About 3:30 in the afternoon last December 23, operators at three electric utilities halfway around the world in western Ukraine found themselves not solely in control of their computer terminals. Someone from outside the utilities had taken over the controls and started opening circuit breakers at more than 27 substations, cutting power to more than 200,000 customers. Thousands of fake calls clogged utility switchboards, preventing people from phoning in to get information about the outage. Utility workers switched to manual operations, and it took three hours to restore power.
That’s not a movie plot. And if you missed or forgot about that news report from last year, people who run electric utilities have not. Attention to cyber security at electric utilities has grown fast in the past few years, and the Ukraine attack pushed that trend into overdrive.
“It’s garnered a lot of attention from the federal government and throughout the industry,” says Barry Lawson, associate director of power delivery and reliability for the National Rural Electric Cooperative Association.
A big part of Lawson’s job is helping the nearly 1,000 electric co-ops in the country understand digital-age dangers and ensuring that they know how to protect and secure the power supply, electric grid and co-op members and employees from internet mischief.
Electric co-ops show they do understand the importance of cyber security, says Cynthia Hsu, cyber security program manager for business and technology strategies at NRECA.
“Electric co-ops were the first utilities to test and use the U.S. Department of Energy’s cyber security self-assessment tool,” Hsu says. “They are often on the cutting edge of implementing best practices to improve their cyber security capabilities.”
While the Ukraine cyber attack has been studied in-depth by U.S. utilities and the federal Department of Homeland Security, most analysts see a large-scale attack by hackers as unlikely to succeed in this country. The reports characterize the Ukraine attack as extremely well planned and coordinated, but not technically sophisticated.
The Ukraine incident actually started as early as March of last year when utility workers received emails with Microsoft Office documents, such as an Excel spreadsheet, from the Ukrainian parliament. But the emails were not from the Ukrainian parliament. When workers followed the email instructions asking them to click on a link to “enable macros,” malicious malware embedded in the documents, called BlackEnergy 3, secretly infected the system. Among other capabilities, BlackEnergy 3 can enable an adversary to observe and copy all the keystrokes made on the infected computers, giving hackers passwords and other login information needed to access the utility’s operations control systems.
Defenses against that kind of attack are pretty basic, and you probably even heard the warnings yourself: Don’t click on any links or attachments unless you were expecting the message to be sent to you. Utilities are increasing their efforts to enhance and formalize their security plans, processes and controls. New cyber security standards require upgraded levels of training for utility operators, multiple layers of security to shield operational and control systems from the internet and even stricter procedures for visitor access — physical and electronic — to control rooms. These utilities are regularly audited for cyber security compliance, and regulators, such as the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation, can levy strict penalties for not following standards.
NRECA’s Lawson describes an example of one type of security technology: a security token — a physical device operator’s would carry with them that changes their password every 30 seconds.
NRECA also worked with the U.S. Department of Energy to develop software called Essence, which constantly monitors a utility’s system for even a microsecond of irregularity that might indicate some kind of hacking attempt or malware is interfering with the system.
With all that attention on keeping the electricity flowing, there’s also another major cyber threat receiving high-priority attention from electric co-ops: protecting data and critical utility information to avoid identity theft of members’ information. Lawson says some co-ops hire firms to periodically try to hack into their computer systems so the co-op can identify and fix the holes in its security.
Lawson describes a scary world of cyber terrorists, organized crime, issue-oriented groups or just kids in their basements seeing what kind of trouble they can cause on the internet. At the same time he compares those high-tech threats to risks posed by hurricanes or the everyday need to pay attention to safety at the electric cooperative. Co-ops regularly use risk assessment and management practices to balance a wide range of threats to their systems.
“Physical security and cyber security are becoming just another cost of doing business,” Lawson says. “You’ll never be 100 percent secure, and all you can do is try your best to keep up with the bad guys. It’s a fact of life in these days and times we’re living in.”
Paul Wesslund writes on cooperative issues for the National Rural Electric Cooperative Association.