
Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

A widespread power blackout would be a major catastrophe. The Northeast blackout of 2003, which affected 55 million people in seven U.S. states and the Ontario region of Canada, caused economic losses in the billions and even fatalities due to accidents, carbon monoxide poisoning and the incapacitation of emergency services.

That blackout was caused by a combination of technical problems and human error, and many believe weather conditions to be the only other major threat to the power grids that keep electricity flowing through our towns and cities. But the increase in computerized, “smart” power grids, while offering multiple benefits to the efficiency of energy transmission, has opened these vital structures up to a new threat—cyberterrorists.

At a recent meeting of the U.S. president’s National Infrastructure Advisory Council, Terry Boston, the former CEO of PJM Interconnection, the nation’s largest power grid operator, revealed that the company’s systems faced up to 4,000 attempted cyberattacks per month. Boston suggested training federal Department of Energy employees to work with the employees of power grid operators for better coordination in the event of a major attack. The volume and seriousness of this threat have not gone completely ignored—in May, President Donald Trump issued an executive order on cybersecurity which included an assessment of the United States’ ability to respond to a cyberattack on the nation’s power systems.

However, according to Michigan Technological University associate professor and researcher Chee-Wooi Ten, whose research focuses largely on power infrastructure cybersecurity, not all in the power industry have caught up to the rising threat of cyberterrorism.

“The attackers only need one successful login in a million to penetrate into the right control network. As I discuss this with engineers, there are reactions that they believe this could happen, but it does not seem to be an imminent threat, and they quickly run to the conclusion that this is not a critical priority because it is highly unlikely this will happen,” said Ten in an interview with Forensic Magazine. “It is a high-impact, low-probability event. It may not happen but it is a possibility that that can happen if the substation control automation is not well set up and protected with technologies.”

Ten explains that many power grid systems are prepared to withstand the impact of a weather event such as a thunderstorm, but not necessarily the targeted threat of a cyberattack, which may compromise entire substations—connected to many lines—as opposed to a line here or there.

“A contingency is typically based on N-1 in which the N is the sum of all components in a transmission network. In some cases there may be N-2 or higher but it is not exhaustive,” he explains. This security scheme prepares the system to lose one or two components in the event of a lightning strike or other weather event. “However, a substation compromise is a completely different story than electrical short circuits caused by storms.”

If an attacker were able to break into multiple substations, they could trigger a domino-like spread of power outages, as electricity redirected from the compromised areas overloads neighboring ones.

“We do not know if a power system may balance the electrical load with generation. That is when the grid may become unstable and the protection schemes will kick in to disconnect wherever they see fit from the local perspective,” Ten said. “This is what has been referred to as a cascading effect, a ripple effect if you may, that will weaken the entire system’s operating conditions. That cascading outage may continue to lose more components over time due to the load-generation imbalance and eventually lead to widespread blackout like the (Northeast blackout) we had in 2003.”
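The contrast Ten draws between N-1 contingency planning and a simultaneous substation compromise can be made concrete with a toy cascade model. This is an added example, not code from the article or from Ten’s research; the six-substation ring, the 100 MW loads and the 60% protection margin are constructed assumptions, and load is shifted equally onto surviving neighbours rather than by a real power-flow solution.

```python
"""Toy cascading-outage model: N-1 screening versus a multi-substation compromise."""
from itertools import combinations

# Constructed sample topology: six substations in a ring, each serving 100 MW.
# Each substation can absorb 60% extra load before its protection trips it offline.
RING = {"A": {"B", "F"}, "B": {"A", "C"}, "C": {"B", "D"},
        "D": {"C", "E"}, "E": {"D", "F"}, "F": {"E", "A"}}
BASE_LOAD = {s: 100.0 for s in RING}
MARGIN = 0.6


def cascade(graph, base_load, margin, initial_failures):
    """Remove the initially failed substations, then repeatedly shift each newly
    lost substation's load onto its surviving neighbours and trip any neighbour
    pushed past capacity. Returns the set of substations lost when the grid settles."""
    capacity = {s: base_load[s] * (1 + margin) for s in graph}
    load = dict(base_load)
    failed = set(initial_failures)
    wave = set(initial_failures)          # substations that just went down
    while wave:
        for s in wave:
            alive = [n for n in graph[s] if n not in failed]
            if alive:                     # no survivor: load is simply shed
                for n in alive:
                    load[n] += load[s] / len(alive)
        # Protection acts on the whole wave at once, so trips are evaluated after it.
        wave = {s for s in graph if s not in failed and load[s] > capacity[s]}
        failed |= wave
    return failed


def worst_case_loss(graph, base_load, margin, k):
    """Largest number of substations lost over every choice of k simultaneous
    initial failures: an exhaustive N-k contingency screen."""
    return max(len(cascade(graph, base_load, margin, combo))
               for combo in combinations(graph, k))


if __name__ == "__main__":
    # Every single-component loss is absorbed: the ring satisfies N-1.
    print("worst N-1 loss:", worst_case_loss(RING, BASE_LOAD, MARGIN, 1))
    # Two adjacent substations compromised together collapse the whole ring.
    print("lost after A and B compromised:", sorted(cascade(RING, BASE_LOAD, MARGIN, {"A", "B"})))
    print("worst N-2 loss:", worst_case_loss(RING, BASE_LOAD, MARGIN, 2))
```

A planner who only screens single-component outages would see this grid as secure; the same model shows that taking two adjacent substations at once leaves nothing standing.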

This is how a hacker may be able to wreak far-reaching havoc through only one or a handful of successful attempts. A major power outage could achieve a cyberterrorist’s goal of sending a message, weakening infrastructure or dealing a blow to the economy, as some believe may have been the goal of the recent NotPetya ransomware attack, which cost businesses in Ukraine and across the world millions of dollars yet only yielded about $10,000 in paid ransoms.

Ten says an effective approach to improving cybersecurity for power grids would be to encourage cooperation between those with knowledge about cybersecurity and those with knowledge about power grids and their physical components, so the two can work together to assess the risks and how they can best be dealt with.

“As you can understand now, it is not a conventional cybersecurity problem. Folks from IT as well as engineers who understand power grid reliability would have to work together to understand risks. This is an integrated approach,” he concluded. “Right now we do not have quantitative guidance from NERC CIP addressing the connections between cyber and the physical components. So holistically we should combine these two together for analysis. It will take some time to merge that culture into an integrated one so that the risks are better modeled and understood in planning.”
