A new measure is designed to make it harder for cyber attackers to take down the nation's electrical grid, but will it do more harm than good?
On Dec. 23, hackers targeted three Ukrainian electricity companies, plunging 225,000 people into darkness.
The attack was the first confirmed cyberattack to have caused a widespread power outage. Computer security experts who study industrial control systems argue that a similar attack could very well take place in the United States, and now Congress is poised to act on legislation that seeks to keep cyber hackers from being able to turn off the lights.
Many experts who work on protecting the grid from hackers argue that the Energy Policy Modernization Act is a step in the right direction — but say it could, and should, go much further.
The flagship provision of the 27 pages of that act devoted to cybersecurity grants the energy secretary emergency power to take control of the nation’s power grid in the event of a cyberattack — a measure designed to improve how Washington responds to a hack rather than preventing one in the first place. The bill also earmarks $100 million annually between 2017 and 2025 for cybersecurity research and development, training, and assorted measures to harden the grid against attack. The White House backs the measure with reservations, but its fate on Capitol Hill is uncertain.
Warnings that hackers could take down the electrical grid have often been dismissed as fear-mongering by contractors looking for new business, but a growing chorus of government officials is now emphasizing the need to protect it. On Tuesday, Homeland Security Secretary Jeh Johnson said the Ukraine hack was “fairly sophisticated” and should serve as a “wake-up call.”
A team of Homeland Security experts has decamped to Ukraine in recent weeks to investigate the breach and has confirmed in a public advisory that “external cyber-attackers” caused the outage. Washington has refused to directly accuse anyone of the attack, but Ukrainian officials have pointed the finger at Russia.
For all that, electric industry officials are remarkably sanguine about the threat posed by hackers. Asked whether events in Ukraine worried him, Marc Sachs, a senior vice president and chief security officer at the North American Electric Reliability Corp., offered a one-word answer: “No.”
“The Ukrainians made a lot of mistakes,” Sachs said in an interview, arguing that the U.S. power industry was subject to mandatory regulations that have forced operators to invest heavily in cyber security measures. “In terms of getting ahead of the problem, the United States and Canada are light-years ahead of Europe and Asia.”
The legislation, co-sponsored by Sens. Lisa Murkowski (R-Alaska) and Maria Cantwell (D-Washington state), was passed by the Senate Energy Committee in July but is currently held up amid a dispute over federal funding for the water crisis in Flint, Michigan. That means it’s unclear if, or when, it will get a full Senate vote. If it passes the Senate, the measure faces another challenge in the House, which passed its own, different energy bill in December. Lawmakers will likely hash out the differences between the bills in conference committee.
The White House supports the Senate measure but has said it omits “key security considerations with regard to provisions dealing with cybersecurity and computing.” A senior Obama administration official declined to be more specific, but said the White House was open to working with Congress to improve the bill.
Cyber security experts from outside the government weren’t remotely as reticent about highlighting what the bill does well — and where it falls short in ways that could make problems worse.
Robert Lee, a former Air Force cyber warfare operations officer who has studied the Ukraine attack closely, argues that the groundbreaking attack shows the perils of trying to legislate cybersecurity. The attackers spent six months in the system and stole legitimate credentials in order to gain control of computers operating electrical breakers. “They used the system against itself,” said Lee, now an instructor at the SANS Institute, which provides cybersecurity training. “There is no technology that stops that.”
Indeed, the Senate legislation’s emergency authority — which matches language passed in last year’s highway bill — all but assumes that an attack will eventually happen. “We want to be very clear and very organized in an emergency as to who people are going to listen to,” said a Senate Democratic aide, speaking on condition of anonymity to discuss the bill’s drafting.
The bulk of the bill’s spending will go to the Energy Department, which it tasks with coming up with tools and technologies to better protect the grid from cyber attack. It also tasks the department with enhancing and testing its emergency response capabilities in the event the grid is brought down by hackers. The bill includes provisions to improve workforce training, identify grid vulnerabilities, protect the supply chain, and carry out forensic analyses of compromised systems.
According to Lee, possible improvements to the bill include tax incentives for companies that provide cybersecurity training for their staff and incentives to encourage companies to invest in new products with strong security features.
“Strengthening our defenses requires continuous improvement by the dedicated people who keep the lights on, government agencies and policymakers,” said Michael Tadeo, a spokesman for the Senate Energy Committee. “While our collective work is far from finished, passing the energy bill is an important next step.”
The electrical industry faces major challenges in securing itself against a cyberattack, said Perry Pederson, a co-founder and managing principal of Langner Security, a consultancy working on cybersecurity for industrial control systems. Power companies often have computer systems that are decades old and securing such systems against state adversaries is no small task, requiring major investments, Pederson said.
The grid’s potential vulnerabilities extend well beyond the cyber realm. In 2013, one — perhaps two — individuals attacked a California substation by cutting fiber-optic cables running to the facility and then firing high-powered rifles at transformers there. The attack did not result in major power outages, but the incident nonetheless spooked U.S. officials who saw it as an example of the sprawling grid’s many points of vulnerability.
Industry, unsurprisingly, insists the grid is already secure.
In remarks Wednesday at a New American Foundation conference, Tom Fanning, the head of the Southern Company, one of the world’s largest utilities, said the power sector is among the most prepared in the United States for a cyber attack. “Is the U.S. grid 100 percent insulated from threat? Absolutely not,” Fanning said. “But are we safe? Yeah.”
The industry’s defenders point to such innovations as the Electricity Subsector Coordinating Council, a liaison group between the government and the industry that is co-chaired by Fanning, as examples of how Washington and grid operators are working together to improve grid security. The industry has an information-sharing body — the E-ISAC — that keeps operators informed about digital threats. A pilot information-sharing program known as CRISP integrates classified government information and shares it in near-real time.
These kinds of provisions may protect the grid against low-level attacks but will likely do little to prevent a determined, well-resourced adversary from shutting off power. According to CIA Director John Brennan, the United States hasn’t suffered a power outage as a result of a cyber attack because the countries — Russia, China, and perhaps North Korea and Iran — that could pull off such an operation simply don’t want to. “Those who may have the capability do not have the intent,” Brennan told CBS last month. “Those who may have the intent right now I believe do not have the capability.”
Pulling off a cyber attack that knocks out power isn’t easy. “You actually need to know how these [operational technology] systems operate. They require a very specific set of commands to operate,” said Jason Christopher, senior technical leader at the Electric Power Research Institute. “You are talking about having an intimate, engineering understanding of the grid.”
Indeed, for all their preparations, the U.S. energy industry may very well be helpless in the face of a competent adversary. In the case of Ukraine, the attackers spent six months in the system, observing and learning how it functioned.
Translation: Islamic State hackers would love to knock down the U.S. grid but lack the skill and manpower to do it; China could do it, but why would they?
If an attack were to take place in the United States, Lee is concerned that the emergency provisions granted to the energy sector may make matters worse before they get better. American cyber operators are well-trained in how to take down a grid, but they lack the infrastructure to practice bringing one back online. If hackers were to take out power in New York City, Lee expressed concern that responders may damage the grid in trying to bring power back.
“Policymakers are being informed by Ted Koppel’s book Lights Out rather than how the grid actually works,” Lee said, referencing an alarmist book that has become a shorthand in the cybersecurity industry for how to think poorly about the topic.
Lee has a modest suggestion for how the NSA should prepare for an attack on the grid: The agency should buy a decommissioned power plant, hook it up to a mock grid, and use it as a training facility.