk Report" concluded. Two thirds of sites the report monitored lack automatic antivirus updates.
"As these smart devices get deployed, they increase the attack surface" of the distributed grid Neray said. "Most experts recognize you can't prevent a determined and sophisticated attacker. They will eventually get in."
Industrial control devices increasingly targeted
The industrial control systems and sensors used to operate and gain visibility into distributed resources are increasingly being targeted. In the past, these systems were relatively unknown. "Security by obscurity," Neray calls it. Control systems had specific functions and were often unconnected to other systems, making attacks less likely and more difficult.
But last year, security firm Dragos said it had tracked 163 public vulnerability advisories with an industrial control system impact that were issued by groups like the U.S. Cybersecurity and Infrastructure Security Agency.
Companies are adding sensors and embedded devices to control networks, said Neray, in order to monitor operations and boost efficiency. Those operating systems are increasingly connected to corporate internal tech systems, to transfer data.
Network-level monitoring is the only way to manage security on some of these devices, he said, but there are no regulations requiring it.
"In a sense, utility control and security teams are blind," Neray said.
The threat from inside
Russia, China and North Korea are the actors commonly thought to threaten the United States' electric grid. But security experts warn the most disruption could be caused if a hacker is able to get some help from the inside of a utility.
A report from the U.S. Department of Energy last year identified more than a half dozen "capability gaps" in the power sector's defenses, including supply chain and trusted partner issues.
"Internal threats from inadvertent human error and disgruntled employees and contractors pose a far great cyberthreat to the critical infrastructure than a nation-state."
Eddie Habibi
CEO and Founder, PAS Global
"The electric utility industry, and the IT consultants that serve it, cannot forget the human element in cyberattacks," said Steidler. "A bad actor on the inside can do damage and/or collaborate with outside attackers. It is critical to have proper and thorough background checks on those leading the fight to prevent cyberattacks."
Eddie Habibi, CEO and founder of cybersecurity firm PAS Global, said enhanced background checks for critical private sector employees would be a good step to improve security.
"Internal threats from inadvertent human error and disgruntled employees and contractors pose a far great cyberthreat to the critical infrastructure than a nation-state," Habibi told Utility Dive in an email.
Utilities will have a chance to work closely with supply chain partners in a couple of weeks, when NERC holds the biennial GridEx simulation. This will be the fifth GridEx event, which has grown to encompass thousands of participants.
The exercise, a simulated grid attack, gives utilities the opportunity to test their response plans. But an assessment of the 2017 event concluded none of the utilities participating in that year's exercise turned to vendors for help or information. In response, NERC recommended a focus on communication and coordination in the 2019 event, including broadening the involved stakeholders and developing processes for sharing critical information.
NERC officials are keeping a tight lid on the GridEx V scenario details, but spokesman Martin Coyne told Utility Dive that "each entity looks at its plans, infrastructure and unique aspects of its systems, which increasingly includes distributed energy resources."
GridEx this year will run Nov. 13-14, with an executive tabletop exercise occurring at the same time.
IOUs see downside to identifying CIP violators
While standards and security requirements can help make the grid safer, the real work must be done by utilities say experts.
"The problem is not the standards, it's more the implementation," Steidler said. "Standards have to be continually evolved and they're not going to be perfect."
"It's a constant process to keep regulations up to date, responding to innovations and advanced threats. CIP requirements do a good job in terms of minimum protection," Deloitte's Chand agreed.
But there is disagreement on how to handle grid participants who do not meet those standards.
"Utilities are image-conscious and frankly the fines for grid violations are not that expensive ... There needs to be some pain; you need a punitive aspect to encourage the best behavior."
Paul Steidler
Senior Fellow, Lexington Institute
Currently, entities that violate cybersecurity standards are not publicly named by NERC or the Federal Energy Regulatory Commission, though there is a proposal to change that. Under the proposal, NERC would include a public cover letter with each notice that discloses the name of the violator, the reliability standards violated and the amount of penalties assessed.
Steidler said the move is a step in the right direction. He called for not just naming violators but also increasing penalties.
"The mere fact there is no public embarrassment for a utility that is slipshod in its practices is quite alarming," he said. "Utilities are image-conscious and frankly the fines for grid violations are not that expensive. It's a modest cost of doing business. There needs to be some pain; you need a punitive aspect to encourage the best behavior."
The utility sector sees this a bit differently, though there is broad agreement on the need for greater security. But EEI's Aaronson said it is possible that naming violators in combination with other data could actually give a hand to would-be attackers.
"Generally speaking, the naming of a violator in and of itself is not problematic," Aaronson said. But when that information is combined with other data points, it can help attackers design new exploits or identify patched weaknesses.
"I would much rather keep adversaries in the dark," Aaronson said. "It's a new world order. We are living in a time when adversaries are taking advantage of our transparency."
CORRECTION: A previous version of this article misidentified Phil Neray's title at CyberX. He is the VP of industrial cybersecurity.