Here’s Why It’s Absolutely Crucial Utility Companies Put Cyber Security at the Forefront of Risk Management

State-sponsored cyber attackers have all the time and resources they need to probe and then inflict damage on critical infrastructure.
By: | February 4, 2019

There is vast computing power now available to individuals and companies. But guess what? State-sponsored cyber attacks have even more resources.

And unlike terrorists, they don’t want high-profile failures or obvious denial-of-service storms. Quite the contrary.

The general M.O. for state-sponsored attackers is to take months or years to probe for small weaknesses on broad fronts, then slowly link the small breaches and work inward. As Leo Tolstoy put it, “the two most powerful warriors are patience and time.” (терпение и время; terpeniye i vremya; patience and time).

So Far, So Bad

A 2017 cyber attack on a small construction company in Oregon was an early thrust in the broadest and heaviest known hack by a foreign government into the U.S. electric grid. The company is a subcontractor for regional utilities as well as government agencies.

In that case the attack was big but not particularly sophisticated. It set off so many alarms that U.S. officials took the unusual step in early 2018 of publicly blaming the Russian government. Still, some experts believe two dozen or more utilities were penetrated.

A reconstruction of the attack revealed a glaring vulnerability at the heart of the country’s electric system. Rather than strike the utilities head on, the hackers went after the system’s unprotected underbelly — hundreds of contractors and subcontractors like All-Ways who had no reason to be on high alert against foreign agents. From these tiny footholds, the hackers worked their way up the supply chain.

More Connected = More Vulnerable

The problem gets worse as the growth of distributed networks (the “Internet of Things” or IoT) create potentially critical issues. Consulting firm Wood Mackenzie estimated there are 30 million grid-connected devices already in U.S. homes, with millions more to come.

The company forecasts 88,000 megawatts (MW) of ‘residential flexible potential’ by 2023 (by way of context, the total generation capability of the Texas grid is just under 80,000 MW).

From a cyber security perspective, that means there are tens of millions of potential connections that can allow hackers to connect to utilities. It also means the bad actors don’t have to go after the utilities’ centralized and relatively well-protected control systems.

To destabilize the grid, hackers may soon have tens of thousands of megawatts of relatively unprotected distributed flexible devices they can manipulate.

Worst Case Scenario

A “Business Blackout” scenario by the University of Cambridge Centre for Risk Studies and Lloyd’s of London suggests a range of $61 billion to $223 billion in economic losses, depending on the number of affected generators and whether it took two, three or four weeks to restore 90 percent of the power.

Read More: Cyber Grid Attack: A Cascading Impact

“This is a real risk management issue facing the power sector around the world right now,” said Nick Beecroft, emerging risks and research manager, Lloyd’s of London, who worked on the “Business Blackout” project. But even more, he said, it is a risk that “all of society has to confront as more and more of our infrastructure and economy become connected to digital networks.”

A Cause for Hope

It’s not surprising that the risk of state-sponsored cyber attacks is very much akin to reports of secret weapons by rival nations — Russian plans to develop a submarine drone armed with a nuclear weapon that would be detonated offshore and cause a tsunami; or Chinese development of “aircraft-carrier killer” ballistic missiles.

Presumably by the time the public becomes aware, authorities are already working on countermeasures. And so it goes with cyber threats to the power, water, and communications infrastructure.

In the summer of 2018, the Department of Homeland Security warned utilities of a new infiltration that could cause blackouts.

“Grid operators have been working closely with government on this particular threat for the better part of the last year,” said Scott Aaronson, vice president of security and preparedness at the trade association Edison Electric Institute.

“We are keenly aware of those threats and have been working to mitigate them ever since they were communicated to us.” &

Gregory DL Morris is an independent business journalist currently based in New York with 25 years’ experience in industry, energy, finance and transportation. He can be reached at [email protected].