Update on Energy Threats and Responses in Cyber War

Back in June, I wrote a short blog about cyberattacks on the energy sector. The blog emphasized spear phishing and ransomware as contemporary cyber espionage concerns for energy companies, with disruption of critical energy infrastructure as a real, but lower probability threat.

Threats and responses to protect critical energy networks and infrastructure continue to develop, warranting a quick update.

At the federal level…

Some in the U.S. Senate Intelligence Committee believe manual analogue technologies should serve as a strategic protection mechanism for critical infrastructure, going so far as to introduce legislation for such retro-style investments. And other experts think “manual control” is a good fall back plan.

The October 2016 “distributed denial of service” cyberattack on web services provider Dyn Inc. – where armies of hacked home electronics devices (or “internet of things” devices) blocked access to popular websites like Twitter and Netflix – raised major concerns about similar strategies to impact critical energy infrastructure.

Luckily, in July, FERC approved an order requiring NERC to develop standards for industrial devices that connect to the transmission grid.  The subsequent “supply chain” security standards will help manage and mitigate risks associated with industrial control system hardware, software, and computing and networking systems that help run the bulk power system. The standards are not intended to be a one-size-fits-all solution, rather, will require certain parties to develop plans to meet specific security objectives. The NERC standards, due in 2017, could prove instructional for other agencies dealing with standards for consumer “internet of things” products.

And just this week, the White House and the Government of Canada released a strategy report on how the two countries would work together to protect and strengthen the electricity grid from cyberattacks and climate change related impacts. The White House also released its action plan for implementing the joint strategy.

More broadly on cybersecurity…

In July, the Obama Administration issued Presidential Policy Directive 41 (PPD-41) on U.S. Cyber Incident Coordination, identifying roles and responsibilities in the event of a significant cyber incident. However, some believe the directive focuses too much on the government response, failing to recognize the private sector owns much of the critical infrastructure assets.

Earlier this month, the nonpartisan Commission on Enhancing National Cyber Security, released its “Report on Securing and Growing the Digital Economy”. The report identifies a variety of imperatives and recommendations for improving cybersecurity and response, including protection of critical infrastructure, as well as recommendations for the first 100 days of the new administration.

The Obama Administration also is rushing to finalize its revised National Cyber Incident Response Plan – which identifies threat, asset, and intelligence responses to cyberattacks – before the inauguration.

But huge gaps remain at the distribution utility level…

While the bulk power system has to adhere to mandatory critical infrastructure protection (CIP) rules issued by FERC and developed by NERC, distribution utilities are mainly protected by voluntary standards issued by state agencies or cooperative utility boards. And some utilities are doing better than others.

Avangrid, Inc. has gained attention for its engagement with Phishme, implementing secretly fake phishing campaigns to train employees and raise awareness about cyber espionage.

Iowa-based MidAmerican Energy Co. has run cyberattack simulations that disabled computers, corporate networks, and even generation plants, in order to test a cyber mutual assistance program created by the electric power industry.  The program enables other utilities to provide expertise and assistance to a utility under cyberattack.

In November, the Michigan Public Service Commission directed staff to develop new cybersecurity rules including annual reporting on cybersecurity investments, employee training, data breaches, and other requirements.

NREL’s Cyber Physical Systems Security and Resilience Center has developed a distribution grid-level test bed for smart grid technologies, allowing hackers to attack the system to identify vulnerabilities, enabling solutions to be developed. But, they also found solutions can be expensive.

And physical threats still exist…

A July article from the Wall Street Journal highlighted how distribution utilities are still extremely vulnerable to physical threats of sabotage.

In September, someone shot a transformer at Garkane Energy Cooperative substation, cutting out power to 13,000 customers. Damage was estimated at $1 million and would take six months to fully repair.

Lastly, a course change on cyber may be coming…

President-elect Trump’s campaign plans on cybersecurity included, for example, establishing a Cyber Review Team to assess and make recommendations to improve cyber defenses and vulnerabilities, enhancing U.S. Cyber Command, and developing offensive cyber capabilities. Trump has been critical of Obama’s cyber approach, as well as critical of cyber intelligence writ large.

Like many countries, the U.S. is already in catch up mode with respect to cyber defense, and it seems the energy sector has significant room for improvement to address risks.

Christina Simeone

Kleinman Center Senior Fellow
Christina Simeone is a senior fellow at the Kleinman Center for Energy Policy and a doctoral student in advanced energy systems at the Colorado School of Mines and the National Renewable Energy Laboratory, a joint program.