On March 5, 2019, electricity grid operators in the Western United States experienced an unprecedented, coordinated attempt to disrupt their services. The attack, which exploited vulnerabilities in internet-facing firewalls (the devices meant to filter out unwanted or hostile traffic), caused short disruptions in the systems that monitor the health of the grids, the nerve centers that route power from where it is produced to where it is needed. This effectively “blinded” the operators for stretches of up to 10 minutes.
There were no consumer or business power disruptions during this incident, but it marked the first occasion that this kind of cyber attack had been reported to the Federal Department of Energy. Two weeks prior to this event, then-U.S. Director of National Intelligence Dan Coats warned that Russian hackers were capable of interrupting electricity “for at least a few hours,” similar to cyberattacks on Ukrainian utilities in 2015 and 2016 that caused hours-long outages for about a quarter-million people.
While the Federal Government is not generally in the business of energy production and distribution, it does have ultimate responsibility for regulating those industries and providing guidance. The industry is governed by an interlocking set of organizations headed by the North American Electric Reliability Corporation (NERC), a not-for-profit international regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid. Other agencies involved include the Federal Energy Regulatory Commission and the Department of Energy.
In the Trump Administration’s eagerness to promote fossil fuel extraction and power generation, the security of our energy distribution infrastructure has been left to a patchwork of agencies that excludes some that might help in resisting or repelling these attacks, such as the Department of Homeland Security or the Federal Bureau of Investigation. Given the likelihood of foreign actors, it is disturbing that DHS played no role in the investigation or mitigation.
The March 5, 2019 attack was simple. It exploited a known vulnerability in the firewall system software to restart the devices over and over again. No data was stolen and no systems were tampered with, but if an element of the grid had malfunctioned during one of these episodes, the grid operator would not have known it.
NERC issued a “lessons learned” report in early September, noticeably not identifying or speculating on the source of the attacks. Its recommendations were prescriptive, similar to the measures you would take on your home computer systems: keep them up to date with the latest security patches from the vendor, change passwords frequently, use complex (longer, mixing case, numbers, symbols) password combinations, and limit access to the public internet.
The Trump Administration has embraced cyber warfare as another element in its arsenal. It is unclear if cyber defense is equally high on the agenda.
- The Federation of American Scientists (FAS) provides science-based analysis of and solutions to protect against catastrophic threats to national and international security. Here’s their word on threats to the power grid
- Department of Energy CyberSecurity Policy explains the DOE’s role in protecting our nation’s energy infrastructure
- NERC “Lessons Learned” document goes into detail about the March incident
- The Council on Foreign Relations warned of the threat in a 2017 report
Photo by Patrick Tomasso