Partner Perspectives

Securing Our Electric Power Grid Is Critical

Highly complex infrastructure systems require protection against cyberattacks.

Electricity is so much a part of our everyday lives that we really only think about it when it is not there. That is why it is so important to build better security for our national electric power grid and other critical infrastructure.

The power grid is a highly complex system, with multiple layers of defense, backup systems, safety mechanisms, and human operators. These layers successfully protect the system from most single-point failures. As Professor Richard Cook points out in his paper How Complex Systems Fail, catastrophe requires multiple small failures joining together in a cascading effect. The 2003 blackout in the northeastern part of North America clearly confirmed this scenario, moving so quickly that it only took seven minutes from the initial failure to the full blackout – too fast for human operators to counter. It then took between two and seven days to restore power to customers.

Change introduces new forms of failure. The power industry is continually upgrading and evolving its systems, from generation to delivery. Smart meters enable time-of-day pricing, connected thermostats can be turned down during times of peak demand, and renewable energy sources need to be constantly monitored to adjust for fluctuations in their production. A lot of this involves equipment that is network-connected. And network connections mean the potential for cyberattacks.

Whether it is a gang of criminals trying to disrupt the electricity for extortion, terrorists attempting to damage it for headlines, or nation states attacking it as part of their intelligence or combat strategy, the end result of a successful attack is blackouts, economic damage, and potentially weeks or months of repair. And the risk of a successful attack is not theoretical, as repeatedly demonstrated by simulated attacks, field trials, and cyberwar games, dating back to at least 2007.

In our Internet of Things Security Solutions Group, we have been actively working on better protections for the electric power grid and other critical infrastructure. Our work with the Center for Strategic and International Studies (CSIS) has shown that this is a real and present danger. Of the 200 organizations from around the world that we surveyed, 85% have experienced network infiltration, 65% frequently find sabotage-capable malware on their systems, and 25% have been subject to cyber-based extortion.

Building security into the power grid is challenging, due to the importance of service availability and the amount of legacy infrastructure. Since December 2013, we have been field-trialing a joint project with Wind River for critical infrastructure protection at Texas Tech University, where our solution withstood penetration testing and protected the system from the Heartbleed vulnerability and Havex attacks. This solution, developed in collaboration with the Discovery Across Texas smart grid project, separates security management from operations, providing device identity, malware protection, and data protection in a secure platform. By understanding the needs of the industry, the solution works with both new and legacy infrastructure, with little or no changes to business processes or application software.

Electricity is critical to the daily operations of people, businesses, and governments around the world, and we need to improve its defenses against malicious attacks before some criminal group decides to demonstrate its capability to make us powerless.

Recommended Reading: