At the end of July, the Department of Homeland Security hosted a first-of-its-kind cybersecurity summit in New York, bringing together stakeholders from the private sector, academia and multiple federal agencies, including defense and intelligence.
“I won’t sugar-coat it,” Homeland Security Secretary Kirstjen Nielsen told attendees, “Everyone and everything is a target.”
Comparing the threat to America’s critical infrastructure to a coming “Cat 5 hurricane,” she warned, “Our adversaries’ capabilities online are outpacing our stove-piped defenses. In fact, I believe that cyber threats collectively now exceed the danger of physical attacks against us.”
For those working in cybersecurity and among the nation’s more than 3,000 utilities, these warnings were not new.
Gregory White is the director of the University of Texas San Antonio Center for Infrastructure Assurance and Security, one of the nation’s centers of academic excellence in cyber operations. Since 2002, government and private utilities have been working to address possible attacks on critical infrastructure.
“This is not a recent development,” White noted. “What is different now is that folks are finally waking up to the possibilities.”
In recent years, there seems to be one wake-up call after another. In 2016, the United States experienced the greatest number of cybersecurity breaches in U.S. history, including 16 targeting utilities, and of course, the cyberattacks around the presidential election.
According to one risk assessment, the impact of a cyberattack that shut down parts of the U.S. power grid could be massive, costing as much as $1 trillion. Intelligence agencies have been wary of calculating the possible impact of a prolonged power outage caused by a cyberattack, which would have carry-over effects on virtually every other piece of critical infrastructure.
One of the most shocking developments came in March when officials at DHS and the FBI confirmed Russian government cyber actors penetrated the computers of multiple U.S. electric utilities in a 2017 campaign and gained remote access to energy sector networks.
Last month, officials provided more details about the extent of the campaign, which is likely still ongoing, noting the hackers gained enough access to cause blackouts and otherwise control critical systems. “They got to the point where they could have thrown switches,” Jonathan Homer, chief of industrial-control-system analysis for DHS, told the Wall Street Journal.
“You’re starting to see adversaries get more comfortable engaging in computer network attacks,” said Frank Cilluffo, the director of the Center for Cyber and Homeland Security (CCHS) at George Washington University. “This is more than simply probing and identifying vulnerabilities in the industrial control systems but actually demonstrating a capability to exploit them.”
For America’s private utility companies, which control a significant portion of U.S. energy generation and the bulk of the transmission and distribution system, the problem has become overwhelming. Few if any industry leaders went into business imagining they would have to defend their daily operations against foreign intelligence agencies or nation-state actors.
In a recent survey of utility executives, a majority named physical and cybersecurity as the most pressing concern for their companies.
At a recent CCHS conference, Duke Energy’s leading cybersecurity executive, Brian Harrell, said the company was hit by more than 650 million cyber attempts in 2017 aimed at breaching the system. A successful breach could potentially affect 7.6 million customers in the Southeast and Midwest and the company’s 50 gigawatts of electricity generation.
Amid the threat, companies like Southern and Duke have invested millions in cybersecurity, physical security upgrades and most importantly redundancy.
As Fanning sounded the alarm over grid security, he also explained that even if “the bad guys” got to “the crown jewels,” Southern has a second system synced-up within milliseconds, to ensure the power supply for the company’s roughly 9 million customers. Fanning boasted, “You wouldn’t know if that happened.”
According to Laura Schepis, executive director of the Partnership for Affordable Clean Energy and longtime coordinator of public-private cybersecurity efforts, the Trump administration has played an important role in continuing to push for grid security.
“When the Trump administration came in for the transition, I was really encouraged by the focus, attention and dedication they gave to it — bringing in industry partners, reaching back to take experts from the Obama administration and treating cybersecurity as a really high priority issue,” she said.
Just last month, the Department of Homeland Security created the National Risk Management Center, a joint center to coordinate the defense of the country’s critical infrastructure. The center brings together interagency expertise in coordination with leaders in the private sector, who own and operate roughly 90 percent of the nation’s critical infrastructure.
The Department of Energy is also at the center of a series of cybersecurity exercises to test the grid’s resilience and provide hands-on training to test how utility companies and the government would respond to an attack. According to E&E News, a major exercise is being planned for November, where participants will test their ability to bring the grid back online following a simultaneous cyberattack on electric, oil and natural gas infrastructure.
A decade ago, cybersecurity advocates struggled to get the attention of the federal government, let alone the resources needed to share information and shore up the grid. “Over last 8-10 years, there has certainly been a more useful, fruitful partnership,” Schepis said.
It is still too soon to tell how effective the new partnerships and interagency groups will be in preventing what some worry could be a crippling attack on the grid.
Collectively, government agencies and individuals in the private sector have enough information to identify and disrupt the next major cyberattack. The problem continues to be too little coordination and information-sharing among the different stakeholders. Comparing the situation to the state of intelligence sharing before the 9/11 attacks, Nielsen acknowledged that “we still have trouble ‘connecting the dots.’”