InfrastructureU.S. power grid easy prey for hackers

The old technology used to manage the U.S. power grid is vulnerable to manipulation or sabotage, according to a study released last week.

Kevin Bullis writes in Technology Review that attackers could manipulate power-grid data by breaking into substations and intercepting communications between substations, grid operators, and electricity suppliers. This data is used by grid operators to set prices for electricity and to balance supply and demand, the researchers say. Grid hackers could make millions of dollars at the expense of electricity consumers by influencing electricity markets. They could also make the grid unstable, causing blackouts.

The attacks would be difficult to trace, according to Le Xie, an assistant professor of electrical and computer engineering at Texas A&M University, speaking at the IEEE SmartGridComm2010 conference in Gaithersburg, Maryland, last week. Vulnerabilities have existed in some grid systems for decades, but the threat is becoming worse as more substations become automated, and unmanned, making it easier for an attacker to access grid data.

As utilities move over to open communications standards as part of the migration to the smart grid, it could get even easier to intercept communications or hack into systems remotely.

Bullis notes that electric-grid operators forecast supply and demand a day ahead of time, and set prices for customers in different places in accordance. This helps keep supply steady and the grid stable. Power generators then allocate their resources based on this predicted demand and pricing. After they’ve supplied the electricity, the operators settle the accounts by looking at exactly how much power was generated by whom, and how it was distributed.

Xie and colleagues say this data is vulnerable to manipulation. Attackers could tap into the communications lines between the substations and grid operators, and inject false information. If they are careful, the new data will seem like ordinary fluctuations on the grid.

Xie gave an example of how attackers could manipulate grid data to make money. By manipulating this data, an attacker could make it seem like a transmission line between two cities was simply congested. This would force grid operators to take power from more expensive generators, increasing prices at that node in the grid. Armed with this information, the attacker could place bets via an online power market to make a profit. “The virtual trader basically gambles against the price difference between the day-ahead market and the real-time market,” Xie says.

Bullis writes that if someone wanted to cause a blackout, spurious data about how much power is flowing could be used to fool grid operators into overloading parts of the grid, tripping generators and leading to cascading failures. Again, if the attackers were careful, the erroneous data would go unnoticed. A blackout could then occur before grid operators have the chance to correct for the problem.

Fixing the vulnerability will not be easy either. It could take twenty years for utilities to replace old infrastructure with equipment with security measures, such as encryption. Requiring utilities to make the changes sooner would be expensive, says György Dán, a professor of electrical engineering at the Royal Institute of Technology in Sweden. Dán presented research separate from Xie on how such attacks could be accomplished, and what it will take to protect against them. A recent move to add more sensors to the grid, as part of a “smart grid” project that received $4.5 billion from the Recovery Act, could help. The researchers presenting at the conference showed that an attacker would have to corrupt more sensors to create a problem without getting caught.

On the other hand, adding these sensors, and the communication networks needed to access their data, could add new vulnerabilities by adding new points of entry. Deepa Kundur, a professor of electrical and computer engineering at Texas A&M, is developing simulations to help determine the risks involved. “It’s not yet clear whether the smart grid will be worth the risks,” she told Bullis.