Feds struggle to plug power grid security holes

Published 10 April 2014

In 2013 Adam Crain, the owner of a small tech firm in Raleigh, North Carolina, discovered a flaw in the software used to monitor electrical substations. When he shared his discovery of weak points within the power grid with officials at DHS, the department immediately sent alerts to grid operators, advising them to upgrade their software.

“There are a lot of people going through various stages of denial” about how hackers could disrupt the power grid, Crain said. “If I could write a tool that does this, you can be sure a nation state or someone with more resources could.”

The Los Angeles Times reports that current vulnerabilities in the power grid are attributable to newly adopted smart-grid technology, which allows operators to transmit energy from a diverse pool of resources. Smart-grid technology relies on devices in remote locations that constantly communicate with substations; those access points can be compromised by hackers.

“The whole idea of a smart grid is to push equipment further and further away from the substations,” Crain said. “Some of it is even in people’s homes. It’s physically impossible to secure it all.”

With a smart grid, a cyberterrorist can access a power substation by tapping into the control panel at an electric vehicle charging station.

Improving the cybersecurity practices of utilities is ever more challenging due to the tensions between federal regulators and industry. Power companies warn that the complexities of the power grid require experienced utility operators, not federal regulators, to monitor security. “The notion of … a single government agency giving an order to direct changes in the grid is extremely dangerous,” said Gerry Cauley, chief executive of the North American Electric Reliability Corporation (NERC).

The Times notes that some regulators believe utilities tend not to consider security as a priority expenditure. In their defense, power companies point to the billions of dollars spent to upgrade outdated computer systems and fill security gaps. Utilities have contracted security firms like Booz Allen Hamilton to locate potentially mischievous devices hidden in their equipment. Security firms continue to help utilities review intelligence reports provided by federal agencies, and they often simulate cyberattacks. “It is the equivalent of war gaming, like the military does,” said Steve Senterfit, vice president of commercial energy at Booz Allen Hamilton.

Responding to requests from power companies seeking protection against the risk of cyberattack, appraisers from Lloyd’s of London visited many American utilities and concluded that security initiatives at about half the companies they reviewed are too weak for Lloyd’s to offer a policy.

“When Lloyd’s won’t insure you, you know you’ve got a problem,” said Patrick Miller, founder of the Energy Sector Security Consortium.