Because it’s so huge and so dependent on digital communication and computerized control software, the United States electricity grid is difficult to defend. And as a growing number of Internet of Things (IoT) devices continue to connect to smart grid systems, the number of potential targets grows as well.
Earlier this year, Russian hackers penetrated the computers of multiple U.S. electric utilities and were able to gain access to critical control systems, including privileges capable of causing power outages. They breached the system with common hacking techniques, including the use of “spear phishing” emails to targeted employees and credential gathering.
While human error inevitably weakens the security of some of the thousands of digital devices needed to protect the grid, there’s no doubt that sophisticated hackers could find and exploit unknown vulnerabilities. That’s why it’s important for electric utilities, grid operators, and vendors to remain vigilant, deploying multiple layers of defense.
Who’s At Risk?
Since major players are required by U.S. federal rules to follow certain basic cybersecurity measures, smaller and midsized electricity distribution companies with inadequate resources to invest in full cybersecurity protections tend to be more vulnerable.
There are more than 3,000 utilities in the United States. Finding sufficiently skilled workers who understand how the computerized and physical components of the grid work together and how to protect them is an ongoing challenge for them.
Additionally, these utilities rely on complex supply chains for equipment, software, maintenance, and other business functions, and there’s no way to ensure that those partners are implementing protections as rigorous as the utilities. Connecting to a vendor’s supposedly trusted and safe computer systems opens utilities to even more potential avenues of attack.
In an article published in The Conversation, the authors make the following suggestions for fixing these potential issues:
- All utility companies, even the smallest, should adopt basic security protections like those required of large utilities.
- All companies that are part of the grid should participate in coordinated grid exercises to improve cybersecurity preparedness and share best practices.
- All utility companies should take steps to ensure the hardware and software they use are from trustworthy sources and have not been tampered with or modified to allow unauthorized users in.
- Companies should ensure they engage in ongoing processes that let systems and staff adapt over time to stay ahead of the threats.
- Researchers must explore ways that emerging technologies like cloud computing, blockchain, and big-data analytics could play a role in reducing risks without introducing additional weaknesses.
- Researchers should identify more advanced ways to secure the grid, and reduce these systems’ complexity in order to limit current and unknown risks.
What Can You Do?
Get yourself and your team up to speed on the latest smart grid technologies. Modernizing the Smart Grid is a four-course program coming soon from IEEE, developed by experts in the field to help organizations face one of the biggest frontiers in electrical engineering today. Pre-order this program today, or request information from an IEEE Content Specialist.
Govindarasu, Manimaran, and Hahn, Adam. (7 Aug 2018). As Russians hack the US grid, a look at what’s needed to protect it. The Conversation.
(15 Mar 2018). Alert: Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. United States Computer Emergency Readiness Team.