BY PAUL WESSLUND
About 3:30 in the afternoon last December 23, operators at three electric utilities halfway around the world in western Ukraine found they were no longer solely in control of their computer terminals. Someone from outside the utilities had taken over the controls and started opening circuit breakers at more than 27 substations, cutting power to more than 200,000 customers. Thousands of fake calls clogged utility switchboards, preventing people from phoning in to get information about the outage. Utility workers switched to manual operations, and it took 3 hours to restore power.
That’s not a movie plot. And even if you missed or forgot about that news report from last year, people who run electric utilities haven’t. Attention to cybersecurity at electric utilities has been growing fast in the past few years, and the Ukraine attack pushed that trend into overdrive.
“It’s garnered a lot of attention from the federal government and throughout the industry,” says Barry Lawson, associate director of power delivery and reliability for the National Rural Electric Cooperative Association (NRECA).
A big part of Lawson’s job is helping the nearly 1,000 electric co-ops in the country understand digital-age dangers – and ensuring that they know how to protect and secure the power supply, electric grid and co-op member-owners and employees from Internet mischief.
Electric co-ops are showing they do understand the importance of cybersecurity, says Cynthia Hsu, cybersecurity program manager for business and technology strategies at NRECA.
“Electric co-ops were the first utilities to test and use the U.S. Department of Energy’s cybersecurity self-assessment tool,” says Hsu. “They are often on the cutting edge of implementing best practices to improve their cybersecurity capabilities.”
While the Ukraine cyber attack has been studied in depth by U.S. utilities and the federal Department of Homeland Security, most analysts see a large-scale attack by hackers as unlikely to succeed in this country. The reports characterize the Ukraine attack as extremely well planned and coordinated, but not technically sophisticated.
The Ukraine incident actually started as early as March of last year, when utility workers received e-mails with Microsoft Office documents, such as an Excel spreadsheet, from the Ukrainian parliament. But the e-mails were not from the Ukrainian parliament. When workers followed the e-mail instructions asking them to click on a link to “enable macros,” malware embedded in the documents – called BlackEnergy 3 – secretly infected the system. Among other capabilities, BlackEnergy 3 can enable an adversary to observe and copy all the keystrokes made on the infected computers, giving hackers passwords and other login information needed to access the utility’s operations control systems.
Defenses against that kind of attack are pretty basic, and you’ve probably even heard the warnings yourself – don’t click on any links or attachments unless you were expecting the message to be sent to you. Utilities are increasing their efforts to enhance and formalize their security plans, processes and controls. New cybersecurity standards require upgraded levels of training for utility operators, multiple layers of security to shield operational and control systems from the Internet and even stricter procedures for visitor access (physical and electronic) to control rooms. These utilities are regularly audited for cybersecurity compliance, and regulators, such as the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation, can levy strict penalties for not following standards.
NRECA’s Lawson describes an example of one type of security technology, a security token – a physical device operators would carry with them that changes their passwords every 30 seconds. NRECA has also worked with the Department of Energy to develop software called Essence, which constantly monitors a utility’s system for even a microsecond of irregularity that might indicate that some kind of hacking attempt or malware is interfering with the system.
With all that attention to keeping the electricity flowing, Lawson says there’s another major cyberthreat receiving high-priority attention from electric co-ops: protecting data and critical utility information to avoid identity theft of members’ information. He says some co-ops hire firms to periodically try to hack into their computer systems, so the co-ops can identify and fix the holes in their security.
Lawson describes a scary world of cyberterrorists, organized crime, issue-oriented groups or just kids in their basements seeing what kind of trouble they can cause on the Internet. At the same time, he compares those high-tech threats to risks posed by hurricanes or the everyday need for paying attention to safety at the electric cooperative. Co-ops regularly use risk assessment and management practices to balance a wide range of threats to their systems.
“Physical security and cybersecurity are becoming just another cost of doing business,” says Lawson. “You’ll never be 100 percent secure, and all you can do is try your best to keep up with the bad guys. It’s a fact of life in these days and times we’re living in.”
Paul Wesslund writes on cooperative issues for the National Rural Electric Cooperative Association, the Arlington, Va.-based service arm of the nation’s 900-plus consumer-owned, not-for-profit electric cooperatives.