A sophisticated cyberattack on the U.S. power grid could cause nearly $250 billion in economic losses and, under the most severe circumstances, cost more than $1 trillion to the U.S. economy, according to a recent report prepared by Lloyd’s and the University of Cambridge Centre for Risk Studies. The Business Blackout Report considers the impacts of a cyberattack on the U.S. power grid using a hypothetical attack scenario that plunges 15 states, including New York City and Washington, D.C., into darkness. Although the scenario is improbable, it highlights the gravity of the emerging risk of cyberattacks on our national power grid and the urgency with which companies in the electricity industry need to become compromise ready.
Evidence collected by the U.S. Department of Homeland Defense (DHS) shows that cyberattacks on key energy infrastructure – particularly the electric system – are increasing in both sophistication and frequency. The size and complexity of the national power grid make it a highly vulnerable target by numerous threat actors seeking to wreak havoc, including terrorist organizations, nation-states, hacktivists, cyber-criminals, and even disgruntled employees. The DHS’s Industrial Control System Cyber Emergency Response Team (ICS-CERT), which works with private industry to reduce risks to critical infrastructure, reported that for the second year in a row it received and responded to more incidents in the energy sector (79) than in any other sector of critical infrastructure. It is thus unsurprising that U.S. utilities are expected to spend about $7 billion on cybersecurity by 2020.
The Modern Grid
The U.S. electric grid is a complex network of power plants and transformers connected by more than 450,000 miles of high-voltage transmission lines. Electricity from transmission lines is reduced to lower voltage at substations, and distribution companies deliver electricity to homes and businesses. The grid is currently undergoing a major evolution with new technologies to make the grid more reliable, resilient, and efficient. Many industrial control systems (ICS) that operate the electric grid, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and programmable logic controllers (PLC), were not originally developed to be connected to the Internet, and thus, network security was not a top concern. But as the grid and the ICS that operate it are modernized with the new “smart grid” technologies that allow remote monitoring and control, it becomes more susceptible to cyberattacks.
The national grid is actually composed of three discrete grids systems or “interconnections” that transfer power around the country: the Eastern, Western, and Texas Interconnections. Electricity cannot be steered along specific routes but flows based on physical laws – the path of least electrical resistance. As a result, power system operators must continually adjust generators to keep the grid operating within a narrow range of voltage and frequency. Because of the difficulty of transferring power between the three major interconnections, the delivery of power within the grid is overseen by the North American Electric Reliability Corporation (NERC). NERC developed reliability standards for the bulk power system that are enforced by the Federal Energy Regulatory Commission (FERC), including the Critical Infrastructure Protection (CIP) Standards. The newest version of NERC’s CIP Standards (Version 5), the key provisions of which become effective April 1, 2016, establishes a new classification scheme for bulk electric system (BES) cyber systems so that all cyber assets that could impact BES facilities are now in scope for CIP Standards. This new classification scheme, which classifies BES cyber systems based on whether a system has a low, medium, or high impact on the reliable operation of the BES, is expected to encompass assets and organizations not previously subject to CIP Standards. The CIP Standards establish a baseline level of protection against cyberattacks for the bulk power system by setting forth standards relating to, among other things, cyber asset identification, security management controls, systems security, and incident reporting and response planning. However, not all organizations that make up the national grid are subject to CIP Standards. For example, distribution system utilities responsible for delivering electricity to retail customers generally operate outside of these standards and, instead, are subject to disparate state and local oversight with few mandatory cybersecurity requirements. The lack of consistent cybersecurity standards across the increasingly “connected” national electric system creates a greater risk that cyberattacks could cause a devastating disruption to our electric power system, such as the hypothetical scenario described in the Business Blackout Report.
The Cyberattack Scenario
The Business Blackout Report analyzes the potential costs to the U.S. economy and the insurance industry that could result from an advanced cyberattack on the nation’s electric grid. In the hypothetical scenario, an unidentified group motivated to cause significant disruption inside the U.S. employs a small team of sophisticated hackers who are knowledgeable about reverse engineering in the domestic electricity sector and grid systems. The hacker team utilizes several known tactics to penetrate the security measures protecting the electric grid, including identifying laptops of key personnel with access to multiple power plants; “phishing” attacks designed to compromise the corporate network in order to gain access to the control systems; and hacking of remotely accessed control systems. Ultimately, the team is able to install malware into a number of plant generator control rooms. Although the malware compromises more than a hundred control rooms, launching an attack is only viable on 10 percent of the control rooms. Yet, due to the systemic design of generator control rooms, the malware can be deployed to more than 70 generators. For months the malware lies undetected until it is triggered by the hackers in July during peak demand in order to maximize the likelihood of widespread disruption. After systematically disabling security systems that ensure synchronization between generators and the grid, the hackers are able to damage 50 generators in rapid succession, destabilizing the grid and triggering a widespread blackout in 15 states in the Northeast and leaving 93 million people without power.
The report then paints a bleak picture of the aftermath as power is gradually restored across the region. People are injured in traffic and industrial accidents as power is suddenly lost, and the loss of power during the hot summer weather results in numerous deaths over the following weeks. The blackout shuts down factories and businesses that generate almost one-third of the nation’s economic production. Sectors of the economy that depend on electronic financial transactions, email, and the Internet for commercial activity are forced to shut down. Regional airports cannot operate due to lack of power for security screening equipment, and all subways and electric trains are nonoperational during the crisis. Maritime ports are unable to operate without electricity, causing disruption in the supply chain that has ripple effects beyond the affected region. Ultimately, the report estimates that the cyberattack costs the U.S. economy between $243 billion and $1 trillion, depending primarily on the length of time required to restore power across the region.
The Need for Greater Preparation
As these cascading effects of a massive cyberattack on our grid illustrate, a significant interruption to the nation’s electricity supply can have dire consequences that are difficult to overstate. The current efforts to modernize the electric system introduce systemic vulnerabilities at a time when cyber threats are rapidly growing in frequency and sophistication. Although compliance with mandatory standards for bulk electric systems may be enough for some energy companies to prevent fines, the potential exposure from a sophisticated cyberattack is far too great for energy companies not to be proactive in developing a comprehensive cybersecurity plan that evolves as quickly as the threat landscape. Cybersecurity preparedness for companies in the critical infrastructure sector goes beyond investment in, and use of, technology to defend against cyberattacks. It requires building multifaceted response teams that can effectively prepare for, and steer the company through, a sophisticated cyberattack and its aftermath. Importantly, responding to a successful cyberattack on the electric power system will not only require cyber-specific responses, such as identification and removal of malware, it will also require traditional disaster response operations to deal with the aftermath of a widespread attack. As the electric power system continues to undergo massive technological upgrades at a time when cyber threats are rapidly evolving in complexity and frequency, cybersecurity is and will remain a significant issue and top priority for the electric power sector.