Could cyberspies bring down the U.S. electricity grid? Will the push to make that grid smarter reduce or enhance that threat?
A report from the Wall Street Journal on Wednesday, citing unnamed U.S. intelligence officials who claim that spies have hacked into power grid systems and left software meant to disrupt them, is sure to add fuel to the debate.
Chinese and Russian spies are among those suspected of the intrusions, unnamed officials said. While they didn't give details on how the nation's electricity grid had been compromised, they did say the intrusions fit into a broader pattern of spies seeking to find ways to disrupt military, government and other information and computer networks.
But the billions of dollars now being spent to bring two-way communications and controls to large swaths of the U.S. electricity transmission and distribution grid – the essence of the so-called "smart grid" – could open up some new avenues for malicious actors to tamper with the grid, security experts warn (see Smart Meter Installations Grow Nearly Fivefold and Security Concerns Behind Slowdown in Itron Rollout?).
One such avenue was raised last month by security firm IOActive, which claimed it had proven that networks of smart meters, which allow two-way communications and controls between customers and utilities, could be hacked to boost or cut power to millions of homes at once. That could crash the grid, all with as little as $500 worth of equipment and the proper training, the firm said.
Still, on balance, adding smart grid technologies should increase, not detract, from the grid's overall security, experts at the Electric Power Research Institute (EPRI), a utility industry group, said Tuesday.
Utilities and companies seeking access to the $4.5 billion in stimulus package matching grants set aside for smart grid projects are sure to be putting such security concerns at the top of their to-do list, they added.
EPRI was just awarded a contract to develop a "smart grid interoperability roadmap" for the National Institute for Standards and Technology, the government agency that will be setting ground rules on what the government will require from smart grid projects.
While that roadmap won't be developed in time to affect how the $4.5 billion in smart grid stimulus grants will be given out, it will influence future decisions – and "cybersecurity requirements and standards will be a huge part of that," said Mark McGranaghan, director of power delivery research at EPRI.
And with proper security in place, things like smart meter deployments, distribution automation and integration of legacy utility systems will "make the grid stronger and more dynamic," rather than more vulnerable, said Brian Seal, senior project manager with EPRI.
It's important to note that large swaths of the power grid are already automated, often with decades-old technology, Seal said.
"There are switches upstream – switches on feeders, on entire transmission sections – that are remotely controllable via communication systems, and have been for many years," he said. "A malicious person could trip one of those and affect huge numbers of end users in a single stroke."
But those systems aren't likely to be interconnected with corporate networks or the Internet at large, McGranaghan said. That means that they'll continue to be hackable mainly through old-fashioned "social engineering" methods – in other words, fooling an insider into giving away access information or other such types of human-to-human con jobs.
Of course, some utility legacy systems are slowly being integrated with corporate networks or the Internet, and that does open them to potential cyber-attack, said Madhava Sushilendra, a senior project manager with EPRI.
But utilities that are switching over to new information systems are also gaining the wealth of security experience that the banking, medical records and other industries have been developing for more than a decade, he added.
As for the software that alleged cyberspies had installed with the aim of disrupting parts of the U.S. power grid, as described in the Wall Street Journal, McGranaghan and the other EPRI experts weren't familiar with when or where they had been placed or how they might disrupt the grid.
The North American Electric Reliability Corp. (NERC), the regulatory agency taking responsibility for setting security standards for some utility operations, said Wednesday that it was unaware of any cyber attacks that have threatened the power system to date.
But Sushilendra noted that utilities currently don't have any means by which they must report such security breaches, although NERC is working on a system for doing so.
Even so, installing malicious "Trojan horse" software couldn't do things like set off a blackout by opening and closing breakers, he said.
"One has to have complete knowledge [of the system] and actively hack into the system to do things like" that, he said.
Seal added that the nation's electricity distribution system is highly decentralized, leaving would-be cyber attackers a limited range of influence.
"There is no Internet-like interconnected machine here, where you sort of get in behind a firewall, and then you've got nationwide" control of electricity transmission, he said. "The systems are very isolated from an intelligence and communication point of view."
As for the IOActive claim that smart meters open a new front for hacker-caused blackouts, Seal noted that the firm was likely testing smart meter deployments that are now in early stages, in which security functions may not be turned on.
Fully implemented smart meter systems are expected to have the same security protections as those in place for the nation's banking industry and transportation networks, he said.
Utilities are "taking baby steps, creeping forward and taking every effort to lock these systems down," he said. "They are very aware that a misstep could set things back 20 years – and they do not want to make those missteps."