Cybersecurity vulnerability of the U.S. power grid underscored in new report

28 May 2013 Geoff Zeiss

A report on grid cybersecurity released last week by US Representatives Ed Markey and Henry Waxman makes for fascinating reading.

Background

The U.S. bulk power system is relied on by 300 million people and is comprised of 200,000 miles of transmission lines and about a thousand gigawatts (GW) of generating capacity.  It is valued at over $1 trillion.  Most of the bulk power grid is owned and operated by private companies, municipally- and coop-owned utiltiies.

The components of the grid are highly interdependent.   An outage in one area can lead to cascading outages in other areas.  The classic example occurred in 2003 when four high voltage power lines in northern Ohio brushed trees and shut down. A computer system error caused a cascade of failures that left 50 million people without power for two days across the United States and Canada.  The largest blackout in North American history cost the economy an estimated $6 billion.

Vulnerabilities

This report makes the case that grid vulnerabilities pose substantial risks to U.S. national security.  It cites a 2008 report by theTask Force on Department of Defense (DOD) Energy Strategy that said that  “critical missions . . . are almost entirely dependent on the national transmission grid.”  About 85% of the energy infrastructure upon which DOD depends is commercially owned, and 99% of the electricity DOD consumes originates outside of DOD. In most cases, neither the grid nor on-base backup power provides sufficient reliability to ensure continuity of critical national priority functions and oversight of strategic missions in the face of a long term (several months) outage. An October 2009 report by the Government Accountability Office said that 31 of DOD’s 34 most critical global assets rely on commercially operated electricity grids for their primary source of electricity.

I remember a startling statistic in an Energy Information Adminstration (EIA) publication that the failure of 4% of U.S. substations would result in 60% of the U.S. losing power. The Markey and Waxman report also cites a declassified National Academy of Sciences report declassified that found that physical damage to large transformers could disrupt power to large regions of the country and take months to repair.

Very recently, the Department of Homeland Security testified that it had processed 68% more cyber-incidents in 2012, involving Federal agencies, critical infrastructure, and other select industrial entities, than in 2011.

Cybersecurity regulationElectricity_Grid_Schematic_English.svg

Measures to protect the U.S. electric grid from cyber-attack include mandatory reliability standards developed by the North American Electric Reliability Corporation (NERC) plus voluntary actions recommended by NERC.

In 2010, bipartisan cyber-security legislation called the GRID Act passed the House of Representatives.  This legislation would have provided the Federal Energy Regulatory Commission (FERC) with the authority to require necessary actions to protect the grid. However, this legislation did not pass the Senate.

Cybersecurity survey of U.S. utiltiies

In January of this year, Representatives Markey and Waxman requested information from more than 150 investor-owned utilities (IOUs), municipally-owned utilities, rural electric cooperatives, and federal entities.  More than 60% of the entities have responded including

  • 54 investor-owned utilities
  • 47 municipally-owned utilities and rural electric cooperatives
  • 12 federal entities

The Markey and Waxman report is based upon those responses.

Findings

The electric grid is the target of numerous and daily cyber-attacks.

More than a dozen utilities reported “daily,” “constant,” or “frequent” attempted cyber-attacks ranging from phishing to malware infection to unfriendly probes.

One utility reported that it was the target of approximately 10,000 attempted cyber-attacks each month. More than one public power provider reported being under a “constant state of ‘attack’ from malware and entities seeking to gain access to internal systems.” A Northeastern power provider said that it was “under constant cyber attack from cyber criminals including malware and the general threat from the Internet…”  A Midwestern power provider said that it was “subject to ongoing malicious cyber and physical activity. For example, we see probes on our network to look for vulnerabilities in our systems and applications on a daily basis. Much of  this activity is automated and dynamic in nature – able to adapt to what is discovered during its probing process.”

Most utilities only comply with mandatory cyber-security standards, and have not implemented voluntary NERC recommendations. 

Almost all utilities cited compliance with mandatory NERC standards. Of those that responded to a question of how many voluntary cyber-security measures recommended by NERC had been implemented, most indicated that they had not implemented any of these measures.

For example, NERC has established both mandatory standards and voluntary measures to protect against the computer worm known as Stuxnet. Of those that responded, 91% of IOUs, 83% of municipally- or cooperatively-owned utilities, and 80% of federal entities that own major pieces of the bulk power system reported compliance with the Stuxnet mandatory standards. By contrast, of those that responded to a separate question regarding compliance with voluntary Stuxnet measures, only 21% of IOUs, 44% of municipally- or cooperatively-owned utilities, and 62.5% of federal entities reported compliance.

Most utilities have not taken concrete steps to reduce the vulnerability of the grid to geomagnetic storms and it is unclear whether the number of available spare transformers is adequate.

Only 12 of 36 (33%) responding IOUs, 5 of 25 (20%) responding municipally- or cooperatively-owned utilities, and 2 of 8 (25%) responding federal entities stated that they have taken specific mitigation measures to protect against or respond to geomagnetic storms.

Most utilities do not own spare transformers. Only twenty IOUs, six municipally- or coop-owned utilities, and eight federal entities reported owning spare transformers. While other utilities reported participation in various mutual assistance agreements or industry equipment sharing programs, none knew how many other utilities would claim contractual access to the same equipment in the event of a large-scale outage.

Geoff Zeiss

Geoff Zeiss

Geoff Zeiss has more than 20 years experience in the geospatial software industry and 15 years experience developing enterprise geospatial solutions for the utilities, communications, and public works industries. His particular interests include the convergence of BIM, CAD, geospatial, and 3D. In recognition of his efforts to evangelize geospatial in vertical industries such as utilities and construction, Geoff received the Geospatial Ambassador Award at Geospatial World Forum 2014. Currently Geoff is Principal at Between the Poles, a thought leadership consulting firm. From 2001 to 2012 Geoff was Director of Utility Industry Program at Autodesk Inc, where he was responsible for thought leadership for the utility industry program. From 1999 to 2001 he was Director of Enterprise Software Development at Autodesk. He received one of ten annual global technology awards in 2004 from Oracle Corporation for technical innovation and leadership in the use of Oracle. Prior to Autodesk Geoff was Director of Product Development at VISION* Solutions. VISION* Solutions is credited with pioneering relational spatial data management, CAD/GIS integration, and long transactions (data versioning) in the utility, communications, and public works industries. Geoff is a frequent speaker at geospatial and utility events around the world including Geospatial World Forum, Where 2.0, MundoGeo Connect (Brazil), Middle East Spatial Geospatial Forum, India Geospatial Forum, Location Intelligence, Asia Geospatial Forum, and GITA events in US, Japan and Australia. Geoff received Speaker Excellence Awards at GITA 2007-2009.

View article by Geoff Zeiss

Be the first to comment

Leave a Reply

Your email address will not be published.


*