Every year Connecticut releases a review of its critical infrastructure. This year’s report provided a statistic that may have sent chills down the backs of electric grid security experts.
The state’s electric, gas and water utilities often see more than one million “distinct probes” in a single day.
Actually, this isn’t uncommon among utilities. Electric power giant Duke Energy recently revealed it fended off about 650 million intrusion attempts last year.
While some attempts are from private actors, many are from powerful nation states. And it’s not just giant utilities that are targets. In a 2014 test run with cybersecurity company N-Dimension, the National Rural Electric Cooperative reported the average small utility is being probed or attacked every three seconds.
Vulnerabilities At The Bulk Power Level
While our bulk power SCADA systems are better defended than distribution utilities, they are not immune to attacks. Hackers who have already breached many utility networks remain in reconnaissance mode.
The ability to access utility networks and attack grid assets was first revealed during the 2015 and 2016 assaults on Ukraine’s power grid. Cybersecurity firm Dragos conducted the forensic analysis of those attacks. According to Dragos CEO Robert Lee, aspects of the 2016 attack suggested “it was meant to be used multiple times. And not just in Ukraine.”
Connected Devices: Entry Portals And Weapons
Obviously, vulnerable SCADA-driven systems are of great concern. However, the soft underbelly of the utility industry will likely be exposed during the proliferation of Internet-connected distributed energy devices.
The Connecticut report says as much. It acknowledges the Internet of Things “proliferates the number of ways a company can be hacked and penetrated and offers more platforms to attack.” The document further warns that IoT devices often fall outside traditional vulnerability scanning and security patching for computers and network devices.
The report also notes that the industry relies on broadband cable infrastructure to connect to these devices. That dependence grows daily as more connected assets join the grid. This is a large reason why Connecticut’s review of its critical infrastructure suggests communications companies also be part of the annual cyber review.
Those who need further proof we are becoming a world full of utility-connected devices need only consult the just-released report on demand response (DR) from the Smart Electric Power Alliance. It states that last year utilities reported over four million customers enrolled in direct air conditioning switch programs, 1.2 million customers with connected water heaters, and almost 1.4 million customers enrolled in smart thermostat programs. Each of those devices represents a potential attack vector.
That much we know. What we haven’t thought enough about is what might happen if these devices were hijacked.
A Bad Day For The Power Grid
In its recent paper “Defending the Grid from IoT,” Pacific Northwest National Laboratory gives us a glimpse of what might happen when DR aggregators are compromised.
A hacker programs multiple connected and distributed assets to change their behavior. Those devices could then immediately consume enough energy from (or release energy into) the grid to destabilize it. These devices could also be programmed to act at a certain time without human direction. This could create significant voltage fluctuations and volatility which would trip protective systems and cause blackouts.
Right now we’re talking about present-day targets like water heaters and air conditioners. Now imagine a world with bidirectional vehicle-to-grid integration. Electric buses and passenger vehicles would contain battery packs holding up to 600 kilowatt hours (kWh) and 100 kWh respectively.
An attacker’s signal to a fleet of hundreds or thousands of these connected vehicles could instantly manipulate these battery packs to release or absorb power. This could significantly destabilize the grid beyond the regional distribution system up to the bulk power level.
So whether attacking water heaters or electric vehicles, hackers could destabilize the grid without ever coming into direct contact with the power industry’s IT systems.
The scenarios are chilling. However, there are steps we can take now to prevent them.
Next Time: How To Better Protect The Grid