U.S. lawmakers are concerned about the lack of preparation for a possible long-term power outage caused by a cyber-attack against the energy sector. For all the admiration the electric grid merits as an engineering achievement, it is increasingly at risk.
Part of this is merely due to the age of many of its essential components. The American Society of Civil Engineers (ASCE) has noted: “Altogether, our nation’s electric energy infrastructure is a patchwork system that has evolved over a long period of time, with equipment of widely differing ages and capacities. For example, about 51% of the generating capacity of the U.S. is in plants that were at least 30 years old at the end of 2010. Most gas-fired capacity is less than 10 years old, while 73% of all coal-fired capacity is 30 years or older. Moreover, nationally, 70% of transmission lines and power transformers are 25 years or older, while 60% of circuit breakers are more than 30 years old.”
The figures speak for themselves and are alarming: the US network is obsolete and aging. The world's largest economy is far from having a power grid to match its standing.
“41% of cyber-attacks are targeting enterprises of energy, particularly oil and gas.” This statement by General Keith Alexander of the National Security Agency shows why cyber security and the fight against cyber-attacks should be at the heart of the oil and gas industry's concerns.
According to The Global Cost of Cybercrime, compiled by the Center for Strategic International Studies on behalf of McAfee, cybercrime costs the global economy an estimated 375 to 575 billion dollars each year. The cost to the United States alone is estimated at $100 billion per year, or 0.64% of the country's GDP.
The global energy industry is regularly targeted. In 2010, the computer worm Stuxnet was used to attack the Natanz centrifuges that Tehran used to enrich uranium. In 2012, in the space of a few days, cyber-attacks targeted Saudi Aramco and RasGas Qatar in order to bring production to a halt. Some 30,000 computers at Aramco were put out of use.
Although the attack did not create operational disruptions, it caused physical disruption to vital energy supply chains. It was certainly a vigorous wake-up call to the energy industry across the world. While the means of cyber-attacks are virtual, the impact can be physical: even the biggest and wealthiest are not immune from cyber incidents.
The reality today is that these attacks are far stealthier than anything the industry has seen before, as energy system operations become more electrically interconnected. The increasingly complex nature of these cyber-attacks corresponds directly with the growing level of danger they pose to the power sector.
The Transportation and Infrastructure Committee of the House of Representatives is worried, to the point that it took up the question of preparing the United States for the risk of cyber-attacks on its electric distribution network. In an opening speech at the meeting held last month on the subject, Congressman Lou Barletta from Pennsylvania, chairman of the Subcommittee on Economic Development, Public Buildings and Emergency Management, held a considerable number of hearings on the issue of cybersecurity and focused on how to stop the “bad guys.” But he believes that “the consequences from a massive cyberattack that brings down, for example, a large portion of the electrical grid for an extended period of time” have not received comparable attention.
Yet Lou Barletta stressed that “the federal government has realistic estimates or scenarios for states to plan” for a major hurricane or earthquake. But for a cyberattack with dramatic repercussions on the physical world, “The federal government does not have this basic planning scenario,” especially for an electric power interruption lasting a few days. In the case of an interruption of several weeks, or a month or more, “local government has to potentially plan for increased public safety, water treatment, sheltering or evacuation, fuel delivery for generators and many other contingencies.”
According to the US Department of Interior, the energy sector was the target of “more than 40% of all reported cyber-attacks”. Lou Barletta also reminded the public of a Ukrainian precedent last December, when a cyber-attack helped spark a widespread power cut. The relatively dilapidated facilities there allowed power to be restored manually in the space of a few hours.
This is not always the case. Last year, Verizon teams were forced to intervene with a critical infrastructure operator running several critical information technology (IT) and operational technology (OT) functions on the same AS400 system. Attackers were able to take advantage of vulnerabilities in customer web applications to access the identifier, compromise the AS400 and interfere from there with the proper functioning of the water distribution circuit, modifying the chemical parameters of the water treatment.
The consequences of such attacks are easy to imagine and catastrophic. It seems obvious that all energy industries should be able not only to deal with cyber-attacks but also to prevent such events from happening by implementing strong protection and cyber security prevention programs. Once an industry is attacked, the longer-term proactive precautions are more important than the origin of the attackers, whether they are based in China, Russia or elsewhere.
For those still skeptical that a network can be hacked, the Red Team Security Consulting company was able to break easily into a power company in the Midwest. A sobering 15-minute video proves that power companies need to step up their game in the fight against cyber attackers or it could be “lights out.”
A focus on resilience should not hide the importance of the long-term fight against cyber-attacks. Given the increasing number of attacks the United States will face in the coming years, improving the resilience of its electricity grid is now a priority.
If resiliency appears more attractive in the eyes of private actors as a more efficient, short-term solution, public authorities should not lose sight of the importance of preventing a dramatic “lights out” scenario. Treating the symptoms, that is to say cyber-attacks, is important as long as we also tackle the root of the problem: infrastructure.