Exposed: Our Power Grid
Today’s electric power grid is very different from the one
my grandfather built in a small town in Norway during the 1930s. There
were no computer controls and the reliability was poor compared with
today’s standard. Personally, I helped develop some of the automation in
the current US grid during the late 1970s and some of those solutions
might still be operating. I was well versed with control systems, SCADA
and power-system modeling. During those days the key issues were high
uptime and low cost. Protecting against hackers and people with
malicious intent did not enter our minds.
Today the situation is very different. The electric grid is highly
automated and efficient. We enjoy a system that moves electric power
long distances with an impressive reliability. We are so accustomed to
electricity being available by the flip of a switch that we cannot
imagine what we will do if it suddenly was unavailable for extended
There is essentially no public discussion about how we might manage
if the electricity in our large cities is unavailable for days and
weeks. When a major blackout hit New York City in 1977,
it resulted in widespread looting, vandalism and violence. The blackout
that started on August 14, 2003 in Ohio resulted in a loss of 61,800 MW
of load that served 10 million people in Ontario Canada plus 45 million
people in eight states in northeast of the US. The total economic
impact of this event was about $6B.
The 2003 event lasted as little as a few hours for some people and as
long as two days for others. Can you imagine the impact of a blackout
that lasts for days and weeks? Experts with experience in analyzing the
grid know that people determined to cause damage can create huge impact.
It is unfortunately easier to cause such damage than the public thinks.
We have for several years adequately protected the computers used by
the military, financial institutions, and others. There are best
practices to protect secrets, fend off thieves, and make sure the
computers continue working. These issues, despite receiving quite a bit
of publicity, are easier and of less consequence than protecting the
electric grid. Damaging the electric grid by a cyber attack has the
potential of having catastrophic impact. Furthermore, the source of such
an attack would probably not be traceable due to the ease of using
nested proxy servers to mask where the attack is coming from.
Unfortunately, the electric utilities appear to be unwilling to
acknowledge the seriousness of the problem and do what it takes to make
the grid more resilient. A key reason for this reluctance is that the
electric utilities are a regulated industry and they do what the state
public service commissions ask them to do. Furthermore, they usually ask
for permission from these commissions to recover their expenses before
they embark on expensive projects.
As you can see, there is a built-in mechanism to go slow, not to
spend money, and not to be proactive. The industry is simply not
organized in a manner that enables it to move rapidly in response to
accelerated sophistication of cyber hackers, some of whom are believed
to be funded by nation states.
During the last three years, I have followed the Smart Grid Cyber
Security work at National Institute of Standards and Technology (NIST).
They have coordinated the activities of about a hundred volunteers who
have debated and documented cyber security guidelines for the electric
grid resulting in a three volume document named NISTIR 7628. Unfortunately, the utilities have not adopted these results to any substantive extent.
Several years ago, a software “worm” called Stuxnet was inserted by clandestine means in the computers controlling Iran’s
uranium enrichment plant with the result that many centrifuges were made
inoperable by malicious control signals generated by Stuxnet in 2010.
Although Stuxnet is well analyzed and documented, I am not aware that
the electric power industry knows how to protect the electric grid
against this type of malware.
By discussing these issues, my hope is that the public will demand
solutions, the state utility commissions will approve rate recovery for
substantive cyber security projects, our politicians will provide
leadership and regulation, and the brightest IT minds will seek careers
in the electric utility industry. As a result, the grid my grandfather
started in his hometown and the solutions I contributed to when I was
young, will continue to provide reliable power regardless of the
intentions of bad actors.
 NISTIR 7628: Guidelines for Smart Grid Cyber Security; http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf