The Department of Homeland Security (DHS) sent alarm bells ringing across the power sector Monday when it announced that Russian-backed hackers have infiltrated utility control rooms, gaining the "ability to throw switches" and cause potential blackouts in a campaign that claimed "hundreds" of victims.
The announcement, made during an unclassified DHS web briefing, stoked some of the worst fears of power sector leaders — namely of a coordinated attack to compromise electricity delivery across broad swaths of the United States. Security concerns are a central focus for utility leaders, who rank them as the top issue facing the industry in sector surveys.
Some grid security experts, however, question the DHS's framing of the issue, particularly the ability of hackers to cause potential blackouts across large areas.
"[M]essaging ... around 'throwing switches' and causing 'blackouts' is misleading on the impact of the targeting that took place," Robert Lee, CEO of cybersecurity firm Dragos, said in an emailed statement. "What was observed is incredibly concerning but images of imminent blackouts are not representative of what happened."
"The very real possibility of localized action is out there, but the grid is not going down tomorrow, next year, or anytime in the near future."
Joe Slowik
Adversary Hunter, Dragos
Instead, cybersecurity experts say the DHS findings, first released to utility leaders a year ago, show that adversaries are surveilling the power system and could cause local disruptions, but are not yet able to trigger widespread outages.
"The actions so far are indicative of reconnaissance and operational preparation of the environment, so the sort of information you would need at a later date to be able to perform some sort of action," said Joe Slowik, an adversary hunter at Dragos. "The very real possibility of localized action is out there, but the grid is not going down tomorrow, next year, or anytime in the near future."
In Washington, the Trump administration has used security concerns to support its push to keep uneconomic coal and nuclear plants online, arguing that their retirement constitutes a grid emergency because of threats to gas pipelines that supply fuel to other generators. Utility companies, however, say there is no imminent threat of outages that demands urgent action based on cybersecurity concerns.
"Grid operators have been working closely with the government on this particular threat for the better part of the last year," said Scott Aaronson, vice president of security and preparedness at the Edison Electric Institute, the trade group for U.S. investor owned utilities. "So, no emergency today, and we are keenly aware of those threats and have been working to mitigate them ever since they were communicated to us."
Parsing the threat
Monday's DHS briefing is part of an agency effort to spread awareness of the cyberthreats to U.S. energy infrastructure, but "not much has changed" in its assessment since the information was first disclosed in July 2017, Slowik said.
The difference, he said, is in the agency's framing of the threat — particularly its assertions that adversaries can flip switches on power infrastructure, and that attacks have affected hundreds of victims.
"When you combine those two, it sounds like a very scary situation — that there are hundreds of places where some nasty adversary could start flipping switches and causing blackouts, but that's not the case," Slowik said. "If you look at how these attacks have played out and the adversary in question, what their trade craft amounts to is that these are very manual, very human-in-the-loop operations."
Causing a widespread blackout would require an adversary to disrupt multiple elements of critical power infrastructure at once, Slowick said, likely necessitating an automated attack with a level of sophistication not yet observed among hackers.
"The only way to get into a truly cascading, widespread effect is to have persistent, dedicated access to multiple sites across the country where you could then simultaneously launch the appropriate sort [attack] at the same time so you overload the system," he said. "That level of coordination and automation is just not something that we see existing anywhere."
The upshot, experts say, is that if an adversary shifts from reconnaissance to an outright attack, it may be able to disrupt power to a single city for a short time, but likely not an entire region.
"The concept of being able to get our power and start flipping switches, that is actually a realistic threat," said Alexander Heid, chief research and development officer at SecurityScorecard, a cybersecurity firm. "If and when that happens, it's going to affect localized areas and so it's not like the entire country goes off."
Such an attack could look like the one Russian-backed hackers launched against Ukraine in 2015, disrupting power to parts of Kiev for a few hours, Slowik said, rather than an event like the 2003 Northeast weather-related blackout, which deprived multiple states and Canadian provinces of power for days.
"Everything leading up to the deployment of the malware itself [in Ukraine] was very manual in nature, so you couldn't scale that attack across a country as big as Ukraine, let alone as big as the United States," Slowik said.
‘Inherent' grid protections
While all experts agree that even a short outage to a major city would have serious consequences, the complexity in both the bulk power system and individual energy assets makes it naturally difficult for such problems to spread.
"When you talk about the grid, you're really talking about a system of systems of various different components that are interoperable, sort of working together, but also sort of isolated from one another," Slowik said. "To get into cascading [outages] … it's a very minimal risk of that happening anytime soon simply because the grid has been designed to respond to natural disasters, lightning strikes, etc."
Individual power system assets also provide some natural protection from widespread outages due to their unique operating systems, called industrial control systems.
"Industrial control systems are, by definition, some of the most important assets in the energy grid, but they are also probably the most unique," Aaronson said. "Therefore they have an inherent security because of the way they are configured and deployed.
To flip enough switches to cause a cascading outage, Slowick and Aaronson said a hacker would have to devise and deploy unique bugs for each industrial control system it wished to target.
"At that point it's cheaper to just to drop a bomb on it as far as I'm concerned," Slowik said.
In Washington, the Trump administration has singled out control systems for natural gas pipelines for scrutiny, saying in a leaked memo this spring that they are "increasingly vulnerable to cyber- and physical attacks."
Due in part to that risk, the White House in March directed the Department of Energy to prepare plans to keep retiring coal and nuclear generators online, saying their onsite fuel supplies provide more security than gas plants fed by pipelines.
Cyber experts, however, say there are threats to each type of energy infrastructure. While coal and nuclear plants may have fuel onsite, Slowick noted, they also rely on cooling systems potentially vulnerable to hacking, need transmission lines to deliver power, and present large, centralized targets for hackers, among other vulnerabilities.
"Every generating form has its own form of weakness. All it takes is someone motivated to suss them out and find them," he said. "The idea that coal or nuclear represents an unhackable, reliable standard is ignoring a lot of very real pain points that exist within those generating types as well."
One emerging threat to existing power assets of all types can come from upgrades that connect them more readily to the internet, Heid said.
"What you have are these, these large, critical infrastructure setups that previously had no internet connectivity ... and now they've been quote unquote upgraded," he said, "which basically means they're more accessible and easier to use, which goes both ways from a user and an attacker's perspective."
Sometimes, such upgrades can expose critical infrastructure to the internet without operators even knowing it. Heid said SecurityScorecard once found an IP address that could open an entire hydroelectric dam with the push of a button.
"There was no password on it. It wasn't really a hack that we did," he said. "The issue is that this is a very, very common thing. It's a misconfiguration, but the company didn't even know that it had been exposed to the internet."
Security and human nature
Beyond the workings of the grid itself, one of the greatest threats to utility cybersecurity comes not from U.S. adversaries, but from our response to their activities, cautioned Mike Legatt, CEO at Resilient Grid, a software company that provides situational awareness and emergency response capabilities to critical infrastructure operators.
"The risk of our responding to a perceived risk is higher than the perceived risk itself," said Legatt, who holds Ph.Ds in neuropsychology and power systems engineering.
Legatt worries that panic over the perceived threat of Russian hacking will lead policymakers to design slapdash solutions — whether it's subsidizing aging plants or another option.
"Our people care really deeply about the safety of the system and everyone that counts on it, so we have this tendency to just very quickly respond and create something, anything that we believe is going to get us out of the imminent danger that we perceive ourselves in," he said.
"The whole point of critical infrastructure is that it's always under attack."
Mike Legatt
CEO, Resilient Grid
Some cyber experts think that may already be happening. Earlier this month, the Federal Energy Regulatory Commission issued a new rule that will expand reporting of cyberthreats from utilities and their vendors, requiring them to report attempted attacks, not just successful ones.
Slowik worries that rule, if finalized, will "inundate" FERC and the North American Electric Reliability Corporation with information on minor hacking attempts, making it more difficult to identify true threats.
"That desire to get on top of this threat leads to a decision where you're probably almost doing more harm than good and you'll really miss valuable details," he said, "because now you're being swamped and too much information because they're not collecting or the limiting yourself to the right information."
FERC directed NERC to make changes to its reporting requirements within six months, which Slowik said could give the entities time to narrow their scope of inquiry.
"I think until someone sits down and really thinks about what defines an intrusion attempt, [the rule] is going to generate a lot more noise than it's going to generate actual value," he said.
Regardless of the reporting requirements, Legatt urged utility leaders and policymakers to resist the urge to alter their proven techniques for ensuring reliability simply because threat to the power system comes from a hacker, rather than a hurricane or wildfire.
"The whole point of critical infrastructure is that it's always under attack. The power grid is always trying to keep the lights on through severe storms," he said. "When you're focused on maintaining the reliability of a system, you anticipate, think through, and try to insulate against future attacks. In that sense, I think this just fits that same paradigm."