The threat is very real: On New Year’s Eve, the Los Angeles Times reported that malicious software “tied to Russian intelligence agencies” was found on a laptop computer belonging to Burlington Electric, a utility that serves about 20,000 people in northern Vermont.
The laptop was not directly connected to the grid and no outages occurred. However, the incident is another indication of how vulnerable the grid is. Indeed, there is a long history of cyber-attacks on critical infrastructure. It’s an alluring target for hackers, whether they are state sponsored, members of organized crime or lone wolves. Taking out the grid impacts many people simultaneous. Such attacks are relatively easy since the control networks were designed before the utilities were online and therefore are inherently less insecure that networks built from the ground up with mass connectivity in mind.
The threats and dangers are pretty well known. There are at least two steps that energy managers can take: Deploy redundancy and become educated.
Renewable energy is potentially a partial answer simply because the infrastructure – which increasingly includes storage – has the side benefit of bypassing the grid. Clearly, it only is a partial and temporary solution. However, it is far better than having the lights go completely out. While a move to solar and/or wind energy buttressed by storage won’t be made solely because of its redundancy features, such capabilities certainly are a potent side benefit.
Education also is a key. The U.S. Department of Homeland Security (DHS) is, according to Signal, is “expanding and enhancing” is training to the government and private sector:
A mix of web-based independent study and instructor-led courses is designed to develop the knowledge and skills needed to implement critical infrastructure security and resilience activities. The unclassified courses are open to all U.S. operators, engineers and security professionals who play a role in securing the country’s infrastructure. The courses also are sometimes open to select international participants.
Some of the training occurs at the Idaho National Laboratory facility in Idaho Falls, which belongs to the U.S. Department of Energy (DoE). That part of the training replicates physical tanks, pumps, breakers, switches and email servers, the story says.
The prospects for private business are dire. Daniel Wagner and Dante Disparte, Managing Director and Founder and CEO, respectively, of Risk Cooperative used a column at Huffington Post to describe a continual game of whack-a-mole:
[D]oes an ordinary business stand a chance if hackers choose to penetrate its security system? Cyber-attacks are difficult to prevent, given the relative ease with which hackers can find a single system vulnerability, and the impossibility of plugging every conceivable security hole. Cyber-security professionals are in essence playing an endless game of cat and mouse, whereby a would-be attacker attempts to enter a system while security professionals attempt to defend a computer system from attack by applying continuous patches. The adversary then quickly moves to exploit the latest discovered vulnerability. That is why many computer security programs produce patches numerous times per day – even for home computers.
The reality is that energy managers must do three things: Understand that cyberattacks on their facilities or the grid likely will happen, educate themselves on how to react and, as best they can, deploy technology that will cushion the blow.