Utility officials wary of cyberattacks but say lengthy widespread outage is 'implausible'

Feb 24 - Urgent Communications

 

Developing protections and responses to cyber threats is a priority for utilities, but industry and regulatory efforts make it unlikely that the kind of widespread power outage contemplated in a book by renowned journalist Ted Koppel could happen to the U.S. power grid, key officials said during a recent webinar.

In his book, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, Koppel examines the notion that the aging U.S. electric grid is susceptible to a cyberattack that could result in a widespread power outage that could last for months, wreaking havoc across the nation. Koppel reiterated the significance of the cyber threat on the U.S. power grid during a pre-recorded interview with Martin Rosenberg—editor of The Energy Times—that was played at the beginning of a webinar, which is available on demand.

“I can’t think of any more critical utility through the nation than the electric power grid,” Koppel said during the interview. “Everything else—whatever you want to consider, whether it’s communication, transportation or the banking system—is helpless without electricity.”

The power grid’s interconnectivity—a major strength of the electric system—also is a significant vulnerability, particularly as remote access to critical components becomes more commonplace and the threat of cyberattacks increases, according to Koppel. While the most powerful nation states such as the U.S., China and Russia have this capability, the fear of reciprocity likely prevents them from using their cyber capabilities to take down a power grid, just as they are reluctant to use nuclear force on each other.

What makes the notion of a power-grid cyber threat especially dangerous is that—although such an attack would be “incredibly complex” to execute—powerful nation states are not the only entities with the ability to launch an attack, according to Koppel.

“I refer to the Internet as—in addition to its many virtues—a weapon of mass destruction. This is unlike any weapons system that has ever existed before,” Koppel said.

“In the past, weapons of mass destruction have only been available to—and usable by—governments. Today, a group like ISIS doesn’t have an air force, doesn’t have a navy. It doesn’t have access to missiles. It is capable only of terrorism. But, as we’ve seen, even the sort of a retail terrorism of which they are engaging can be enough to absorb the attention of a nation like France or a nation like the United States.

“Imagine for a moment, with the capacity to inflict enormous damage on the United States from outside our borders by a single person—theoretically—using a laptop computer. And, with the understanding that it can be very difficult to track down in short order the source of a cyberattack, this is something we have never experienced before. We’re totally unfamiliar with it.”

But key players in the utility industry said they believe Koppel’s scenario of a large-scale power outage for an extended period of time is not realistic, in large part because of the efforts that industry and government officials have taken.

“At the end of the day, the grid is a very resilient piece of infrastructure—there is significant diversity in equipment and configurations, both within and across companies in the electric sector,” Caitlin Durkovich, assistant secretary for infrastructure protection at the U.S. Department of Homeland Security (DHS), said during the webinar. “At the end of the day, I think a nationwide blackout from a cyberattack is implausible.

“While there are vulnerabilities, there are significant layers of defense in place. And, at the end of the day, there is an operator sitting in a control room who can go flick a switch or make the fixes necessary to certainly divert the load. So, I think that Mr. Koppel’s assertion is highly implausible.”

Gerry Cauley, president and CEO of the North American Electric Reliability Corp. (NERC), agreed but acknowledged that cyber threats against the U.S. power grid are very real.

“It is extremely unlikely, but I do think that it is prudent for us to be concerned,” Cauley said. “I think it is prudent for us to think in terms of worst-case [scenarios], and that’s why we do take such extreme measures in terms of playbook planning, coordination among agencies and [grid exercises of attack scenarios] to make sure that we understand our roles and responsibilities and what a large-scale crisis looks like.

“So, we do remain concerned about it, but it is extremely unlikely.”

Kevin Wailes, CEO of Lincoln Electric System in Nebraska, echoed this sentiment and said that the utility industry is known for taking steps to recover quickly from incidents that result. As an example, Wailes noted that the power grid was able to withstand a 2013 sniper attack on a Metcalf Transmission substation in California.

“I think it’s important to note that—in the Metcalf instance, as an example—there was no interruption of load associated with that incident, even though it was a major substation,” Wailes said. “The redundancy that is in the system—both with respect to the transmission-and-distribution structure, but also with respect to generation and reserves—is significant.

“Although it is extraordinarily important that we evaluate and prepare to respond to those worst-case scenarios, what the industry does on a routine basis—and we’ve been doing it for years, whether it is an ice storm or a hurricane—we basically respond to and address outage types of events. [We] probably practice it more than virtually any other industry.”

During the webinar, speakers acknowledged that there is no “silver bullet” solution to the cyber threat on utilities, but they noted that government and industry officials continue to develop and enhance a multi-layered program designed to reduce the likelihood of a successful cyberattack and enable a quick response that limits any damage.

“You’ve heard all of my esteemed colleagues on this panel talk about the reality of a multilayered approach, because they need to protect, detect and mitigate—not just one or the other,” said Edna Conway, Cisco Systems’ chief security officer for the global value chain. “To me, the innovation lies in the early real-time detection, so that the mitigation can in fact be implemented on a risk-based approach.

“Realistically, you can’t affect everything. But, if you get real-time automated anomaly detection—and we’re seeing some of that in the Internet of Things and Big Data calculations—that allow an operational-level view real time and awareness to things that may not yet be a security breach but are anomalous and need further investigation.”

With this in mind, the U.S. Department of Energy has announced a $23 million research program to help find solutions that can detect efforts to attack the grid and accelerate appropriate responses to them, according to Patricia Hoffman, assistant secretary for the Office of Electricity Delivery and Energy Reliability at the Department of Energy (DOE).

“We’re looking to partner with industry on some ideas that could be game changers for the industry in developing advanced capabilities and capabilities to mitigate and respond to cyber events,” Hoffman said. “Where we’re at is really trying to dive down into abnormal behavior and then get into some proactive stances for the industry in solving problems.

“But this is all part of a larger effort, where we’re looking at grid monitorization in general. There are multiple risks to the electric grid—whether it’s climate, whether it’s cyber, whether it’s weather or physical security—and we do need to modernize our grid at large.”

In its efforts to make the power grid as reliable as possible, the utility industry faces many of the same issues as other enterprises in terms of trying to balance the importance of security against enhancing functionality, access and ease of use by employees and contractors.

“Remote access is a part of the business in power operations,” Cauley said. “If you can imagine a vast grid, and we have contractors and vendors who help support the testing and maintenance, and we have workers all over the place who want to tap into portions and do their work, maintenance and testing.

“It is also a path for risk and exposure, so I think the [NERC] commission is correct in being concerned about that. All utilities have a good set of controls and procedures about who has access to these remote points and reviewing, in terms of contractor access and so on. So, the dialogue we’re having with the commission around the standard is how limiting and how tightly the controls need to be around that remote access.

“The disadvantage of tightening further is that it makes it harder to get the work done, make it more expensive and a cost factor, but it limits how effectively you can take advantage of the technologies that are available. So, it’s one of those tradeoff things of access and security versus cost, expedience and efficiency and being able to maintain the equipment and take care of it and make sure that the system is reliable.”

http://www.energycentral.com/functional/news/news_detail.cfm?did=38855022