The nation’s energy systems can’t keep up with the growing threat of the U.S. going dark after a cyberattack by North Korea, Islamic State radicals or anyone with a grudge. According to experts, threats to the electrical grid, water utilities and other elements of energy infrastructure are likely growing in number and complexity with each day.
In just the past two months, U.S. utilities have been placed on alert twice, as much as the public knows: once after Islamic State radicals attacked downtown Paris and again after a December attack in Ukraine that knocked out the country’s power for several hours. Just last week, the inspector general for the nation’s nuclear power regulator said in a report that the Nuclear Regulatory Commission “is not optimized to protect the agency’s network in the current cyberthreat environment.”
“Here is the deal, of course it’s important that the grid have sophisticated cybersecurity,” but “to assume that we can keep up with the hackers is ridiculous,” said Scott Sklar, a long-time utility consultant and president of the Stella Group who has been advising lawmakers on some of the holes in the government’s approach to Internet-based attacks.
The Federal Energy Regulatory Commission, the national labs, the Pentagon and the intelligence community all have teams looking at the threat. But “how you put up a strategy from all that looking is the question that remains unanswered,” he said. The Department of Energy also has created a public-private partnership focused on information sharing with the utility industry.
But Sklar said those efforts address the issue only from the “100,000-feet level,” and he suggests government officials “spend more time with the practitioners in the field,” something he says not all government agencies are willing to do.
Another issue is that the federal response looks at threats only to the wholesale electrical grid that it oversees, which means the big transmission lines that move energy from the power plants to homes and businesses. That leaves the wires in towns and cities, the distribution grid under the states, more vulnerable to hackers and would-be attackers.
And that has states concerned. Cyberthreats are managing to dwarf concerns about President Obama’s far-reaching climate regulations on grid reliability, said Travis Kavulla, the new president of the National Association of Regulatory Utility Commissioners.
“The cyberthreats that are out there seem to target not just those high-voltage facilities that are subject to federal regulation, but the lower-voltage system which is the province of state regulation,” he said, adding that the group’s winter meeting in Washington next month will be dominated by discussion on cybersecurity.
“Cybersecurity will be the issue which receives probably the most focus, even more than the earthshaking regulations on carbon dioxide the EPA has issued,” he said.
“I believe most investor-owned utilities understand that, if they experienced a worst-case scenario — an outage of many months, for example — they would not merely have an unprofitable year. They would almost certainly be bankrupted and nationalized,” Kavulla said.
“That risk is, or at least should be, a powerful incentive.”
Congress appears to be struggling to strike the right balance in dealing with the issue. While a comprehensive cybersecurity bill was signed into law last month, the Senate Energy and Natural Resources Committee still sees room for a grid-specific bill that would create new collaboration with the states. The Enhanced Grid Security Act is part of a comprehensive energy bill that is expected to be voted on the floor soon, commitee staff say.
“We cannot hold back important policies that are essential to America, at a time when energy security is so important,” said Energy committee Ranking Member Sen. Maria Cantwell, D-Wash, when the bill passed out of committee last year. She joined Chairwoman Sen. Lisa Murkowski, R-Alaska, in passing the measure.
Annabelle Lee, with the independent industry-funded Electric Power Research Institute, said the industry faces a difficult situation.
“The difficulty for the electric sector … is that from the protection side we have to try and be right 100 percent of the time,” Lee said. “The bad guys only have to be right once.”
Her group has been working with the Energy Department on ways to plan for threats, and the industry was just put through a worst-threat test scenario in November with the government.
New mandatory federal cybersecurity standards for utilities go into effect April 1, but they will cover only the wholesale side of the grid, not the part the states control, Lee said.
Sklar said one of the best ways to protect the grid is to be off the grid. He has been pushing the idea of keeping some parts of the grid “dumb” to protect them from being hacked. He said the grid is getting smarter each day with new interconnected devices, smart thermostats and even renewable energy, which is making it more accessible via the Internet, and therefore more vulnerable.
Sklar has worked with the Navy on net-zero energy buildings that can produce as much power as they consume, making them independent from the commercial grid if necessary. He said being “partially” grid independent is part of the solution, but a balance has to be struck.
Michaela Dodge, security policy expert at the conservative Heritage Foundation, said there are also problems with how people perceive the threat. On one side of the spectrum, “there are many that believe the planning scenarios are not realistic,” while on the other side there are those that think the country will never be attacked, which “is not wise.”
Dodge has been looking at scenarios in which a nuclear weapon is detonated above the U.S., creating an electromagnetic pulse, wiping out the grid. She said it’s a threat that needs to be considered, primarily from large national actors like China and Russia, but also from North Korea, Iran and anyone looking at ways to attack the United States.
“It’s a perfect asymmetric way to destroy the U.S.,” Dodge said. “What we are talking about is a nuclear weapon detonated in upper atmosphere” to create a magnetic field that fries all electrical devices. The grid is “a vulnerability” that enemies can exploit, she said. It’s hard for countries to pull off, but not impossible.
She said the question policymakers should be asking is not whether countries have the ability to do this kind of attack, but when.
