The U.S. electrical grid is a massive and complex system on which the nation’s way of life depends. It is difficult to think of a single societal component that is not wholly reliant on a steady supply of electricity. An unfortunate side effect of this criticality is that electric utilities operate under constant threat as a variety of bad actors seek ways to penetrate the system and wreak havoc.
Hackers probe continually for the weak link in a system. The email account of a critical employee with administrative privileges could open access to an entire system. When that system is the electric power grid, the stakes are high. Some federal agencies have gone as far as saying a successful cyberattack could cause large portions of the U.S. to lose power for days or even several weeks. Insurance firm Lloyd’s of London says a cyberattack on the Eastern Interconnection could cause as much as US$1 trillion in damage.
To date, no cyberattacks against U.S. utilities have resulted in permanent or long-term damage to operation of the grid. However, according to a report prepared by the Idaho National Laboratory, an arm of the U.S. Department of Energy (DOE), electric utilities have seen a steady rise in cybersecurity- and physical-security-related threats. Utilities of all sizes take these threats seriously. In industry surveys, they list cybersecurity among their top concerns. However, with 3300 utilities, 200,000 miles (322,000 km) of high-voltage transmission lines, 55,000 substations and 5.5 million miles (8.8 million km) of distribution lines, there are several portals through which hackers could gain access to critical and vulnerable systems.
Targets Large and Small
Public power utilities are no more or less vulnerable than the large investor-owned utilities that serve most of the electric power customers in the U.S. In fact, some public power utilities serve large metropolitan areas — such as Los Angeles, California; Austin, Texas; or Jacksonville, Florida — but most serve communities with fewer than 4000 customers.
Many public power utilities serve tight-knit communities where neighbors trust neighbors and security threats are not necessarily top of mind. In the past, the relatively small size of an electric utility could lead management to believe the utility is not an attractive target to hackers and cybercriminals. This dynamic has changed. Recent reports show some hackers are taking aim at a variety of targets — even nonutility targets. In January 2019, a Wall Street Journal article outlined how hackers are probing the vulnerabilities of the electric grid by targeting vendors that work with utilities.
Smaller targets can be attractive to hackers, particularly if they have a tangential relationship to larger targets. Industry and government recognize this dynamic and are working together to protect the grid from cyber threats.
Many public power utilities find it challenging to hire a qualified cybersecurity expert. In conjunction with the DOE, an American Public Power Association program is trying to bridge the cybersecurity expertise gap by training existing utility employees on the fundamentals of cybersecurity to lock out hackers.
The American Public Power Association hosts cybersecurity trainings such as this one at Kansas Municipal Utilities in McPherson, Kansas. Photo Courtesy of the American Public Power Association.
In July 2016, the DOE provided the association with $7.5 million to help public power utilities improve the strength and cybersecurity of their systems. Over the three-year course of the program, known as Cybersecurity for Energy Delivery Systems (CEDS), the funds were used to develop security tools, educational resources, updated guidelines, and training on strategies to improve the culture of cybersecurity and physical security at small distribution utilities.
Through the CEDS program, public power utilities large and small can access a variety of tools to help thwart cyberattacks. CEDS gives association members access to cybersecurity and resiliency assessments, a cybersecurity scorecard, cybersecurity training, and cybersecurity and resiliency tools. Among the activities undertaken through the CEDS program are exercises, utility site assessments and information sharing with other association members.
One of the key steps in the CEDS process is to educate utilities about cybersecurity risks and measures they can take to reduce their vulnerability. One of the first steps is for utilities to complete a self-assessment survey. The assessment is based on the DOE’s Cybersecurity Capability Maturity Model (C2M2), which helps organizations of all sizes to evaluate, prioritize and improve their cybersecurity capabilities. The C2M2 assessment has 312 questions, which can be a heavy lift, especially for smaller public power utilities. Therefore, the association has whittled the survey down to 14 foundational questions.
The Public Power Cybersecurity Scorecard, the streamlined process based on DOE’s C2M2 survey, is an online self-assessment tool that enables public power utilities to assess cyber risk, plan improvements, prioritize investments and benchmark their security posture. The scorecard provides utilities with a starting point from which they can address cyber risks. After completing the assessment, a utility receives guidance, reports and tools to help improve its cybersecurity. Once the utility reaches a certain level, it can shoot for the next target.
The association rolled out the scorecard last April and has seen good participation so far. However, there is more work to do as it wants to educate 2000 public power utilities on practicing cyber vigilance. The association’s interim goal is to bring about 400 utilities on board by the end of 2019. While a survey showed most utilities were doing something about cybersecurity, it also revealed the need for more training and workforce development.
A Nebraska Public Power District grid operator monitors the flow of electricity to utility customers. Photo Courtesy of NPPD.
Franklin Public Utility District (PUD) is one utility that went through the C2M2 process. In fact, Franklin PUD helped the association to pilot its Public Power Cybersecurity Scorecard. After the utility learned about the C2M2 at an association workshop, going through the survey process proved eye-opening.
The results gave Franklin PUD a benchmark that could be used to gauge the maturity, in C2M2 parlance, of its cybersecurity preparedness. Information Technology (IT) Manager Chris Schow was able to present the results to the utility’s leadership and get them to adopt the framework. The survey also enabled Franklin PUD to identify gaps and plug holes in its cybersecurity defenses. The process helped the utility’s leadership to realize cybersecurity is not just an IT problem.
So far, Franklin PUD has conducted three assessments: one at the corporate level, one on its broadband unit, and one on its supervisory control and data acquisition operations. The utility’s initial goal was to achieve what the DOE calls maturity indicator level 1 (MIL1) status for its corporate network. MIL is a marker of progress on the path to cyber preparedness. A status of MIL1 means an organization has a cybersecurity strategy. MIL2 means an organization has defined its cybersecurity objectives and aligned them with the organization’s strategy. MIL3 indicates an organization’s cybersecurity strategy is updated to reflect changes to the business and the threat profile.
Franklin PUD’s next goal is to work toward a higher maturity level across the utility. It now reviews its cybersecurity stance monthly. This is a piecemeal but practical approach, born of the realization that everything cannot be done at once. Smaller utilities must start at square one and build cyber maturity
The U.S. electric grid is a modern marvel of connected generating units and transmission and distribution lines. Cyber-criminals aim to disrupt this system. Photo Courtesy of Lafayette Utilities System.
A Pervasive Culture
One of the practices Franklin PUD instituted is conducting regular exercises to help utility employees fend off phishing attacks. Phishing is the act of using deceptive emails and websites to trick people into divulging sensitive information, such as passwords. Franklin PUD now conducts monthly training exercises, mostly through videos supplied by a vendor, that focus on issues like safe web browsing and safe email practices.
The utility also sends an email to employees to attempt to trick them into clicking on a link or opening an attachment. If the employee fails the test — that is, they click on the link or open the attachment — they must attend more training sessions. A single click on a fraudulent link by a critical employee with administrator privileges can open the door for a hacker to penetrate a utility’s system.
The monthly exercises, combined with a “report phishing email” button Franklin PUD installed on its computer systems, have borne results. Schow noted employees are reporting phishing emails more frequently. This enables him to send alerts to all employees to be on guard against a threat and to block a phishing attempt at the source, at the company’s firewall.
Another public power utility reported the use of auto-reporting tools has resulted in a rise in the share of employees who recognize a phishing attempt from about 20% to 80%.
One of the first steps in strengthening the chain of defenses against cyberattacks is instilling an awareness of the risks and prevalence of those attacks among all employees, a process CEDS is helping to implement.
It is important for all utilities to develop a culture of cybersecurity. It is not just one person’s job; it is everybody’s job.