USA TODAY US Edition

Could hackers knock out the power grid?

A year ago, Ukraine lost power after computer breaches

- Bill Loveless (@bill_loveless), Special for USA TODAY. Bill Loveless is a veteran energy journalist and podcast host in Washington. He is the former anchor of the TV program Platts Energy Week.

Worries over cyberattacks on the USA are increasing in the aftermath of a presidential election in which the CIA alleged that Russia used such means to influence our electoral process.

For the moment, the vulnerability of polling and political operations to hacking gets most of the attention.

But this week will mark the one-year anniversary of the first publicly acknowledged cyberincident to take down portions of a power grid, one of the most critical components of a nation’s infrastructure.

On Dec. 23, 2015, about 225,000 customers of three electric distribution companies in western Ukraine lost power as a result of computer breaches and malware plants that investigations indicate began six months before.

Though caught unawares by the incursion, the Ukrainian companies restored electricity within several hours, using old-fashioned manual controls rather than suddenly unreliable computers.

As for responsibility for the sabotage, Ukraine blames Russia. Could it happen here? Executives with the U.S. power industry, which participated with Ukraine and U.S. government agencies in an inquiry into last year’s blackout, have insisted for months that such an occurrence is unlikely here.

Days from the one-year anniversary of the Ukraine event, a top official with the U.S. organization responsible for enforcing security and reliability standards for bulk power systems said he’s more certain than ever that such a risk within our borders is minimal.

“The chain of events there is very unlikely to happen here,” said Marcus Sachs, the senior vice president and chief security officer at the North American Electric Reliability Corp. (NERC), a non-profit industry organization that oversees generation and transmission facilities and their control systems in the USA and Canada.

“We know people are trying it all the time, but to be fair, it hasn’t happened, which is likely due to hidden resilience from our enforceable standards, training and operational diversity,” Sachs said at NERC’s offices in Washington. “What we’re constantly trying to learn is why does it work here as well as it does, and we’re uncovering little things that (the) Ukraine (incident) helped us with.”

According to Sachs, formerly the vice president for national security policy at Verizon Communications, the resilience results largely from mandatory standards developed by NERC in response to legislation passed by Congress in 2005.

Those standards require utilities to routinely check their computer systems for dangerous exposure on the Internet, including sophisticated measures to protect the software that collects data from remote locations to control equipment.

They also include more mundane steps, such as providing reminders to change passwords.

“As we started going through it, we began to see the No. 1 problem was hygiene, a lack of just doing common-sense things,” Sachs said of inquiries into the Ukraine blackout.

“Half the computers there were using pirated or stolen or recycled software. Upgrades hadn’t been happening. Patching wasn’t happening. All of the things we’ve been teaching people to do since the 1990s, like change your password from time to time, and don’t put it on a sticky note, they weren’t doing that.”

Some still worry about U.S. preparedness for a cyberattack on the grid, among them former TV anchor Ted Koppel, whose 2015 book, Lights Out, accused the power industry and the government of demonstrating insufficient attention to the potential for a blackout and the public turmoil that could follow.

“When Koppel says the grid is a mouse click away from collapse, he’s wrong,” Sachs said, though he agreed with the author’s claims that government efforts to prepare the public for potential crises such as cyberattacks on infrastructure are muddled.

“I think he’s spot-on there,” the NERC official said. “There’s still a lot of infighting within the government.”

THINKSTOCK The power grid is an inviting target for computer hackers.