The US Power Grid Needs Better Security

A recent poll showed that more than 90 percent of Americans believe the government is not doing enough to protect the electric grid from cyber-security attacks. Their fears appear to be justified.

In March 2018, the US government revealed its concerns about Russian incursions into the operating systems of domestic electric power plants and noted that the efforts to disrupt date back to 2013. These attacks have the capability to bring down all or part of US electricity service.

Such large-scale grid cyberattacks were foreseen. The Departments of Energy and Homeland Security identified the grid’s vulnerability to cyber-attacks some time ago and called for new protective measures in the DOE-led January 2017 Quadrennial Energy Review.

The study, which analysed the entire US electricity system, noted that that the key critical infrastructures underpinning the nation’s economy and national security, transportation, water, finance, natural gas, oil, communications/IT, depend upon a reliable electricity “uber-network.”
 
A 2012 report by the National Research Council concluded that a cyber-attack could black out a large region of the nation for weeks or even months.

Public health and safety would be in jeopardy from an extended, widespread power outage, resulting in loss of life support systems in hospitals, nursing homes, and households, disruption of clean water supplies and sanitation, and a massive breakdown of the transportation system.

The economic disruptions from an extended blackout would also be enormous.

A 2015 Lloyds of London study found that a cyber-attack on 50 generators in the Northeast could leave 93 million people without power and cost the economy over $234 billion.

We’ve already seen previews of a successful cyberattack on the grid stemming from operational failures and extreme weather. The 2003 Northeast blackout left 50 million people without power for four days, causing economic losses between $4 billion and $10 billion.

In Puerto Rico, 400,000 people are still without power six months after Hurricane Maria, with staggering impacts on the commonwealth’s economy and well-being.

Russia, Iran, North Korea and others have large-scale, offensive cyber-attack programs.

The CIA has concluded with “high confidence” that Russian military attackers crippled computers in Ukraine’s financial system last year. This followed 2015 and 2016 cyber-attacks that disabled part of Ukraine’s electric grid.

Global security analysts say Russia is using Ukraine as a cyber-war testing ground. The US also appears to be in their crosshairs as the overall US-Russia relationship hits new lows, evidenced most dramatically by their interference in our 2016 elections.

According to DHS and the FBI, Russia appears to be laying a foundation for a large scale cyber-attack on US infrastructure. The Dragonfly 2.0 hackers, identified by DHS as Russian government cyber actors, pursued a prolonged cyberattack (since 2015) on a US power plant and computer networks controlling the grid.

Industry and government have been trying to address cyber vulnerabilities.

In 2015, Congress expanded DOE’s authority to take immediate measures in response to cyberattacks on the grid in the FAST Act. Congress has also proposed additional legislation to address grid-related cyber-defense deficiencies with resilience measures for electricity infrastructure.

These bills, introduced but not passed, focus on state assistance, authority to address cybersecurity gaps for other energy infrastructures, and identification of cyber secure products for the grid. Energy Secretary Rick Perry should also be commended for setting up a new cybersecurity office at DOE.

These actions are important but not enough.

It is time for a comprehensive examination of how the US can anticipate, recover, and deter cyber-attacks. They need to fund development and deployment of advanced designs and technologies to protect their grid and to provide states the tools they need to contribute to the defense of the nation’s electricity system.

They need to incorporate mandatory reliability and resilience measures into every aspect of our electricity system and the Internet. They must also address state-sponsored cyber-attacks at the legal, regulatory, operational and diplomatic levels, including the development of international protocols.

But the hardest part may be modernising our jurisdictional system to ensure seamless federal authority to prepare for and respond to cyber-attacks.

The DOE study concluded that the electricity system is a national security asset.

National security is inherently a federal responsibility and cyber-security attacks do not respect jurisdictional boundaries. It is time to adopt a regulatory system that meets 21st century realities. The US economy and national security depend on it.

The Hill

You Might Also Read: 

US Accuses Russia Of Attacking Energy Infrastructure:

 

« Snowden: The Deep State’s Influence On The Presidency
Julian Assange Has Internet Connection Cut »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Chatham House Cyber Conference

Chatham House Cyber Conference

14 June 2023 - Connect with cyber security experts and senior policymakers to explore the role of cyber security in the global economy and how to deliver an open and secure internet.

ZeroDayLab

ZeroDayLab

ZeroDayLab is one of Europe’s leading IT Security Consulting companies, delivering IT Security Testing engagements for a broad range of public and private sector organisations across the UK and EMEA.

CybSafe

CybSafe

CybSafe is a cloud-based platform focussed on addressing the human component of cyber security - an intelligent approach to awareness training.

Cybint Solutions

Cybint Solutions

Cybint provides customized cyber education and training solutions for Higher Education, Companies and Government.

RIGCERT

RIGCERT

RIGCERT provides training, audit and certification services for multiple fields including Information Security.

Ingenio Global

Ingenio Global

Ingenio is a specialist recruitment business for SaaS companies. Our purpose is to source exceptional talent in areas including cyber security for leading SaaS companies in the UK and Ireland.

Tech-Recycle

Tech-Recycle

Tech-Recycle was formed to help companies and individuals securely, ethically and easily recycle their IT and office equipment. We destroy all data passed to us safely and securely.

Aversafe

Aversafe

Aversafe provides individuals, employers and certificate issuers around the world with a first line of defense against credential fraud.

ThreatReady Resources

ThreatReady Resources

ThreatReady reduces an organization’s risk by delivering cyber security awareness training based on the latest, state-of-the-art learning science to effectively drive long-term cyber-safe behavior.

LogicalTrust

LogicalTrust

LogicalTrust security testing specialists find the weakest points in your company and show you how to fix them step-by-step, as well as how to improve your security.

Pragma Strategy

Pragma Strategy

Pragma is a CREST approved global provider of cybersecurity solutions. We help organisations strengthen cyber resilience and safeguard valuable information assets with a pragmatic approach.

Luxembourg House of Financial Technology (LHoFT)

Luxembourg House of Financial Technology (LHoFT)

Offering start-up incubation, co-working spaces including a soft-landing platform, the LHoFT connects and creates value for the entire Luxembourg FinTech ecosystem.

Cyber Defense Technologies (CDT)

Cyber Defense Technologies (CDT)

Cyber Defense Technologies provides services and turn-key solutions to secure and maintain the integrity of your organization’s systems and data against attacks.

SK Shieldus

SK Shieldus

SK shieldus are a converged security provider with business capabilities in both cybersecurity and physical security based on Big-Tech.

Magna5

Magna5

Magna5 is a managed IT service provider focusing in network and server monitoring, backup and disaster recovery, cybersecurity, help desk and SD-WAN.

McKinsey & Company

McKinsey & Company

McKinsey & Company is a global management consulting firm. We are trusted advisor to the world's leading businesses, governments, and institutions.

CyBourn

CyBourn

Cybourn's diverse offerings include engineering, analysis, product development, assessment, and advisory services in the cybersecurity space.