By: Constance Douris, Contributor
If a mass power outage were to result from a successful cyberattack on the electric grid, national security and economic stability would be threatened. This is because hospitals, banks, factories, pipelines, financial networks, water systems, telecommunications and military bases would simply not function without electricity.
It is believed that Russia has used cyberattacks to penetrate the U.S. State Department, Department of Defense and the White House. China is also very active in cyber and uses viruses and botnets to access targets. Those same skills can be applied to hack the grid and potentially leave large areas of the nation without electricity.
Ukraine is an example of a country that had to shut down its grid twice in one year as a result of a cyberattack. The threat of such an incident no longer is hypothetical. Operators of the grid need tools to detect and correct malicious threats in networks before they cause serious damage.
The electric grid is adopting distributed energy resources to balance supply and demand. These third-party sources include renewable energy, energy storage, demand response and electric vehicles. Because all of these resources are interconnected and dependent on the internet and data to operate, they increase the cyberattack exposure of the grid.
Utilities already collect and store energy consumption data to bill customers for electricity. Imagine what kind of havoc would result if this information was altered or deleted due to a cyber hacker. Networks must be secure to protect such valuable data.
Energy consumption data is also valuable to industry in designing more products and services related to the grid. Such data allows companies to run algorithms and evaluate energy use to create new solutions and efficiencies. For instance, Oracle provides software services for consumers to reduce electricity consumption and FirstFuel offers energy analytics to reduce service costs.
These are just two examples of many companies that need energy data to create efficient solutions. They also highlight the value of energy information and how it must be protected from cyber threats to ensure authenticity.
The U.S. electric grid is made up of two systems. The first is the distribution system where utilities deliver electricity to customers. The second layer is the bulk power system which includes facilities and control systems necessary to operate an interconnected grid.
One vulnerability of the U.S. grid is that cybersecurity standards do not exist for the distribution system. This is particularly dangerous because the bulk power and distribution systems are linked. A successful cyberattack on one or two utilities could create a ripple effect, destabilizing electricity in large areas.
Government leadership is needed to create a grid equipped with adequate cyber protection. For instance, utility commissions determine what percentage of profits investor-owned utilities can retain. They also authorize which investment costs can be recovered through customers rates. Thus, utility commissions directly enable or hinder utilities’ ability to invest in cyber protection.
Utilities own, operate and generate revenue by managing grid resources. Thus, they should have the responsibility to seek and fund cybersecurity solutions to protect electricity availability. According to the research firm Zpryme, U.S. utilities will spend over $7 billion on grid cybersecurity by 2020.
Congress could also introduce legislation requiring a minimum level of cybersecurity for the distribution system. However, individual utilities must also have the freedom to tailor cyber solutions to their specific needs — each facility has unique network weaknesses and strengths.
Industry has created various solutions to boost cybersecurity for utilities. For instance,the Defense Advanced Research Projects Agency awarded Raytheon a contract to create products that provide warnings of possible cyberattacks. In addition, Raytheon provides solutions for operators to detect cyber threats in advance, before damage occurs.
Regulators and policymakers need to work together to determine cyber strengths and weaknesses on the grid. They must implement clear requests for solutions, such as mandatory cybersecurity evaluations and risk analyses, so that all utilities in the country understand their cyber vulnerabilities. Such awareness eventually leads to informed decision making and clear cybersecurity goals.
Adding decentralized energy resources to the electric grid will make it more efficient. However, they will also expand the attack surface for cyber threats. Policymakers and industry need to work together to identify weaknesses and deploy technologies to prevent malicious attacks from compromising critical infrastructure. Citizens should not have to worry about surviving without electricity due to a successful cyberattack on the grid.
(Raytheon is a contributor to my think tank).