Nearly every week we see reports that demonstrate how vulnerable modern society is to cyberattack. This month, we saw a disturbing report about how vulnerable wind farms are to physical and cyberattack. WIRED reported on investigations conducted by researchers at the University of Tulsa on behalf of wind site owners, in which the investigators were able to gain entry to wind farm sites and hack into the operating systems of wind turbines produced by a number of different manufacturers. The investigations definitively determined that hackers could take control of individual turbines and whole facilities to cause damage to the site and disrupt power production.
There are a number of lessons from the University of Tulsa study. First, as we rely more and more on remote and distributed generation, if it is tied to the grid, cybersecurity has to be taken as seriously as it is with other components of the grid. Second, the Tulsa work determined that physical security was as much the culprit as easy hacking. Wind turbines, like many other remote sites and equipment, have historically been protected by simple combination locks or padlocks intended to deter the occasional thrill seeker or mischief maker. This level of protection was easily defeated by the Tulsa researchers. Today we must protect facilities from a breach by serious criminals or terrorists.
Another disturbing report this month came from E&E News, which learned that U.S. authorities are investigating a cyber intrusion affecting multiple nuclear power generation sites this year. A spokesperson from the North American Electric Reliability Corp. (NERC) confirmed the agency was aware of the incident, code-named "Nuclear 17," and had shared information with its members about it.
NERC separately posted a public alert this month about the grid-focused malware that experts claim was used last December to briefly knock out power to part of Ukraine. The cybersecurity firm Dragos Inc. has named this malware "CrashOverride" and claims it could be used in the U.S.
At the beginning of the year, Utility Dive did a survey of utility executives to learn what issues they found important. The results indicated 36% of utility executives believe physical and/or cyber grid security is "very important" today and another 36% believe it is "important." That is reassuring, but are utilities taking serious action to address the risk, and what about the 28% of the companies that aren’t that concerned? If their systems are besieged, how will that affect the rest of the grid?
Any utility executives not sweating yet about cybersecurity must have the “Teflon man” gene. Alternatively, they might feel they are already totally prepared. After all, in addition to alerting us about possible risks, NERC has implemented a number of critical infrastructure protection (“CIP”) regulations to ensure utilities are as prepared as possible for a variety of natural and man-made risks. However, the recent events cited above reinforce that we must have system safeguards and backup safeguards because it is almost impossible to protect every point of entry. We know from the NERC CIP regulations that safety of employees and the public is our top priority and physical security of sites is often the most important aspect of this mandate. As demonstrated at the wind farms, a physical site breach can lead to essential data breaches.
It is clear the bad guys will continue to try to breach our systems. Accordingly, we have to continue staying a step ahead with physical security using surveillance, thermal imaging, night vision cameras, keypads, biometric entry systems, door alarms, intrusion detection and so on. On the cybersecurity side, it will be necessary to continue to improve our authentication, access, encryption, detection and threat mitigation systems.
We can only hope that with all the attention now focused on physical and cyber risks, all utilities are working on the assumption that these risks are of the highest importance. We can no longer be complacent because a system like our grid may only be as strong as the weakest link.