Protecting power grids from cyberattacks has become a significant challenge around the world. State-sponsored hacking teams have been attacking power stations and other parts of the power grid for years. In a move to protect the US power grid, President Trump has signed an executive order that bars US power grid entities from buying and installing electrical equipment manufactured outside the US.
In the executive order, President Trump writes: “Foreign adversaries are increasingly creating and exploiting vulnerabilities in the United States bulk-power system, which provides the electricity that supports our national defense, vital emergency services, critical infrastructure, economy, and way of life.
“The bulk-power system is a target of those seeking to commit malicious acts against the United States and its people, including malicious cyber activities, because a successful attack on our bulk-power system would present significant risks to our economy, human health and safety, and would render the United States less capable of acting in defense of itself and its allies.”
It is not the first time the US has attempted to shore up its power grid. Last year, Kate O’Flaherty reported in Forbes that the US Government was resorting to using “retro” technologies to protect power grids. It came after several reported attacks against US Critical National Infrastructure (CNI). The thinking was that manual systems would make cyberattacks more difficult.
Power Grids under attack worldwide
Nation-state attackers, both those sponsored by states and those that are part of national cyber teams, are attacking power grids around the world. Most countries are seeing a significant increase in attacks. Like other countries, the US is both a defender and an attacker of power grids. Last year, the New York Times reported that the US was stepping up its cyberattacks on Russia’s power grids. It was seen as a warning to Russia to rein in its attacks against the US CNI.
Cyberattacks against the power grid in Ukraine have caused multiple outages in the last three years. The National Cyber Security Centre (NCSC) in the UK has also issued multiple warnings over attacks on CNI.
One of the challenges of defending any CNI, let alone power grids, is the parlous state of cyber defence. This is about more than training. Processes and regulators have to do more to improve security. The EU published the Network and Information Security (NIS) directive to provide a better framework. As Bernard Parsons, CEO, Becrypt, points out, it is a good start but more needs doing.
Old equipment is hard to identify
CNI is unlike corporate computing. The longevity of systems means that they are open to attack for much more extended periods. Many of those older components were not designed to be updated and use old protocols, which makes securing them difficult.
Aleksander Gorkowienko, Managing Consultant for Spirent Communications, explains. “It means combining old interfaces, old protocols with new ones and many are in clear text because that is how they were designed 20 or 30 years ago and no-one thought about security at that time.” Gorkowienko also points out that organisations are struggling to identify many of those older systems.
As part of the executive order, the US is creating a new working body to look at the equipment used in the US power grid. The goal is to identify all equipment that is foreign-made and at risk of being exploited. It brings together teams from the departments of Energy and Defense, Homeland Security and National Intelligence among others.
What isn’t clear is whether this also includes equipment created by companies that are now foreign-owned, such as Westinghouse. It was one of the major players in the US nuclear power industry. Last year, Toshiba sold its US-based nuclear business to a Canadian company, Brookfield.
It is also worth asking how the teams will identify all the affected equipment. The US power grid is complex, and there are a lot of small power generation companies. It could take years or even decades to document what exists, where it is, and the risks it poses.
A new task force to set future standards
The executive order sets out the creation of the Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security. It will set out the standards for future procurement of equipment for the US power grid. It is a multi-agency body that has been given a year to report on what is needed going forward.
The Task Force will also investigate the power distribution system to see how secure it is. Many of the attacks that have been seen in the past two years have not necessarily been against generators. Taking down the distribution network can have far-reaching consequences and can cause power plants to shut down to prevent overloads.
Who will pay for updating and replacing the US power grid?
How will affected equipment be replaced or secured? Who will pay for this? Private companies? It is unlikely, given the costs likely to be involved. One of the biggest power generators in the US, Pacific Gas and Electric, has struck a deal that means it should emerge from bankruptcy in June. It is already struggling with the costs associated with replacing older equipment. Any additional charges could push it back into bankruptcy.
There are also significant questions as to where the US will get the replacement equipment. It does not have the manufacturing or skills base to create all the replacement equipment.
The US Department of Energy also lacks the depth of skills required to test and approve new generations of software for the power grid. The debacle of Boeing and the FAA allowing it to self-certify software for the 747 Max is still fresh in the mind of US lawmakers. Would they allow energy companies to self-certify software for a “secure” power grid? If not, who will do it?
Enterprise Times: What does this mean?
The executive order makes sense at a macro level. However, the complexity of the task must not be understated. The US has one of the most complex energy utility markets in the world and multiple generations of power generating equipment.
Identifying a lot of the older equipment that is vulnerable is also a non-trivial task. Some may be Internet-facing while most will be behind corporate firewalls. It is why many attacks start with phishing campaigns to get inside the networks of power generation companies. Attackers then transition to IIoT systems that are poorly integrated with newer IT systems. Any attempt to secure these systems needs to recognise that there is a need to look at where the attacks start and improve security at that point.
There is also a significant question mark over the costs associated with manufacturing and replacing equipment deemed at risk. Can the US power industry afford a mass replacement of equipment? Will consumers be willing to see their utility bills jump to cover the cost? Will a future US Government add another trillion dollars to the national debt by paying for the upgrades?