by K.T. Weaver, SkyVision Solutions

On October 21, 2015, Gregory C. Wilshusen, U. S. Government Accountability Office (GAO), Director for Information Security Issues, presented Congressional testimony to the Subcommittees on Energy and Research and Technology, Committee on Science, Space, and Technology, House of Representatives.

The Energy Daily reported the energy industry headline for the GAO Congressional testimony as follows:

“Despite the known vulnerability of some advanced meters and other smart grid technology to hackers, the Federal Energy Regulatory Commission is not monitoring industry compliance with voluntary cybersecurity standards set for grid modernization.”

Key statements from the testimony include the following:

“[C]ybersecurity experts have demonstrated that certain smart meters can be successfully attacked, possibly resulting in disruption to the electricity grid.”

“As government, private sector, and personal activities continue to move to networked operations, the threat will continue to grow.”

“Reported incidents affecting the electricity subsector have had a variety of impacts, including hacks into smart meters to steal power, failure in control systems devices requiring power plants to be shut down, and malicious software disabling safety monitoring systems.”

“[The Federal Energy Regulatory Commission] FERC does not know the extent to which [voluntary cybersecurity] standards have been adopted or whether they are effective.”

What follows are selected excerpts from the published testimony for Gregory C. Wilshusen:

“Thank you for inviting me to testify at today’s hearing on efforts by federal agencies, including the Department of Energy, and industry to mitigate cybersecurity threats to U.S. power systems.  As you know, the electric power industry is increasingly incorporating information and communications technologies (ICT) and networks into its existing infrastructure (e.g., electricity networks, including power lines and customer meters).  This use of ICT can provide many benefits, such as greater efficiency and lower costs to consumers.  Along with these anticipated benefits, however, cybersecurity and industry experts have expressed concern that, if not implemented securely, modernized electricity grid systems will be vulnerable to attacks that could result in widespread loss of electrical services essential to maintaining our national economy and security.”

“This vision — the smart grid — would increase the use of IT systems and networks and two-way communication to automate actions that system operators formerly had to make manually.  Electricity grid modernization is an ongoing process, and initiatives have commonly involved installing advanced metering infrastructure (smart meters) on homes and commercial buildings that enable two-way communication between the utility and customer.   Other initiatives include adding ‘smart’ components to provide the system operator with more detailed data on the conditions of the transmission and distribution systems and better tools to observe the overall condition of the grid (referred to as ‘wide-area situational awareness’).”

“Like threats affecting other critical infrastructures, threats to the electricity industry and its transmission and distribution systems are evolving and growing and can come from a wide array of sources.  Risks to cyber-based assets can originate from unintentional or intentional threats.  Unintentional threats can be caused by, among other things, natural disasters, defective computer or network equipment, software coding errors, and careless or poorly trained employees.  Intentional threats include both targeted and untargeted attacks from a variety of sources, including criminal groups, hackers, disgruntled insiders, foreign nations engaged in espionage and information warfare, and terrorists.”

“We and others have also reported that smart grid and related systems have known cyber vulnerabilities.  For example, cybersecurity experts have demonstrated that certain smart meters can be successfully attacked, possibly resulting in disruption to the electricity grid.  In addition, we have reported that control systems used in industrial settings such as electricity generation have vulnerabilities that could result in serious damages and disruption if exploited.  Further, in 2007, the Department of Homeland Security, in cooperation with the Department of Energy, ran a test that demonstrated that a vulnerability commonly referred to as ‘Aurora’ had the potential to allow unauthorized users to remotely control, misuse, and cause damage to a small commercial electric generator.”

“Moreover, in 2008, the Central Intelligence Agency reported that malicious activities against IT systems and networks have caused disruption of electric power capabilities in multiple regions overseas, including a case that resulted in a multi-city power outage.”

“In January 2014, the Director of National Intelligence testified that industrial control systems and SCADA systems used in electrical power distribution and other industries provided an enticing target to malicious actors and that, although newer architectures provide flexibility, functionality, and resilience, large segments remain vulnerable to attack, which might cause significant economic or human impact.”

“Further, in 2015 the Director testified that studies asserted that foreign cyber actors were developing means to access industrial control systems remotely, including those that manage critical infrastructures such as electric power grids.  As government, private sector, and personal activities continue to move to networked operations, the threat will continue to grow.”

“Cyber incidents continue to affect the electric industry.  For example, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team noted that the number of reported cyber incidents affecting control systems of companies in the electricity subsector increased from 3 in 2009 to 25 in 2011.  The response team reported that the energy sector, which includes the electricity subsector, led all others in fiscal year 2014 with 79 reported incidents.  Reported incidents affecting the electricity subsector have had a variety of impacts, including hacks into smart meters to steal power, failure in control systems devices requiring power plants to be shut down, and malicious software disabling safety monitoring systems.”

“In summary, as they become increasingly reliant on computerized technologies, the electricity industry’s systems and networks are susceptible to an evolving array of cyber-based threats.  Key entities, including NERC [North American Electric Reliability Corporation] and FERC, are critical to approving and disseminating cybersecurity guidance and standards, while NIST [National Institute of Standards and Technology], DHS, and the Department of Energy have additional roles to play in providing guidance and providing other forms of support for protecting the sector against cyber threats.”

“Moreover, without monitoring the implementation of voluntary cybersecurity standards in the industry, FERC does not know the extent to which such standards have been adopted or whether they are effective.”

Conclusions and ‘Lights Out’

Based upon the GAO Congressional testimony, it is known that cybersecurity threats are evolving with regard to the electricity grid and that the continued move toward networked ‘smart’ systems further causes the threats to grow.  There are voluntary cyber security standards which theoretically establish a baseline level of protection, but no one is monitoring compliance with these standards.  It is not hard to predict that this story is not going to end well.

Ted Koppel, a retired veteran journalist, just authored a timely new book, “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath.”  It is appropriate to end this article with a few quotes from this new book.  Koppel’s book generally asserts that a major blackout of our nation’s power grid caused by a cyberattack is not just a possibility but a likelihood.  Unfortunately, there are those in government and industry who downplay the risks.  Quoting from the book:

“It was Ed Markey, then a congressman, who back in 2010 solicited the opinions of some of the nation’s top national security experts on the vulnerability of the grid.  He provided a redacted version of that confidential letter for this book.  When I asked Markey to respond to officials at the Department of Homeland Security who insist that the grid is resilient, he said, ‘They are ignoring the warning of almost every national security expert who has studied the issue’.”  [emphasis added]

Koppel also quotes George Cotter, a former chief scientist at the National Security Agency:

“Incredibly weak cybersecurity standards with a wide-open communications and network fabric virtually guarantees success to major nation-states and competent hacktivists.  This [electric power] industry is simply unrealistic in believing in the resiliency of this Grid subject to a sophisticated attack.  When such an attack occurs, make no mistake, there will be major loss of life and serious crippling of National Security capabilities.” [emphasis added]

One section in the Koppel book discusses the threat posed by utility registered ‘smart’ thermostats to the electricity grid:

“The ‘smart’ thermostat that automatically lowers the temperature in a customer’s home at night or warms his kitchen before he gets up in the morning has to be connected to the company’s billing department, which in turn needs to be connected to whatever department actually conveys electricity to the home.  Each connection provides another potential attack surface.

In theory, the administrative network is ‘air-gapped’ from the operational side of each power company, meaning that there is no physical connection between the two.  Power companies insist that those two networks are absolutely separate and not connected.  Whenever Homeland Security or the Federal Energy Regulatory Commission has hired computer forensic experts to investigate this claim, however, they have found minute connections.  A Verizon/ Secret Service study concluded that two-thirds of companies across a spectrum of industries didn’t realize they had been breached until someone outside the company informed them.  Another study, conducted by the cybersecurity firm FireEye, found that it took on average 279 days before companies that had been breached came to realize it or were told by someone else.

The problem with air-gapping, one academic specialist warned me, is that it fails to take the human factor into account:  ‘Every time a worker brings in a thumb drive or laptop from home and hooks it up to an ‘isolated’ system, the mobility of workers bridges the air gap’.”

Despite the fact that ‘smart’ meters and other so-called ‘smart’ devices increase the likelihood of a successful cyber attack, both government and industry move forward with deployments.  Rather than spending billions of dollars on ‘smart’ meters, we should spend the money helping to defend our nation against major cyberattacks and planning on how to deal with the aftermath for the eventual successful attack.  But alas, officials of sufficient authority will not listen or act until it is too late.  The GAO’s testimony and Ted Koppel’s book offer ominous warnings to “a nation unprepared.”

If you have time, watch a 3-minute video clip involving an interview with Ted Koppel on his new book (below).  As stated by Mr. Koppel, “the Department of Homeland Security does not have a plan for the civilian population in the event that this happens.”

[The above video contains material used pursuant to the Fair Use Doctrine under 17 U.S.C. 107 and is presented in the public’s interest for non-commercial purposes.]

Source Material for this Article

Critical Infrastructure Protection: Cybersecurity of the Nation’s Electricity Grid Requires Continued Attention; GAO-16-174T: Published: Oct 21, 2015. Publicly Released: Oct 21, 2015; available for review at https://skyvisionsolutions.files.wordpress.com/2015/10/gao-critical-infrastructure-protection-673245.pdf

“GAO: FERC in the dark on compliance with voluntary smart grid cyber standards,” at http://www.theenergydaily.com/ced/transmission/GAO-FERC-in-the-dark-on-compliance-with-voluntary-smart-grid-cyber-standards_13221.html

Subcommittee on Energy and Subcommittee on Research and Technology Hearing: Cybersecurity for Power Systems, October 21, 2015; full video at https://www.youtube.com/watch?v=V_xuv65vVKs

Koppel, Ted (2015-10-27). Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath; Kindle Edition; available at http://www.amazon.com/dp/B00UQERM4C/ref=pe_385040_118058080_TE_M1T1DP

“The O’Reilly Factor” FOX News Network program, Ted Koppel interview which aired October 27, 2015.

Additional Relevant References

“Is America completely unprepared for a power grid cyberattack?,” at http://www.pbs.org/newshour/bb/america-completely-unprepared-power-grid-cyberattack/; also see https://www.youtube.com/watch?v=TN8AscHzeFQ&feature=youtu.be and https://www.youtube.com/watch?v=a-lxZtHjhkg

Can cyber-hackers shut down the power grid? at https://youtu.be/z2-rkZOL8C4

Copyright Notice © SkyVision Solutions and Smart Grid Awareness, 2013 – 2015.  Unauthorized use and/or duplication of original material from this site without express and written permission from this site’s author and/or owner is strictly prohibited.  Excerpts and links may be used, provided that full and clear credit is given to SkyVision Solutions and Smart Grid Awareness with appropriate and specific direction to the original content.