Sophisticated hackers could crash the US power grid, but money, not sabotage, is their focus for now – Utility Dive

DOE Secretary Jennifer Granholm in June told CNN that enemies of the United States have the capability to shut down the U.S. power grid, and “there are very malign actors trying, even as we speak.”

Granholm was discussing President Joe Biden’s push to better secure the utility sector, which faces a growing threat from ransomware and attacks on operational technology. There are mandatory security requirements and high levels of redundancy built into the U.S. bulk power system, but when asked if a sophisticated hacker has the capability to crash the grid she replied soberly, “Yeah, they do.”

That may bring to mind worst-case doomsday scenarios, but security experts say there is little imminent risk that hackers will cause a widespread blackout, despite a near-constant barrage of attacks on utilities and grid assets.

“I don’t think the threat to reliability is imminent” even as more operational technology (OT) is internet accessible, said Lila Kee, general manager for GlobalSign’s North and South American operations. “Attackers are getting smarter and as we move OT online the threat surface will be wider, but what these hackers are doing is espionage. They’re going after data, they’re going after [intellectual property].”

“If they wanted to go after the OT networks, from a sabotage standpoint, that’s an act of war,” Kee said. “And I don’t think even some of the biggest state actors are going to poke that bear.”

There are a variety of hackers and groups, “and their goals are similarly varied,” Kevin Perry, formerly the director of critical infrastructure protection at Southwest Power Pool, said in an email. Perry retired in 2018.

“Most cyber attacks today are financially motivated,” Perry said, with hackers attempting to steal credentials, company or customer financial information, or intellectual property. “Basically, information that can be used for financial gain.”

But “there are attackers whose aim is to disrupt the business, either with ransomware or by attacking and manipulating the business-critical systems,” Perry added.

An act of war

Crashing the grid would require a sophisticated attack and knowledge of electricity systems. Like Kee, Perry also sees little appetite for the most dramatic attacks.

“OT systems are very complex and the attacker will need a certain level of knowledge and sophistication. That [would] most likely be a nation-state backed hacking group,” he said. “An activity of a nation-state actor that intentionally causes a blackout will likely be viewed as an act of war and will likely result in a kinetic or electronic response, or both, once the actor has been positively identified.”

Right now, hacking groups in Russia, China, Iran and North Korea, are all known to have high levels of sophistication. The electric industry, however, says it is prepared for a future where more hackers have those capabilities.

“Sophistication can ultimately be bought,” Edison Electric Institute (EEI) Vice President for Security and Preparedness Scott Aaronson said. EEI represents investor-owned utilities, which provide electricity for about 220 million people in the U.S.

Taking down the grid would require a very complex attack but “we are preparing for that possibility today,” Aaronson said.

Less sophisticated attacks are frequent, say experts, and often have little or no impact on operations.

“We’ve responded to intrusions at generation plants and within control centers,” said Ben Miller, vice president of professional services and research and development for Dragos, a security firm focused on operational technology (OT) environments. “But did those cause a blackout or outage? No.”

The attacks were opportunistic and in many cases hackers may not have even known what OT environment they were in, Miller said.

“Gaining access into a grid facility is certainly in the realm of possible, even accidentally,” Miller said. But between gaining access and having a particular impact “is a lot more sophistication than ransomware or a malicious piece of malware, and it does rise into that state-aligned category.”

And the U.S. grid is designed with such redundancy in mind, that even if a hacker were able to take down the largest generating asset on the grid — the 6.8 GW Grand Coulee Dam in Washington — it would not cause a blackout, said security consultant Tom Alrich.

“Plants being down should never be the cause of an outage,” Alrich said. “That’s the whole idea of a reliability coordinator. They make sure there’s always enough backup to cover any contingency.”

All that said, experts agree it is possible for hackers to cause a blackout.

“Now, if you start to have a bunch of plants go down at the same time, that’s another story,” Alrich said. “But plants are not the problem. … When you’re talking about really serious attacks, you’re talking about attacks on control centers or attacks on substations.”

A brief history of energy cyberattacks

For the most part, the United States has avoided grid impacts from cybersecurity threats. A 2018 attack interrupted communications on the Midcontinent Independent System Operator (MISO) grid, but customers ultimately felt no reliability impacts. But there is history.

The most well known grid cyberattack in the world occurred in 2015 when hackers knocked out power to almost a quarter million people in Ukraine. The attack, widely attributed to Russia-backed hackers, was possible because “there was not proper isolation between the IT and OT systems,” said Perry.

Hackers compromised IT systems via a successful phishing email attack, he said, and were then able to move throughout the network to attack the utility’s energy management system. They downloaded malicious firmware that impacted grid operators’ ability to communicate with substations while also controlling key equipment.
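As an added illustration of the IT/OT isolation Perry describes (this code is not from the article or from any organization it quotes), the Python check below scores constructed network flow records against a simple zone policy: any flow that crosses straight from the IT zone into the OT zone, or that crosses from the DMZ into OT on a port the policy does not name, is flagged for review. The zone address ranges, allowed ports and log lines are all constructed assumptions.

```python
import ipaddress

# Constructed example network zones (hypothetical address ranges, not from the article).
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),   # jump hosts sitting between IT and OT
    "OT":  ipaddress.ip_network("10.30.0.0/16"),   # control-centre and substation networks
}

# Segmentation policy: IT never talks to OT directly; only the DMZ may reach OT,
# and only on the engineering-access port the policy explicitly allows.
# None means "any port" for that zone pair; a pair missing from the table is never allowed.
POLICY = {
    ("IT", "IT"): None, ("IT", "DMZ"): None,
    ("DMZ", "DMZ"): None, ("DMZ", "OT"): {22},
    ("OT", "OT"): None,
}

def zone_of(ip: str) -> str:
    """Map an address to its zone name; anything outside the known ranges is UNKNOWN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def check_flows(lines):
    """Return policy violations from constructed 'timestamp src dst dport' flow records."""
    violations = []
    for line in lines:
        ts, src, dst, dport = line.split()
        pair = (zone_of(src), zone_of(dst))
        allowed_ports = POLICY.get(pair, set())      # empty set: this crossing is never allowed
        if allowed_ports is None or int(dport) in allowed_ports:
            continue
        violations.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                           "zones": f"{pair[0]}->{pair[1]}"})
    return violations

# Constructed sample flows: a normal IT->DMZ web session, an allowed DMZ->OT SSH hop,
# an IT workstation reaching a substation gateway directly, and a DMZ host using RDP into OT.
SAMPLE_FLOWS = [
    "2021-06-01T10:00:01 10.10.5.7 10.20.0.10 443",
    "2021-06-01T10:00:05 10.20.0.10 10.30.1.20 22",
    "2021-06-01T10:01:12 10.10.5.7 10.30.1.20 502",
    "2021-06-01T10:02:40 10.20.0.11 10.30.2.9 3389",
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(v)
```

The same table-driven check works on real flow exports once the zone ranges and allowed ports are replaced with a site's own segmentation policy.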

Experts say the Ukraine outage remains largely consistent with how hackers could attack the U.S. grid today.

Other vulnerabilities have been studied. In 2007, Idaho National Laboratory’s Aurora Generator Test proved a cyberattack could physically destroy a generator by connecting it to the grid out of phase, which leads to extreme torque and the machine breaking down.

Most recently, the North American Electric Reliability Corp. (NERC) said the 2020 SolarWinds attack, in which sophisticated malware was inserted into the software supply chain, exposed a quarter of the electric utilities it regulates to the vulnerability. The electric sector could take years to determine the full impacts of that attack, say experts.

And the attack on Colonial Pipeline, which transports refined oil products, had no electric grid impacts but is an example of unintended consequences. Hackers attacked Colonial’s IT system and the company defensively shut down the pipeline.

“When there’s a ransomware attack in the IT network, it will inevitably result in an outage on the OT network,” Alrich said. Utilities aren’t going to turn off the power to mitigate a cyberattack, he said, but the MISO attack is an example where a control center was taken offline to avoid impact.

SolarWinds and Colonial are good examples of the threats facing the energy sector, said NERC Senior Vice President Manny Cancel, who is also CEO of NERC’s Electricity Information Sharing and Analysis Center (E-ISAC).
