According to a recent analysis of federal energy records, the nation’s power grid experiences cyber and physical attacks nearly once every four days. The investigation revealed that the critical infrastructure of the US power grid sustained 362 attacks between 2011 and 2014, causing outages or other power disturbances to the US Department of Energy. In the majority of these instances, the suspects responsible for these attacks were never identified.

“A widespread outage lasting even a few days, could disable devices ranging from ATMs to cellphones to traffic lights, and could threaten lives if heating, air conditioning and health care systems exhaust their backup power supplies,” read the USA Today report.

The examination, led by USA Today and more than 10 Gannett newspapers and TV stations across the country, analyzed thousands of pages of official government records, federal energy data, as well as a survey of more than 50 electric utilities. Key findings from the study revealed:
- The industry’s security guidelines are written and enforced by an organization funded by the power industry itself. The number of security penalties it issued decreased by 30% from 2013 to 2014.
- Critical equipment, including transformers, is often visible in plain sight, merely protected by chain-link fencing and a few security cameras.
- Less severe cyber attacks occurred more often than once every four days.
As former chairman of the Federal Energy Regulatory Commission Jon Wellinghoff explains, the issue of power grid security becomes even more alarming considering its reliance on other physical equipment and a small number of critical substations. The result is the high likelihood of “cascading failures” – in other words, the failure of a single element requires energy to be extracted from other areas. If multiple operations fail simultaneously, this cascading effect could leave millions in the dark for days, weeks or even longer.

“Those critical nodes, in fact, can be attacked in one way or another,” said Wellinghoff. “You have a very vulnerable system that will continue to be vulnerable until we figure out a way to break it out into more distributed systems.”

Tripwire Senior Security Analyst Ken Westin adds that this risk continues to increase as more critical infrastructure becomes connected to IT networks, which are, in turn, connected to the Internet. "Most industrial control systems use antiquated software and protocols intended for stability and efficiency, not security, as these systems were not originally designed to be accessed by the modern interconnected networks we have today," said Westin.

Previous incidents impacting the industry have led to small yet essential steps toward improving the policies and procedures protecting the nation’s power grid. In 2013, a coordinated attack against Pacific Gas & Electric's Metcalf substation in northern California served as a wake-up call to the industry. As a result of the incident, FERC ordered the implementation of new rules for physical security, requiring utilities to identify potentially vulnerable critical infrastructure and map out security plans.
“It’s one of those things: One is too many, so that’s why we have to pay attention. The threats continue to evolve, and we have to continue to evolve as well.” –Cheryl LaFleur, Federal Energy Regulatory Commission Chairman
Additionally, PG&E announced a $100 million investment in 2014 over the next three years on substation security for several high-priority facilities, including enhanced intruder detection systems. The company also partnered with other utilities and industry associations to share information in a collaborative effort to identify new and innovative ways to further protect the electric power industry.

Nonetheless, records from hundreds of other recent incidents prove that similar weaknesses continue to threaten the security of thousands of electric facilities across the nation, opening the gate for more cyber and physical attacks to come.