Hackers taking down the U.S. electricity grid may sound like a plot ripped from a Bruce Willis action movie, but the Department of Homeland Security has recently disclosed new details about the extent to which Russia has infiltrated “critical infrastructure” like American power plants, water facilities and gas pipelines.
This hacking is similar to the 2015 and 2016 attacks on Ukraine’s grid. While DHS has raised the number of the Russian utility-hacking incidents it detected from dozens to hundreds, it still maintains that this infiltration has not risen beyond scouting mode. Russia denies having any role in the hacking, yet the specter of Russian sabotage in the U.S. now seems more realistic than it used to.
Clearly, there’s no time to waste in shoring up the grid’s security. Yet getting that done is not easy, as I’ve learned through my research regarding efforts in to stave off outages in hurricane-prone Florida.
There is no way to completely protect the grid. Even if that were possible, utilities tend to adopt new and better security procedures after mishaps, boosting the chance that some attacks will succeed.
Say, for example, a power company is building a substation. The utility would disclose what it spent on construction, prove that it picked its contractors responsibly and explain how this new capacity is enhancing its service. The regulator then must decide what rate hikes, if any, would be reasonable – after hearing out everyone with something at stake.
Following this routine is harder with cyberdefense spending. Security concerns make it tough if not impossible for utilities to say what they’re doing with that money. Regulators, therefore, have a hard time figuring out whether utilities are spending too much or too little or maybe even wasting money on an unnecessary expense.
If regulators blindly approve these rate hikes, it can be an abdication of their duties. If they reject them, utilities get penalized for shoring up their security and then lose an incentive to keep doing the right thing.
To err is human
Even though the idiosyncrasies of utility regulation make cyberdefense a more complicated issue than it might otherwise be, tools to manage this risk are available.
Mitigating the damage that human error can cause in response to malicious attacks, for example, may not demand any spending beyond what it costs to teach workers at utilities and their contractors to refrain from blindly opening perilous email attachments, the avenue into the electricity system used by hackers in the 2015 Ukraine attacks and in the system breaches the government recently disclosed.
They also need to guard against so-called watering-hole attacks. According to the new DHS revelations, Russian hackers set traps in websites that utility vendors were known to frequent – many of which had insufficient cybersecurity measures in place. They then leveraged that access to steal the credentials they needed to worm their way into utilities’ systems.
Indeed, hackers delivered almost 94 percent of all malware in 2016 through email systems. Clearly, more widespread awareness of the need to keep an eye out for phishing attacks will help secure infrastructure.
Regulators have been studying strategies that might enhance cybersecurity. Standards are already in place in the U.S., Canada and part of Mexico for utilities to assess their capability to prevent or detect cyberattacks.
It’s also important that regulators recognize that securing systems is an ongoing process. It can never really end because as system security measures change, hackers devise new ways to circumvent them.
Grid resilience strategies can help to maintain service regardless of the source of the outage. For example, many utilities have invested in “self-healing” systems that isolate glitches in the grid and quickly restore service amid outages.
Here’s an example of how that works. During Hurricane Matthew in Florida, in 2016, Florida Power and Light identified a threatened substation and isolated it from the rest of the grid. This measure protected its customers by ensuring that outages at that substation would not spread.
Utilities can also create microgrids, or portions of the grid that can be isolated from the rest of the system in the event of an attack. Most of these systems have been designed to improve resilience in the event of natural disasters and storm events. But they can help defend the grid against cyberattacks as well.
Public concerns over grid security are more justified than ever. But I believe that minimizing the risk of a catastrophic infrastructure attack is within reach. All it will take is for utilities to educate their workers on system security while the government updates its rules and practices – and for everyone involved to keep doing what they can to avert outages of all kinds and to restore power as quickly as possible when outages occur despite those efforts.
Editor’s note: This article was updated on July 24, 2018 to add news regarding the scale of the hacking and the discovery that hackers used watering-hole attacks.
Newly revealed letter details Rudy Giuliani’s work for Fraud Guarantee company owned by indicted henchman
A newly revealed letter sheds light on Rudy Giuliani's work for Fraud Guarantee, a company founded by his indicted associates Lev Parnas and David Correia -- and the document has been handed over to investigators.
Fraud Guarantee circulated an investor letter last year that shows the company would pay the consulting firm Giuliani Partners up to $2 million for the first year and give the former New York City mayor equity in the company, reported the Wall Street Journal.
‘Where’s Melania?’ The View hosts blister first lady for ignoring ‘bully-in-chief’ Trump’s attack on Greta Thunberg
A discussion on Donald Trump's bitter Twitter attack on 16-year-old environmentalist Greta Thunberg, after she aced him out of Time Magazine's Person of the Year, caught the attention of the panelists on The View, who hammered both the president and the first lady after they both protested the mention of their teen son Barron just weeks ago.
After co-host Joy Behar read the president's tweet from Thursday morning where he proclaimed, "So ridiculous. Greta must work on her Anger Management problem, then go to a good old fashioned movie with a friend! Chill Greta, Chill!" she called the president out for being jealous of the teen for getting the Time magazine cover he so desperately wanted.
Supermassive black hole at the center of our galaxy may have a friend
Do supermassive black holes have friends? The nature of galaxy formation suggests that the answer is yes, and in fact, pairs of supermassive black holes should be common in the universe.
I am an astrophysicist and am interested in a wide range of theoretical problems in astrophysics, from the formation of the very first galaxies to the gravitational interactions of black holes, stars and even planets. Black holes are intriguing systems, and supermassive black holes and the dense stellar environments that surround them represent one of the most extreme places in our universe.