Exposed: Our Power Grid
Today’s electric power grid is very different from the one my grandfather built in a small town in Norway during the 1930s. There were no computer controls and the reliability was poor compared with today’s standard. Personally, I helped develop some of the automation in the current US grid during the late 1970s and some of those solutions might still be operating. I was well versed with control systems, SCADA and power-system modeling. During those days the key issues were high uptime and low cost. Protecting against hackers and people with malicious intent did not enter our minds.
Today the situation is very different. The electric grid is highly automated and efficient. We enjoy a system that moves electric power long distances with an impressive reliability. We are so accustomed to electricity being available by the flip of a switch that we cannot imagine what we will do if it suddenly was unavailable for extended periods.
There is essentially no public discussion about how we might manage if the electricity in our large cities is unavailable for days and weeks. When a major blackout hit New York City in 1977, it resulted in widespread looting, vandalism and violence. The blackout that started on August 14, 2003 in Ohio resulted in a loss of 61,800 MW of load that served 10 million people in Ontario Canada plus 45 million people in eight states in northeast of the US. The total economic impact of this event was about $6B. The 2003 event lasted as little as a few hours for some people and as long as two days for others. Can you imagine the impact of a blackout that lasts for days and weeks? Experts with experience in analyzing the grid know that people determined to cause damage can create huge impact. It is unfortunately easier to cause such damage than the public thinks.
We have for several years adequately protected the computers used by the military, financial institutions, and others. There are best practices to protect secrets, fend off thieves, and make sure the computers continue working. These issues, despite receiving quite a bit of publicity, are easier and of less consequence than protecting the electric grid. Damaging the electric grid by a cyber attack has the potential of having catastrophic impact. Furthermore, the source of such an attack would probably not be traceable due to the ease of using nested proxy servers to mask where the attack is coming from.
Unfortunately, the electric utilities appear to be unwilling to acknowledge the seriousness of the problem and do what it takes to make the grid more resilient. A key reason for this reluctance is that the electric utilities are a regulated industry and they do what the state public service commissions ask them to do. Furthermore, they usually ask for permission from these commissions to recover their expenses before they embark on expensive projects.
As you can see, there is a built-in mechanism to go slow, not to spend money, and not to be proactive. The industry is simply not organized in a manner that enables it to move rapidly in response to accelerated sophistication of cyber hackers, some of whom are believed to be funded by nation states.
During the last three years, I have followed the Smart Grid Cyber Security work at National Institute of Standards and Technology (NIST). They have coordinated the activities of about a hundred volunteers who have debated and documented cyber security guidelines for the electric grid resulting in a three volume document named NISTIR 7628. Unfortunately, the utilities have not adopted these results to any substantive extent.
Several years ago, a software “worm” called Stuxnet was inserted by clandestine means in the computers controlling Iran’s uranium enrichment plant with the result that many centrifuges were made inoperable by malicious control signals generated by Stuxnet in 2010. Although Stuxnet is well analyzed and documented, I am not aware that the electric power industry knows how to protect the electric grid against this type of malware.
By discussing these issues, my hope is that the public will demand solutions, the state utility commissions will approve rate recovery for substantive cyber security projects, our politicians will provide leadership and regulation, and the brightest IT minds will seek careers in the electric utility industry. As a result, the grid my grandfather started in his hometown and the solutions I contributed to when I was young, will continue to provide reliable power regardless of the intentions of bad actors.
 NISTIR 7628: Guidelines for Smart Grid Cyber Security; http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf