According to the U.S. Energy Department, direct physical attacks on U.S. power grids rose 77 percent last year to 163, a record high. Reliable electricity underpins the convenience of modern life and is a crucial input to America's economy, yet citizens take it for granted and rarely think about it. The uncomfortable reality is that the grid has become a rapidly growing target for criminals, including cybercriminals, and it would be no great surprise if the list of culprits eventually includes some of the same adversaries already behind many other high-profile attacks.
Power Grid Cybersecurity
Energy is one of the 16 sectors that the Department of Homeland Security has identified as critical infrastructure in the U.S. It is arguably the most important, because it supplies the energy required to power every other essential infrastructure sector. Regrettably, the electric grid is insufficiently secure against both physical attacks and cyber intrusions.
Past Cyberattacks on Critical Infrastructure
When there is a disruption in the electrical grid, it is usually a short-lived inconvenience. But what if an outage engulfed not a confined area but a wide swath of the country, and the power stayed out for a week or more? Much of daily life would freeze, and casualties would become likely. Minor annoyances, such as being unable to recharge a phone or get online, would quickly give way to graver problems: no drinking water, no household heat or air conditioning, and possibly no fuel for automobiles or generators, since pumps need power. Local and national emergency systems, including the ability to call an ambulance, might be inoperative as well.
Since last September, attacks have been reported on 18 substations and a power plant in Florida, Oregon, Washington and the Carolinas. The attacks underscored the vulnerability of the U.S. electric grid, which keeps electricity flowing across more than 470,000 miles of circuits and includes more than 7,300 power plants, 160,000 miles of high-voltage power lines and 55,000 transmission substations.
Substations, which step voltage up so that it can flow efficiently over long transmission lines and step it back down for local distribution, are the most frequent targets. Most sit in rural or semi-rural areas, often behind nothing more than a chain-link fence, and are typically unguarded.
Two of the biggest power grid attacks occurred in December: about 45,000 customers were left in the dark in North Carolina for days early that month, and two weeks later about 14,000 customers lost power in the state of Washington. The perpetrators of the Washington outage were arrested in early January and charged with the crime. They told police that they cut the power so they could burglarize a business.
Most of the time, however, the criminals are not caught, which leaves one to wonder about the motive for many attacks. A number of authorities have posited that domestic extremist groups are often the culprits in a bid to sow unrest by taking down swaths of the grid.
What is certain is that the number of attacks is increasing: more than 100 in 2022, the highest count in a decade. One small piece of good news is that state legislators are taking notice, including in North Carolina, South Carolina and Arizona, where bills have been introduced requiring 24-hour security at substations or imposing tougher penalties for damaging them.
The federal government is looking hard at the issue as well, although there is considerable room for improvement. As the lead federal agency for the energy sector, the Department of Energy (DOE) has developed plans to implement a national cybersecurity strategy for protecting the grid. The Federal Energy Regulatory Commission (FERC), which regulates the interstate transmission of electricity, has approved mandatory grid cybersecurity standards (the NERC CIP standards discussed below).
At this juncture, however, neither plan fully incorporates all the key characteristics of an effective national strategy. For example, both plans lack a requirement for a complete assessment of cybersecurity risks to the grid. That gap could prove troublesome if an organized cybercrime group, with far greater financial wherewithal than the vandals seen so far, decides to enter the fray. Such groups may be experienced in ransomware operations, but they lack experience with this kind of target, and a clumsy intrusion could cause far more damage than originally intended.
A carelessly directed attack might conceivably cascade into a blackout covering a large part of the U.S. (a true coast-to-coast outage is unlikely, since the country's three major interconnections are only loosely coupled, but a regional cascade is not). Alternatively, an attack that disables communications at a control center, which oversees a broad territory, could disrupt long-haul electricity transmission without touching a single substation.
Another problem with organized adversaries is that evidence of who the perpetrators are is often only circumstantial. Even in some of the biggest cases, attribution rests on allegations and indictments rather than convictions. Beginning in 2014, for instance, attackers allegedly working for the Chinese government penetrated the federal Office of Personnel Management (OPM) and stole personal information on roughly four million federal employees, a figure later revised to more than 21 million people. A few years later, the Department of Justice announced charges against four members of China's People's Liberation Army for the 2017 breach of the consumer credit reporting agency Equifax.
Russia, too, has come under blame. It was accused, for instance, of interfering in the 2016 presidential election, and it is widely held responsible for the December 2015 cyberattack on Ukraine's grid that cut power for several hours to about 230,000 customers. Those attributions rest on government assessments and indictments, however, and have never been tested in court.
Many power grid experts anticipate new records for grid attacks this year and thereafter. Some note that individuals and extremist groups online have already signaled attacks on electricity infrastructure as part of their playbook. At the same time, as more wind and solar plants spring up, each brings its own remotely managed inverters and control links, and therefore more entry points for attackers.
While a comprehensive cybersecurity protection plan is not yet part of the DOE and FERC proposals, it should rise to a level of urgency as new initiatives are developed to protect this vulnerable critical infrastructure sector.
Cybersecurity Solutions to Protect Power Grids
Cybercriminals may be inventive, but so are cybersecurity solution providers. As this issue becomes a growing priority for the energy industry, companies like Fortra's Tripwire are developing new ways to harden industrial systems against intrusion. Industrial operators can now define a hardened baseline for each asset, monitor it for drift, and map the resulting controls to frameworks such as MITRE ATT&CK and the Center for Internet Security Critical Security Controls alongside the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards, using automated tools like Tripwire® Enterprise. If you'd like to learn more best practices for protecting critical infrastructure against cyberattacks, read Navigating Industrial Cybersecurity: A Field Guide.
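To make the "enforce a baseline and detect drift" idea concrete, here is an added example of the kind of check such tooling automates. It is illustrative code written for this page, not Tripwire's product code. The host name, ports, services, file contents and the loose NERC CIP requirement labels are all assumed for illustration; a real assessment would pull them from an operator's own baseline and compliance program.

```python
"""Baseline-drift check for a hypothetical substation HMI host (illustrative only)."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "golden" file contents for the hypothetical host sub-hmi-01 (not real data).
GOLDEN_FILES = {
    "/opt/hmi/config/points.xml": b"<points><point id='1' addr='40001' rw='ro'/></points>",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
}

# Approved state: which ports may listen, which services may run, what config files
# must hash to, and the minimum password length. CIP labels below are an assumed mapping.
BASELINE = {
    "host": "sub-hmi-01",
    "listening_ports": {22, 502, 20000},          # SSH, Modbus/TCP, DNP3
    "services": {"sshd", "modbus-gw", "dnp3-master"},
    "file_hashes": {path: sha256_hex(data) for path, data in GOLDEN_FILES.items()},
    "password_min_length": 8,
}


def build_snapshot(host, listening_ports, services, files, password_min_length):
    """Normalise an observed host state into the same shape as BASELINE."""
    return {
        "host": host,
        "listening_ports": set(listening_ports),
        "services": set(services),
        "file_hashes": {path: sha256_hex(data) for path, data in files.items()},
        "password_min_length": password_min_length,
    }


def check_drift(baseline, snapshot):
    """Compare a snapshot to its baseline; an empty list means no drift was found."""
    findings = []

    def add(control, severity, detail):
        findings.append({"host": snapshot["host"], "control": control,
                         "severity": severity, "detail": detail})

    # Unexpected open ports are the classic sign of a new remote-access path.
    for port in sorted(snapshot["listening_ports"] - baseline["listening_ports"]):
        add("CIP-007 R1 ports and services", "high", f"unexpected listening port {port}")
    for port in sorted(baseline["listening_ports"] - snapshot["listening_ports"]):
        add("CIP-007 R1 ports and services", "medium", f"expected port {port} not listening")

    for svc in sorted(snapshot["services"] - baseline["services"]):
        add("CIP-010 R1 baseline configuration", "high", f"unexpected service {svc}")
    for svc in sorted(baseline["services"] - snapshot["services"]):
        add("CIP-010 R1 baseline configuration", "medium", f"expected service {svc} missing")

    # File integrity: every baselined file must be present and hash-identical.
    for path, golden in baseline["file_hashes"].items():
        current = snapshot["file_hashes"].get(path)
        if current is None:
            add("CIP-010 R1 baseline configuration", "high", f"baseline file {path} missing")
        elif current != golden:
            add("CIP-010 R1 baseline configuration", "high",
                f"{path} changed (sha256 {current[:12]}...)")
    for path in sorted(set(snapshot["file_hashes"]) - set(baseline["file_hashes"])):
        add("CIP-010 R1 baseline configuration", "medium", f"unbaselined file {path}")

    if snapshot["password_min_length"] < baseline["password_min_length"]:
        add("CIP-007 R5 system access control", "medium",
            f"password min length {snapshot['password_min_length']} "
            f"< {baseline['password_min_length']}")
    return findings


def demo_drifted_snapshot():
    """Constructed drift: telnet enabled, points file made writable, password policy weakened."""
    files = dict(GOLDEN_FILES)
    files["/opt/hmi/config/points.xml"] = b"<points><point id='1' addr='40001' rw='rw'/></points>"
    return build_snapshot("sub-hmi-01", {22, 23, 502, 20000},
                          {"sshd", "modbus-gw", "dnp3-master", "telnetd"}, files, 6)


if __name__ == "__main__":
    for f in check_drift(BASELINE, demo_drifted_snapshot()):
        print(f"[{f['severity']:6}] {f['control']}: {f['detail']}")
```

The point of the structure is that the baseline, not a signature list, defines "good": anything that deviates is a finding, whether it came from an attacker, a vendor technician or an unreviewed change, and each finding carries a requirement label so it can be triaged against the operator's compliance obligations.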
About the Author:
Robert Ackerman Jr. is the founder and managing director of AllegisCyber Capital, an early-stage cybersecurity venture capital firm based in Silicon Valley. He is also co-founder and a board director of DataTribe, a seed and early-stage foundry, based in Fulton, Md., that invests in young cybersecurity and data science companies.
Bob has been recognized as a Fortune 100 cybersecurity executive and also as one of “Cybersecurity’s Money Men.” Previously, as an entrepreneur, Bob was the president and CEO of UniSoft Systems, a leading UNIX systems house, and founder and chairman of InfoGear Technology Corp, a pioneer in the original integration of web and telephony technology.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Achieving Resilience with NERC CIP
Explore the critical role of cybersecurity in protecting national Bulk Electric Systems. Tripwire's NERC CIP Solution Suite offers advanced tools for continuous monitoring and automation solutions, ensuring compliance with evolving standards and enhancing overall security resilience.