Cisco Blogs

Power Grid Security: Separating Reality from Hype

February 26, 2016

We’ve all seen the news reports on power grid vulnerabilities and the possibility of an impending terror attack. Recently, Ted Koppel’s book, “Lights Out,” caused a wave of press around the issue. Similar spikes in press occurred in the year after the PG&E Metcalf substation sabotage and around the National Geographic special in October 2013, “American Blackout.” There are both good points and some amount of exaggeration in the reporting on grid vulnerabilities, so I’ll be debunking a couple of power grid security myths.


What the Press Said

The Associated Press credits anonymous top experts for revealing about a dozen times in the last decade, “…sophisticated foreign hackers have gained enough remote access to control the operations networks that keep the lights on…”

Rather than anonymous “top experts” you can find the results of an authoritative investigation, with attribution, in the 2007 report, “Top 10 vulnerabilities of control systems and their associated mitigations,” from the North American Electric Reliability Corporation (NERC) Control Systems Security Working Group.

Headlines about the cyberattack on the Ukraine power grid greeted us at the start of 2016. Ars Technica reported, “Highly destructive malware creates ‘destructive events’ at 3 Ukrainian substations.” Utilities Telecom Council Security offered a slightly different perspective in the Risk and Compliance Digest from January 6, 2016:

“Some news media have speculated that the attacks were launched by or for Russia, in retaliation for Ukrainian activists’ attacks on the power supply to Crimea. That linkage will likely be impossible to prove or disprove.

At present there is not enough evidence to positively conclude that this was a cyberattack or who is responsible. Regardless, the outage is fact. The discovered malware includes updated versions of known tools such as KillDisk, which is not in itself malware, and BlackEnergy. However there is no smoking gun – no piece of malicious code that definitively caused the outage. Researchers have yet to rule out the possibility of insider collaboration in the attack, possibly working in tandem with the malware.”

Instead of panicking, let’s fact check some claims.

Myth #1: Our power system is aging and outdated.

The Associated Press warns that “Many of the substations and equipment that move power across the U.S. are decrepit and were never built with network security in mind…”


It certainly is the case that many of the capital assets that make up the United States grid infrastructure are used beyond their intended useful life of 25 years or longer. The initial operating licenses for nuclear power plants were for 40 years. Of course they were never built with network security in mind, because 40 years ago networks, if they existed at all, were local and limited (DECnet, Token Ring, etc.).

For reference:

The Hoover Dam was constructed in 1935.

The San Onofre Nuclear Generating Station (SONGS) Unit 1 started operation in 1968.

Cisco was founded in December of 1984.

Despite the age of these assets, utilities spend billions of dollars every year maintaining and upgrading electric power infrastructure to sustain the level of reliability we have come to expect.

For a closer look, watch this video of helicopter maintenance on an energized 765 kV line.

Myth #2: We are unprepared if the grid goes down.

Ted Koppel’s book primarily focuses on the potential consequences of an extended power outage, echoing the National Geographic special from 2 years earlier.

Ted states that “The Department of Homeland Security has no plans beyond those designed to deal with the aftermath of natural disasters,” and that “We are unprepared…” Both Ted Koppel and National Geographic begin by assuming that the grid has already been disabled for months, and use that assumed starting condition as the backdrop against which they tell the story of how unprepared we are for months without power.


The North American utility industry would disagree with the impression created by these writings that nothing has been done. They have spent billions implementing ever more stringent versions of NERC-CIP and other grid reliability measures.

In addition to NERC-CIP, they have taken the following actions:

  • Developed the NIST Interagency Report 7628, Guidelines for Smart Grid Cybersecurity
  • Conducted GridEx, GridEx II, and GridEx III to exercise crisis response and recovery
  • Complied with Presidential Order 13636 from February 2013 on Critical Infrastructure Security
  • Applied recommendations from Superstorm Sandy reports for grid resilience and response actions
  • Followed the Critical Infrastructure Security provisions in the 2016 budget bill just passed by the House

Is it enough? Can we relax?

As the famous quote goes, “Eternal vigilance is the price of liberty,” and in this case eternal vigilance is also the price of securing our critical infrastructure.

Despite what has been done to secure the grid, the industry remains too smug about the disconnected nature of many critical systems.

In doing so, they overlook the fact that some of the most successful and devastating cyberattacks have been carried out against systems that were not connected to the internet, the most prominent example being Stuxnet and the damage to the Iranian centrifuge capability.

Even though rifle bullets were fired into the high voltage transformers at the Metcalf substation, not a single PG&E customer lost power. That is the result of protections and redundancy that are an integral part of the grid’s design. Experience with wide area outages and cascading failures has driven constant improvement in control systems and design redundancy.

Is it perfect? Certainly not. Can it be improved? Definitely.

We continue to learn from each large outage or natural disaster. The analysis of the 2011 Southwest Blackout jointly issued by NERC and FERC is one example; the lessons learned from Superstorm Sandy are another.

The Bottom Line

While vulnerabilities in the grid remain, considerable investment, study, and effort are being expended to identify vulnerabilities and secure the grid from cyber and physical attacks.

Events like Superstorm Sandy and the sabotage of the Metcalf substation have caused Federal, State, and Local governments and regulators to rethink critical power requirements and develop plans that are tested during crisis exercises.

There is always more that could be done. These are very real and serious issues, and they are being taken seriously with planning, projects, and spending. That spending reflects a constantly shifting balance in how limited resources are allocated between the physical and cyber security of critical infrastructure and other pressing concerns, including renewable energy and affordable power.

How vulnerable do you believe the power grid is to attacks? Let me know in the comments section below.

To learn how to prevent power grid attacks, view our Power Grid Security solutions.


4 Comments

  1. We agree there is always more to be done. Complacency is not a friend when it comes to power grid security. Thank you for spelling this out in such an intriguing way. See also: http://goo.gl/DwceTS

    PS Do click on Rick's name to see other blog posts.

  2. The Night the Lights Went Out in Metcalf. While myths and urban legends take several years to formulate, current events and ICS-CERT alerts raise awareness immediately. It’s great to see the industry and PG&E (Pacific Gas & Electric) finally have detailed and open discussions on vulnerabilities within the electrical grid. Experienced salespeople use alerts as compelling events to highlight their pre-fabricated, selling hypotheses for executive buyers. Rookie salespeople use current events as starting discussion points on how their solutions-platforms lower risk to customers. Rick’s article provides a number of compelling starter points (Metcalf, Ukraine, ABC News, Associated Press, ICS-Cert, Stuxnet, etc.). Any of these examples can be left with customers to raise (quarterly) mindshare. Bottom Line: Knowledgeable salespeople leverage compelling events to advance buying discussions and strengthen their (strategic) customer relationships.

  3. After this article was posted, the Department of Homeland Security, at the ICS CERT website, https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01, has concluded that, "Through interviews with impacted entities, the team learned that power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers. While power has been restored, all the impacted Oblenergos continue to run under constrained operations. In addition, three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experience operational impacts."
