Grid securityRussians hacked into America’s electric grid. Here’s why securing it is hard.

By Theodore J. Kury

Published 25 July 2018

Hackers taking down the U.S. electricity grid may sound like a plot ripped from a Bruce Willis action movie, but the Department of Homeland Security has recently disclosed new details about the extent to which Russia has infiltrated “critical infrastructure” like American power plants, water facilities and gas pipelines. This hacking is similar to the 2015 and 2016 attacks on Ukraine’s grid. While DHS has raised the number of the Russian utility-hacking incidents it detected from dozens to hundreds, it still maintains that this infiltration has not risen beyond scouting mode. Clearly, there’s no time to waste in shoring up the grid’s security. Yet getting that done is not easy.

Hackers taking down the U.S. electricity grid may sound like a plot ripped from a Bruce Willis action movie, but the Department of Homeland Security has recently disclosed new details about the extent to which Russia has infiltrated “critical infrastructure” like American power plants, water facilities and gas pipelines.

This hacking is similar to the 2015 and 2016 attacks on Ukraine’s grid. While DHS has raised the number of the Russian utility-hacking incidents it detected from dozens to hundreds, it still maintains that this infiltration has not risen beyond scouting mode. Russia denies having any role in the hacking, yet the specter of Russian sabotage in the U.S. now seems more realistic than it used to.

Clearly, there’s no time to waste in shoring up the grid’s security. Yet getting that done is not easy, as I’ve learned through my research regarding efforts in to stave off outages in hurricane-prone Florida.

A catch-22
There is no way to completely protect the grid. Even if that were possible, utilities tend to adopt new and better security procedures after mishaps, boosting the chance that some attacks will succeed.

Regulation at the state and federal levels makes it hard for utilities and regulators to work together to get this job done.

Utilities can charge their customers only what it takes for them to cover reasonable expenses. Regulators must approve their rates through a process that needs to be open to public scrutiny.

Say, for example, a power company is building a substation. The utility would disclose what it spent on construction, prove that it picked its contractors responsibly and explain how this new capacity is enhancing its service. The regulator then must decide what rate hikes, if any, would be reasonable – after hearing out everyone with something at stake.

Following this routine is harder with cyberdefense spending. Security concerns make it tough