The vulnerability of our electric utility system to cyber attacks

Print Friendly
13th annual Cyber Defense Exercise (photo: West Point Academy)

13th annual Cyber Defense Exercise (photo: West Point Academy)

As our electric utility system is moving from dumb and centralized to smart and decentralized, it is becoming increasingly vulnerable to cyber attacks. Are utility executives paying sufficient attention to these serious new risks? Energy expert Allan Hoffman, a former senior official at the U.S. Department of Energy, says the SONY hacking case should serve as a wake-up call to the energy industry.

The hacking of SONY’s corporate web site demonstrates the increasing vulnerability of companies to digital hacking – a danger emphasized again by the recent hacking of U.S. Department of Defense web sites. Unless we take steps to adequately protect our web-connected systems from these interventions I fear we will pay a terrible price. Too many of our public systems are now remotely controlled by wireless networks, and someone bent on doing damage and who knows how to hack can make us hostage if our systems are penetrated. My concern is less with SONY than with our centralized electric utility systems that power our homes, businesses, hospitals, water supply systems, and many other aspects of modern life.

Is it difficult to provide this cyber protection? The simple answer is yes, for several reasons: the growing numbers of wireless networks and cyber hackers, the cost of counteracting malicious hacking, the lack of newly trained professionals to address the hacking issue, and what I have long considered a major problem: the inability to focus enough attention on cyber security issues.

Capable hackers

Let me discuss each of the barriers in order.

Wireless networking is growing because it offers many advantages – reduced wiring requirements and related costs, remote operation and reduced manpower requirements, ability to monitor more variables continuously and control systems to a finer degree. Disadvantages arise when inadequate attention is paid to preventing hacker penetration into the network, thus allowing disruption of normal operations or allowing hackers to take control of the network. Also, the number of capable hackers is increasing rapidly.

Many schemes have been proposed for restricting unauthorized access to a network, usually using passwords, but often these passwords are not adequate to stop an experienced hacker and most people are resistant to remembering long, complicated passwords. Many companies are also not yet convinced of the need to spend the money on sophisticated protection systems, and some may see the consequences of a hacking as less costly than the required investment. At some level we can all relate to this mindset.

The U.S. Air Force is the largest single user of aviation fuel in the world

Costs are inherent in any attempt to prevent hacking, ranging from software and hardware costs to labor costs. There is some indication that SONY, an electronics company, spent too little on protection costs by underestimating the potential threat to its cyber systems. It is a mistake it won’t make again, and should serve as a wake up call to other corporate and government bodies.

The trained manpower issue is a critical one. As a vice president of Oracle Corporation noted in Congressional testimony: the vast majority of people available today to address cyber security issues are the ones who designed and implemented the current vulnerable information technology system. Should they be the ones to try and fix it, or do we need newly-trained cyber experts who are not so closely linked to today’s operating modes? Clearly there are people who have the requisite high level skills – think NSA – but are they available broadly on a global basis? Looks like a good field to get into as soon as possible.

Finally, let me address the issue of lack of attention to cyber security issues. I come to this discussion with some personal experience. Several years ago I served on a Department of Defense (DoD) committee reviewing energy proposals for military buildings and bases. Other members of the committee were from the various military services and the DoD Secretary’s office. DoD has always taken an interest in energy issues as a large part of their costs are energy-related – e.g., DoD maintains more than 500 buildings globally and the U.S. Air Force is the largest single user of aviation fuel in the world.

Many of the proposals we reviewed were for wireless networks on military bases that needed to go independent of the grid at times of grid failure or other times of emergency. Many of the proposals were technically sound, proposing wireless networks on bases that could switch to power sources on the base that were independent of the grid when needed (solar, wind, geothermal, minihydro, diesel) and making sure priority loads were covered first. These networks also allowed continuous monitoring of energy systems and improved energy efficiency on the bases at all times.

When I first raised the issue of network vulnerability to hacking I received a cordial hearing but no follow through. In year two, making a pest of myself again, there seemed to be more of an interest in potential hacking problems, perhaps stimulated by the reports of U.S. drones in Afghanistan transmitting unencrypted video signals to troops on the ground that were available both to the U.S. troops and the enemy troops the drones were tracking. I finally gained some traction in year three when the committee seemed more interested in requiring hacking protection in the proposals. Today the issue is hopefully more appreciated and getting much more attention.

Dumb system

Let me now tie all these concerns to our electric utility system. Today, and for most of the past century, it has been a highly centralized grid system where large central power plants distributed electricity radially via high voltage transmission lines and lower voltage local distribution lines. It was a ‘dumb’ system with little overall control and when one part of the grid went down lots of people lost their electricity supply until the grid problem could be fixed.

My impression is that until fairly recently utility executives were not paying sufficient attention to cyber security issues

Today we are developing a ‘smart’ grid with lots of electronic controls that allow isolation of problem areas to minimize the number of people affected, that facilitates transfer of power from one grid region to another, and that allows utilities access to consumer homes and businesses for better balancing of supply and demand. These ‘smart grid’ features offer many advantages to suppliers and consumers, ranging from improved energy security to reduced costs.

The downside is that electronic networks controlling these various features of the smart grid can be penetrated by sophisticated hackers, and my impression is that until fairly recently utility executives were not paying sufficient attention to cyber security issues. I hope this is no longer the case, but we all know of utilities that have underinvested in protecting their systems – e.g., Pepco in the Washington, DC/Maryland area who underinvested for years in trimming back trees that could fall on and disrupt power lines during storms.

The sooner we can begin to address these issues in a serious manner the more secure our energy systems will be. At this point we are highly vulnerable to physical sabotage attacks on our exposed power transmission line infrastructure and hacking attacks on our utility control networks. This is true in the U.S. and elsewhere. Let the SONY situation serve as the needed wake-up call.

Editor’s Note

Allan Hoffman worked at the US Department of Energy (DOE) in Washington DC for many years in various top-level policy and management positions.  He obtained his Ph.D in solid state (now condensed matter) physics at Brown University in 1967. He retired in 2012. 

Hoffman writes a blog, Thoughts of a Lapsed Physicist, in which he shares his perspectives on energy and related issues, based on his long years of experience in science and with the US government. 

He earlier wrote a blog post on cyber security: Vulnerabilities of U.S. Infrastructure: We Need To Pay More Attention 

For his earlier writings on Energy Post, see his author’s archive.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>