caHome
caMail
caManagement
caBlog
caSupport
Billing
caAtlas
caWeb
Many major power producers, including Exelon Corp. are currently discussing with regulators and stakeholders a detailed plan for preventing and responding to cyber attacks designed to disrupt the country’s electric system.
Discussions at the IHS CERAWeek in Houston
According to Exelon Chief Executive Officer Christopher Crane during a panel at IHS CERAWeek in Houston, questions that remain unresolved in the discussion include who is in charge and would substations that are hit be considered a crime scene.
Crane said, “Think about the civil unrest in Philadelphia and Baltimore and some of the communities we serve if you have multiple days of power not flowing.”
The debate arises as U.S. power grids are upgraded from an analog to a digital system, increasing the potential that the systems that manage the flow of electricity to millions of Americans could be shut down by a cyber attack. Some of the many challenges include the differences in security requirements across the country and the world, how the grids share power in times of high demand and the substantial task of bringing together industry, government and the technology community to find solutions.
Eversource Energy CEO Thomas May said in the same panel discussion, cybersecurity is listed among the top risks in many power companies’ regulatory fillings. Adjustments to the grid will have to be made in the context of physical and cybersecurity issues together, according to Nick Atkins, CEO of American Electric Power Co.
Hackers Gain Access to Power Grid with Renewables Through Open Back Door
The process of creating a greener electricity grid is boosting its vulnerability to computer hacking, increasing the risk that spies or criminals can cause blackouts. According to computer security experts advising governments and utilities, adding wind farms, solar panels and smart meters to the power distribution system opens additional portals through which hackers can attack the grids. Where usually the grid took power from a few sources, it is now absorbing it from thousands. In 2014, that realization came, just as the hackers known as “Dragonfly” and “Energetic Bear” gained access to power networks across the U.S. and Europe.
New back-door entry paths for hackers to raise havoc with the grid are being provided by the communications networks and software that link green energy sources to the grid as well as the electronic meters that send real time power usage to consumers and utilities. The hackers known as “Dragonfly” and “Energetic Bear” gained access to power networks across the U.S. and Europe should be a reminder of how vulnerable the system has become.
Utilities are already grappling with other challenges to the grid, which may spend what may run into the billions of dollars for computer security. Grid managers are being forced to run systems that communicate real-time data on power flows to consumers and power plants, by a new multitude of energy inputs. As a result, it is bringing networks that were previously closely controlled into contact with computer and telecommunication systems used by millions.
Electric Grid Attacks that have been Documented
Many documented attacks, both cyber and physical have been reported on the electric grid which resulted in equipment damage, service disruption and long term repair. President Barack Obama signed an executive order in February of 2014 calling for work to assess which parts of the grid are most at risk. Many utilities are not waiting for the government’s findings though. In February, Dominion Resources Inc., owner of Virginia’s larges electric company, told investors it will spend $500 million over five years to harden critical substations. Regulators have been asked by American Electric Power Co.’s Ohio utility to grant the right to levy a special charge for cyber security.
Millions are being Budgeted
Almost a third of the 61 power and utility companies surveyed by Ernst & Young LLP stated that they are spending more than $3 million a year — at least $183 million in total — on information security including protection from cyber threats.
In 2013, utility chief executive officers started meeting with senior Homeland Security officials to discuss not only ways to detect attacks, but also block them and prepare to restore power quickly when one succeeds.
The story is much similar in Europe. According to International Data Corp., a market research based in Framingham, Massachusetts, consulting and testing services associated with cybersecurity at utilities there will be more than double to 412 million euros ($564 million) a year by 2016.
Converting to Smart Meters
The energy industry was already the sixth-most targeted sector worldwide in 2013. In the U.S. it was the top target, accounting for 59 percent of the 256 attacks recorded by the U.S. Department of Homeland Security. Nearly all the details of the incidents are kept secret to prevent damage to the companies that were victimized.
Traditionally, all power use was measured by mechanical meters, in which a utility worker was required to inspect and read them. Utilities now are converting to smart meters that communicate data on flows minute by minute both to customers and utilities. The British government’s goal is to have most homes to using smart meters by 2020, opening millions of new access points for attackers. Programs similar to this are in place across the U.S. and Europe as well.
Anytime more software is introduced, more complexity is introduced as well, and inevitably more potential holes to the system.
Vulnerabilities that Smart Meters Bring
According to Nick Hunn, chief technology officer at WiFore, a U.K.-based wireless technology consultant, energy companies are only starting to understand the vulnerabilities that smart meters bring.
In the U.K. every meter being deployed has a “relay” that can disconnect a household from the power supply. This is controlled from a computer keyboard by the utility. It would take just one small piece of code inserted by a rogue programmer to disconnect the power from millions of meters and disable the remote connection to the utility since the same code goes into all meters.
‘Dragonfly’ Incident
In February 2013, hackers thought to be in Eastern Europe began targeting renewable energy power companies with spam and gained access to networks at three companies a few months later. While Symantec didn’t name the companies, it is said most of the incidents were in Spain, the U.S., France and Italy.
These hackers used a French website of a clean power provider as a “watering hole,” where victims from the targeted company visit and pick up infected code, according to Symantec. They were able to gain access to industrial control systems and install malware that can duplicate itself and spread to other computers.
While “Dragonfly” was one of the more recent in a series of breaches affecting energy companies, the U.S. traced dozens of surveillance sorties in 2012 and 2013 on gas pipelines and electric utilities to the People’s Liberation Army in China.
Teenager Breaches Hundreds of Servers
“There’s a reluctance to talk about these attacks because no one wants to disclose their vulnerabilities,” according to Sameer Patil, associate fellow of Gateway House, a researcher in Mumbai specialized in terrorism and national security. There has been attacks seen from Chinese and Pakistani hackers against Indian utilities.
One of the very few cases that reached the public included a 17-year-old in the Netherlands who was arrested in March 2012 in Barendrecht for breaching hundreds of servers maintained by KPN NV, a telecommunications company providing smart-meter services to utilities.
Reliability is being challenged by the amount of renewables being integrated into the grid because there are more information and computer technology components being introduced into the grid. The amount of cyber vulnerabilities is increasing.
According to Peter Terium, chairman of the management board of RWE AG, Germany’s second-largest power company, even the most secure and well tested networks are not entirely impregnable. Nothing is un-hackable, ultimately.
Source: bloomberg.com
