It’s hard to scan a movie or best-seller’s list without coming upon a dystopian story – or many. Perhaps that’s why we don’t appear to take seriously the threat of hackers disabling the grid.
We’ve become habituated. That was last week’s episode.
But no. As a recent report from the U.S. Department of Homeland Security indicates we really do need to worry. We now have evidence of hackers, possibly a hostile government, disabling a power grid. This happened in the Ukraine in December when 225,000 people from three utility companies lost power. The power systems are operating again, but under constraints.
A group of American investigators traveled to the Ukraine to learn what happened. Among them were representatives from the FBI, U.S. Department of Energy, and North American Electric Reliability Corporation.
The team found that the power outages were caused by coordinated, remote cyber intrusions, “probably following extensive reconnaissance of the victim networks,” says the Homeland Security report.
Security experts say the same kind of enemy information gathering is happening on the U.S. grid. Several energy companies have reported repeated probes for weaknesses by hackers.
“They can’t’ beat us in the air, they can’t beat us on the sea or ground. So they are going to go after us where we are vulnerable and that is in protection of our infrastructure,” said William Anderson, a former Air Force assistant secretary and now a defense consultant who specializes in energy.
Decentralizing the grid creates a kind of safety net. It’s harder to simultaneously attack several independent targets than one big interconnected grid. Plus, advanced microgrids can perceive an intrusion or disruption on the grid and quickly island to become self-sustaining sources of power.
But don’t feel comforted. We’ve only just begun to decentralize the grid. Microgrids exist in the hundreds in the U.S. when we probably need them in hundreds of thousands for protection. We may not reach that level for decades. As Anderson points out, it took us more than 100 years to build today’s electric grid. Building a grid-of-microgrids in the U.S. could take another 40-50 years if we use the same regulatory and development approach, he said.
“We should be going all-hands-on-deck building these things,” he said.
Of course even a decentralized grid does not afford total protection. In fact, unsecured distributed generation could act as a portal for hackers to infilitrate the grid. Realizing this, the microgrid industry has focused on creating microgrid controllers – the brain of the system – that are secure.
Microgrid cybersecurity strategy
John Carroll, business development director for IPERC (short for Intelligent Power & Energy Research Corporation), a microgrid company that works with the military, describes a “defense-in-depth cybersecurity strategy,” the company takes.
“This effectively hardens the command and control system of the microgrid and prevents any cyber disruption of generation dispatch, load control and distribution automation. The further refinement of the employment of cybersecure microgrids is one potential answer to cyber hardening our electric grid, one piece at a time,” he said.
Igor Stamenkovic, global technology manager at Eaton, said that today’s microgrids are designed specifically to withstand cyberattack.
“The microgrid today, especially the controls and communications system, is cutting edge technology. They are built with the means to provide very secure communications to avoid cyberattacks or minimize their effect,” he said.
The bad guys, of course, keep coming up with new means of cyberattack. The microgrids constantly upgrade software in response, as do utility cyber-security systems. One fear, however, is that malicious code already exists on the grid, lying dormant and undetected, in equipment manufactured in foreign countries and perhaps installed years ago.
In anticipation of severe storms or cyberattack, some jurisdictions are prioritizing where they install microgrids initially. A handful of states with micogrid policies, most of them in the Northeast, are focusing first on certain critical facilities, those services that society absolutely cannot do without when the power goes out. These include hospitals, police, water, waste treatment, communications, government, grocery stores, gas stations and emergency shelters.
Consequences of an extended outage
But as Anderson points out, we are an electricity-dependent society. An extended outage would require power at more than just some critical facilities in a few states.
“What we are talking about are catastrophic failures that would suggest not a two-hour or two-day grid outage. We’re talking weeks, months and potentially years depending on the severity of the attack. This is a serious issue which we are just beginning to get our heads around,” Anderson said.
Imagine an outage that encompasses 1,000 square miles. “There is not enough gas in your tank. How do you evacuate? You have millions of people in the same situation. No food is coming in. People who have health issues, like diabetics who need insulin…insulin needs to be refrigerated and after a few days the insulin goes bad,” he said. “You see a waterfall of disaster that occurs.”
Even in the U.S.’ worst disasters, storms like Katrina and Sandy, relief supplies arrived within days and the grid was back online in two weeks.
“In a situation where the grid does not come back in two weeks, it is not long after that you spiral down in a situation where you are back in the Middle Ages. We are not prepared as a society to deal with that,” he said. “If the automation goes away, to be very blunt, a lot of people die in relatively short order.”
So as we undergo a noisy and raucous political season, why isn’t more made of our vulnerable electric grid?
Anderson doesn’t seen apathy as the problem, but something even more troubling.
“The country in my mind has been very slow to respond to this issue. Some people have said it is because the right people don’t really think it’s a big issue. I think it’s more that folks do realize how big the issue is, and we don’t necessary have all of fixes available today to deal with the problem,” he said.
So maybe the possibility of electric grid collapse isn’t, afterall, a story told too often, but a story too terrible too tell.
What’s your take on U.S. cybersecurity for the electric grid? Post your thoughts on Microgrid Knowledge’s LinkedIn Group.