America's electricity grid is a big, juicy target for cyberattacks – and it's getting more vulnerable as interactive "smart grid" features and other Internet-based connections are grafted onto an old, insecure system, a major new study reports.
Despite development of new cybersecurity standards, the electric utility industry is creating more new vulnerabilities than it is patching and, thus, losing ground to attackers, the Massachusetts Institute of Technology "Future of the Electric Grid" study found.
"Millions of new communicating electronic devices ... will introduce attack vectors – paths that attackers can use to gain access to computer systems or other communicating equipment," the report states. "That increase[s] the risk of intentional and accidental communications disruptions," including "loss of control over grid devices, loss of communications between grid entities or control centers, or blackouts."
Every new "smart meter," as well as new sensors and major equipment at generating plants, will soon be connected to communications modules – resulting in millions of components from hundreds of manufacturers and software from many developers. The presence of "so many interfaced components increases system complexity as well as the number of potential cyber vulnerabilities," the study found.
Shoring up cybersecurity for the power grid would cost about $3.7 billion, a relatively small amount compared with the $476 billion that a "smart grid" upgrade could cost, according to a report earlier this year by the Electric Power Research Institute.
Even so, it is "difficult to make the business case" for cybersecurity investments because the probability of a devastating attack is so low. One problem: Regulations that mandate action often end up as a mere checklist for utilities – without actually improving security, because cyberthreats keep evolving.
Cybersecurity for the power grid is of concern to many. The Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corp. jointly oversee development of cybersecurity standards for power companies in the bulk power system. The National Institute of Standards and Technology is working on another set of standards. The Department of Homeland Security (DHS) and the Department of Energy (DOE) are weighing in, too.
In May, the White House offered its plan to put the grid in DHS hands. In July, a Senate bill proposed putting oversight authority with FERC and DOE. Action could come in the Senate as soon as January.
None of these portend a single body with national regulatory oversight of cybersecurity standards – and not just for bulk power that is transmitted long distances over high-voltage lines, but also for local distribution systems, the MIT report notes.
"The federal government should designate a single agency to have responsibility for working with industry and to have appropriate regulatory authority to enhance cybersecurity preparedness, response, and recovery across the electric power sector, including bulk power and distribution systems," the study recommended.
The report regards cyberattacks as inevitable. Therefore, the US needs another specialized entity to conduct forensic investigations – something akin to the National Transportation Safety Board (NTSB) that, in the transportation world, swoops in to analyze the causes of accidents and recommends action, the study says.
Other experts endorse the findings.
"The report correctly concludes that the complexity and diversity of communications will make prevention an impossible task," writes Michael Assante, former chief security officer for NERC, in an e-mail. "It will be very important that the industry is able to learn from mistakes and near misses in order to best manage operational risk to the system. I fully support the concept of establishing a NTSB-like function with industry involvement that spans the entire system from Generation to Distribution."
James Lewis, a senior fellow and cybersecurity analyst at the Center for Strategic and International Studies, a think tank in Washington, agrees that a single agency is needed to make the grid cybersafe.
"We need one place that has the authority and expertise and pays attention to cybersecurity or we'll wake up one day and the lights won't go on," he writes in an e-mail interview. "The Administration and some on the Hill want that place to be DHS, but there is a lot of skepticism that can only be overcome by actual accomplishment. Right now, no one makes sure the grid is secure and it is our biggest vulnerability to attack."