When it comes to the smart grid, new and improved also means vulnerable and more prone to attack.
Just last year, the Department of Homeland Security (DHS) cyber emergency team responded to more than 80 incidents involving energy companies.
“If you’re a utility today, depending on your scale, you’re under attack at this moment,” said Robert Weisenmiller, chairman of the California Energy Commission, in a report on the Homeland Security News Wire.
The U.S. electric grid is constantly under attack despite attempts by utilities to boost physical security and cyber defenses. While cyber attacks get quite a bit of the news coverage, physical security needs to work hand in hand with its digital counterpart, especially since last year’s attack on a Pacific Gas and Electric Co. substation in San Jose, CA, where unknown attackers cut telephone lines to the Metcalf substation, then disabled 17 transformers with precise gunfire.
Efforts by utilities to make the electric grid “smarter” by deploying sensors, automation, and communications technology have created new ways for hackers to sabotage the electric grid; and while cyber security spending has increased to eliminate some weaknesses in the smart grid, the threat still remains. Smart meters still operate side by side with old and sometimes outdated hardware systems.
“There are some very good hackers out there, and they’re not going to take ‘no’ for an answer,” Andy Saunders, managing consultant for the IOActive smart grid security firm, said in the report. “They’re going to keep throwing things at these devices and systems.”
A 2013 congressional survey of more than 150 utility companies found at least one utility was the target of roughly 10,000 attempted cyber attacks each month; and more than a dozen utilities reported daily, constant, or frequent attempted cyber attacks including phishing, malware infection, and unfriendly probes.
Representative (now Senator) Edward Markey (D-Massachusetts) and Henry Waxman (D-California) wrote in response to the survey that although the utilities did not report damage to any of their computer systems, “there did not appear to be a uniform process for reporting attempted cyber attacks to the authorities; most respondents indicated that they follow standard requirements for reporting attacks to state and federal authorities, (but they) did not describe the circumstances under which these requirements would be triggered, but largely indicated that the incidents they experienced did not rise to reportable levels.”
Eliminating the threat of cyber attacks is impossible.
Instead, utilities must continue to explore new ways to prevent attacks, respond to them, and share information about them with federal agencies and fellow utilities.
Scott Aaronson, senior director for national security policy at the Edison Electric Institute, said some utilities are deploying the government-funded Cybersecurity Risk Information Sharing Program, which monitors utility networks for signs of hacker activity, using unclassified and classified information to identify threats. Reports of new malware can then be shared with government agencies and utilities.