Every day, hackers ranging from high school kids to Iranian Revolutionary Guards search for ways to control or disrupt the flow of power in the United States or steal consumer information, according to regulators and security experts. And even as utilities boost cyberdefenses, the hackers seem to be targeting the ever-growing number of devices and computer systems linked to the grid.
"If you're a utility today, depending on your scale, you're under attack at this moment," said Robert Weisenmiller, chairman of the California Energy Commission. Some utilities, he said, face thousands of probes each day.
Government regulators have recently focused on the physical security of the grid, following a possible terrorist attack last year on a Pacific Gas and Electric Co. substation in San Jose. Unknown assailants striking at night cut telephone lines to the Metcalf substation, then knocked out 17 transformers with precise gunfire before fleeing.
But cyberattacks are gaining more attention. Last year, a cyberemergency team within the Department of Homeland Security responded to more than 80 incidents involving energy companies, according to a report from the Bipartisan Policy Center think tank.
The threat has grown more difficult to fight over time. Efforts to make the electrical grid "smarter" by using sensors, automation and communications technology have created new potential pathways for hackers to explore, experts say, from the 476,000 miles of high-voltage transmission lines spanning the country to the millions of digital smart meters now installed in American homes.
Relentless Hackers
"There are some very good hackers out there, and they're not going to take 'no' for an answer," said Andy Saunders, managing consultant for the IOActive smart grid security firm. "They're going to keep throwing things at these devices and systems."
Solid information on grid cyberattacks is difficult to find since utilities rarely discuss the subject in public.
"Like most in our industry, there's very little we can share publicly on the topic of cybersecurity," said PG&E spokeswoman Jody Fox. "We have a responsibility to our customers and to the public at large to keep confidential any specific information about our cybersecurity measures that could be used by malicious actors looking to gain access to our systems."
IOActive warned in 2009 that smart meters were vulnerable to a computer worm attack that could cut off electricity to whole communities. The industry has since started using encryption technology and boosted spending on security.
"Doing all that has removed some of the vulnerabilities, but what that doesn't do is remove the threat," Saunders said.
The situation is complicated by the hodgepodge nature of the grid. Smart meters built this year co-exist on the same network with power-plant gear installed decades ago, pieces of which may predate the Internet. And the computer systems that control all those disparate pieces of equipment have changed over the years.
"Fifty years ago, cybersecurity was not high on the priority list," said Annabelle Lee, senior technical executive at the Electric Power Research Institute, a research organization that serves utilities. "You still have a large amount of that legacy equipment that's going to be out there for a long time."
The federal government has long worried about the potential devastation a cyberattack could wreak, both for individual companies and the entire country.
In 2007, government researchers staged an experimental cyberattack, dubbed "Aurora," on an electric generator within a U.S. Department of Energy lab in Idaho, causing the generator to self-destruct. The Department of Homeland Security then worked with energy companies on ways to thwart a real attack.
Working Group
The utility industry and several federal agencies have formed a working group of top-level executives and government officials who meet regularly on the subject.
Utilities are also deploying a government-funded system called Cybersecurity Risk Information Sharing Program that monitors their networks for signs of hacker activity, using both unclassified and classified information to identify potential threats. Details of new malware can be shared among government agencies and utilities almost immediately, said Scott Aaronson, senior director for national security policy at the Edison Electric Institute, a utility trade association.
And in November, more than 230 companies and government offices participated in a two-day simulation of a coordinated physical and cyberattack on the nation's electric grid, in an exercise known as GridEx II. The simulation included denial-of-service attacks on company networks and assaults on substations.
"It's an evolving threat, and we need a constantly evolving response," Aaronson said.
Respond and Recover
However, eliminating the threat is an impossible task, he said. Instead, the utilities must constantly find ways to prevent attacks and respond and recover quickly from a breach.
"You can't protect everything from everything," he said.
So far, several experts said, no blackout in the United States has been definitively pinned on a cyberattack. A National Journal article in 2008 argued that hackers in China may have caused a 2008 outage in Florida and played a role in the 2003 blackout that cut power to 55 million people in the northeastern United States and Canada.
Officials blamed the incidents on other causes.
©2014 the San Francisco Chronicle