Girding the Grid
December 2022: Rifle fire damages two electrical substations in Moore County, North Carolina, cutting power to more than 40,000 customers. Neither the attackers nor their motive is identified.
February 2023: A man and a woman—one an avowed neo-Nazi—are charged with conspiracy to take down Baltimore’s power grid through attacks on electrical substations, in an attempt to cause chaos in that Maryland city.
April 2023: Scandinavian authorities warn that Russia is using “ghost ships” disguised as fishing trawlers to map wind turbines and other infrastructure in the North Sea. The goal? Sabotage in the event of a war with the West.
May 2023: A coordinated cyberattack against the Danish energy infrastructure targets 22 separate companies, thereby compromising industrial control systems. Attackers, which may have included a nation state, exploited a critical vulnerability in a firewall.
June 2023: An attacker fires a rifle at two hydroelectric power stations in Idaho, which interrupts the regional power supply and damages both facilities. Two months later, the suspect is arrested and charged with two counts of destruction of an energy facility.
July 2023: A senior vice president of the North American Electric Reliability Corp. (NERC) testifies before the U.S. House Energy and Commerce Subcommittee on Oversight and Investigations, warning of the “alarming” cybersecurity threat posed by China. Manny Cancel said, “China continues to demonstrate increasing sophistication, including new and adaptive techniques to gain access to networks.”
The U.S. Department of Energy identified 95 human-caused incidents targeting the electricity sector in the first half of 2023.
October 2023: A fire, cause unknown, takes down a 22-story wind turbine in eastern Iowa, which sends giant blades crashing to the ground. Firefighters are unable to reach the top of the structure to battle the blaze.
Fire and natural disasters. Nation-state-sponsored cyberattacks. Critical vulnerabilities in industrial control systems. Infrastructure mapping by adversaries. Physical attacks by extremists and common criminals. These constitute just a few of the attacks on, threats to, and security issues pertaining to protecting the energy grid in the United States and beyond.
There’s a lot to protect—7,300 power plants, at least 300,000 transmission and distribution stations, 160,000 miles of high-voltage transmission lines, and 5.5 million miles of local distribution lines that serve 145 million households and businesses.
In fact, the U.S. Department of Energy identified 95 human-caused incidents targeting the electricity sector in the first half of 2023—more than any previous half-year since it started tracking attacks in 2020.
The electric power infrastructure faces a greater diversity and sophistication of threats than ever. This article will identify adversaries and their tactics as well as protection efforts and initiatives.
Who, What, and Why
As indicated in the introduction to this article, a wide range of bad actors seeks to disrupt the power supply. They include nation states, domestic violent extremists (DVEs), and insiders.
Nation states. Russia and China each have the motives and capability to devastate the Western power infrastructure. Recently, China has been engaged in a campaign of cyberattacks targeting U.S. critical infrastructure sectors that are associated with the actor or group known as Volt Typhoon.
In analysis from the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), experts found that a primary tactic, technique, and procedure (TTP) of Volt Typhoon is “living off the land, which uses built-in network administration tools to perform their objectives.
“This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid end-point detection and response products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations,” the CISA analysts write.
Brandon Wales, CISA executive director, recently told The Washington Post that Volt Typhoon was designed “ to disrupt or destroy … critical infrastructure in the event of a conflict, to either prevent the United States from being able to project power into Asia or to cause societal chaos in the United States.”
Among Volt Typhoon’s targets, according to the Post report, were the Public Utility Commission of Texas and the Electric Reliability Council of Texas, the operator of the U.S. state of Texas’s power grid. Those attacks proved unsuccessful, though the Post reported successful intrusions into a Hawaiian water utility, a major West Coast port, and at least one oil and gas pipeline.
Far-right extremists, whose choice of weapon is firearms, have been firing weapons at substations and other electrical infrastructure.
Russia also looms large over the power infrastructure. Russians have been trawling the waters of the North Atlantic, mapping wind farms and other infrastructure. Cyber and physical attacks on Ukraine’s power supply have been ongoing before and during Russia’s siege of that country. In 2023, Politico reported that Russia got “dangerously close” to knocking out a significant part of the U.S. electric supply through PIPEDREAM, a malware that can be used to gain access to Operational Technology networks to scan, compromise, or control devices connected to those networks.
Malicious Russian cyberactivity is not new. In 2018, DHS acknowledged that Russian hackers compromised several electrical utilities in the prior year and breached air-gapped security networks. The culprits could have disrupted the power supply and caused blackouts.
Domestic Violent Extremists. Many of the recent extremist attacks on the power supply are attributed to the far right—white supremacists, neo-Nazis, accelerationists, and the like.
Far-right extremists, whose choice of weapon is firearms, have been firing weapons at substations and other electrical infrastructure, in some cases avowedly to cause blackouts and plunge cities into chaos and citizens into conflict. In turn, this would help these actors achieve their accelerationist goals to expedite the downfall of society.
“Accelerationists believe that lone actors can engage in acts of mass violence to catalyze a broader conflict within society,” according to a recent report from the Combating Terrorism Center at West Point. “In that worldview, targeting critical infrastructure is viewed as an important means of destroying society and a catalytic predecessor to the ensuing chaos and anarchy desired.”
Additionally, the center found that many of these same actors have been inspired by the work of the Unabomber—Ted Kaczynski—and become “neo-Luddites” or “technophobes” that have “developed an obsession with 5G wireless networks and towers.” This has led to attacks by individuals, or small groups, on cell phone towers in Canada, the Netherlands, the United Kingdom, and the United States.
From power companies’ monitoring of the Dark Web, it’s been determined that these attackers are getting more sophisticated: they are leaving their cell phones at home so authorities can’t place them at the scene of an attack, learning from successful attacks on how to escape detection, and figuring out which substations are particularly vulnerable and how to inflict the most damage to them.
On the far left, ecoterrorists favor pipe bombs to attack targets that they believe are damaging the earth or its wildlife, such as wind turbines. Despite conflicting evidence, many people believe that wind turbines threaten the bird population, kill whales, and are dangerous to other marine life.
Insiders. In all aspects of business, government, and academia, insiders are still the overlooked threat. Employees, contractors, partners, interns, and guests may have broad access to facilities and networks and can destroy, degrade, and delete physical and information assets alike. A March 2021 report from the U.S. National Counterintelligence and Security Center (Insider Threat Mitigation for U.S. Critical Infrastructure Agencies: Guidelines from an Intelligence Perspective) lays out the range of potential insiders:
Insider threats can cause harm through economic espionage, sabotage, workplace violence, fraud, and other misuse of corporate resources. Insider threat activities can involve deliberate actions by insiders working with Foreign Intelligence Entities, or other actions by insiders with malicious or criminal motives. Finally, insiders can also cause harm through simple negligence or carelessness. The current tense ideational-ideological landscape in the U.S. exacerbates these risks, giving some people more motivations and making others more vulnerable to high levels of stress.
Still, distressingly few power companies, utilities, or even businesses have an insider-risk program with dedicated staff members. These responsibilities are typically balkanized by department. Finance or Audit deals with internal fraud. HR handles policy violations such as drinking or drug use on the job. Security or HR deals with workplace violence. IT or the CISO may handle cyberattacks. It’s critical to put these puzzle pieces together in an insider-risk program, which can monitor everything from clean-desk policies and data exfiltration to staff disgruntlement and visitor-escort protocols.
As the NCSC document notes, insiders might not have malicious intent. While the numbers vary by study, more than 50 percent of damaging insider activity can be attributed to carelessness or negligence. Training is critical but, for time and resource reasons, it is often neglected or conducted in a pro forma manner.
Third parties. Third parties represent a particular type of insider. They are vendors, contractors, or partners with certain physical and cyber-access privileges. They can be intentional actors, or, more often, those who negligently expose the power company to threats and attacks.
Third parties are especially attractive targets for intrusion because many utilities have invested in stout security, removing the low-hanging fruit, so to speak. Electric companies, at minimum, should require certain mitigations in their contract and procurement language. That language may transfer liability to the vendor or contractor in case of a breach, but it still leaves the company with the reputational hit and additional scrutiny from regulators.
Also worrisome is the depth and complexity of the supply chain from which utilities receive their equipment and parts. Especially in the renewable energy space, critical components such as solar panels often come from China—potentially creating more risks for the security department to address.
Protection Efforts and Initiatives
The power grid isn’t called a “critical” infrastructure for nothing. Taking down even parts of the grid could cause widespread blackouts. Cascading effects could impair the supply of water and gas and eventually wreak havoc on the entire supply chain—including food, medicine, and telecommunications.
That’s why it’s incumbent on power companies to stay ahead of their adversaries. Below are some promising developments and initiatives.
Convergence. Studies by the ASIS Foundation in 2019 and 2022 have shown that cybersecurity and physical security are converged in about one-quarter of businesses. What does this mean in practice? Organizations are integrating logical security, information security, operational security, physical security, and business continuity.
It’s important that physical and security methods, procedures, and safeguards are not designed in isolation. Whatever you may call it—IT/OT/physical convergence, a holistic security approach, or the integration of all security disciplines—the benefits far outweigh the negatives.
The trend is accelerating in the U.S. power industry, where threats are truly multifaceted and require a cross-silo approach. Utilities are bringing threat schemes into one landscape as they cross-train staff, create redundancies, and uncover gaps in protection.
Considering the various security threats that utilities face—such as terrorism, data breaches, insider threats, and identity theft—one side of the security spectrum simply cannot protect an organization to its greatest potential. Electric utilities in North America remain effective at addressing traditional threats such as severe weather, vegetation management, and routine transmission disruptions. But at the same time, the evolving nature of physical, cyber, and OT security is creating challenges that many companies are grappling with to ensure the resilience of their operations.
Unfortunately, an interconnected grid that incorporates computing, communications, markets, and physical assets presents potential attackers with previously unknown opportunities that require us to maintain a holistic approach to security.
Security as adviser. Security departments in large power companies are starting to take a more prominent seat at the table with senior executives and the board. Like many companies, utilities often look for the lowest-cost supplier, but they often fail to calculate the true cost of acquisitions.
For example, a renewable energy company might invest $20 million in solar panels made in China instead of $23 million for similar panels made in Mexico. But the $20 million invested in the Chinese panels might require $5 million in mitigations by security and other departments—in due diligence checks, quality inspections, transit security, and so on—making those more expensive than the Mexican panels. Security executives must step up proactively and insert themselves into these conversations, or at least have a C-suite advocate who can make the case.
Regulatory efforts/government initiatives. Together, NERC and the Federal Energy Regulation Commission (FERC) oversee the U.S. power grid and have been fairly active recently.
In April 2023, NERC announced that it would initiate a standards development project to clarify risk assessment expectations for bulk power system transmission stations, substations, and primary control centers. An NERC report published in August called for standards related to cyber risk from adoption of cloud and AI technologies by the power sector. In November 2023, NERC conducted a two-day simulation, GridEx VII, with power companies and vendors among its 250 organizations. An after-action report is expected in April 2024. GridEx VI, held in 2021, delivered many insights, including revealing many interdependencies between the electric, natural gas, and telecommunications sectors.
FERC, for its part, is going beyond regulation to encourage voluntary tightening of cybersecurity. In May 2023, it issued a final rule enabling utilities that increase cybersecurity to recover their expenses, which may include network monitoring, labor costs, and some software as a service (SaaS) expenses, among others. In March 2023, FERC approved a new cybersecurity standard for “low-impact” assets in the U.S. bulk electric system.
Under the FERC definition, low-impact assets are “generation or transmission facilities that pose a lower risk to the bulk electric system if they are compromised.” The decision to approve this new standard matters because it recognizes that hackers may try to access medium- and high-impact assets through low-impact assets, which traditionally have had lesser protection.
With such a broad and diverse attack surface, utilities must invest security dollars wisely.
FERC isn’t the only agency subsidizing cybersecurity advancements. On 12 September 2023, the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response announced $39 million in funding for U.S. national laboratories to improve cybersecurity for distributed energy resources, particularly for clean technologies.
Other new regulations apply to the industry. On 15 December 2023, new rules imposed by the U.S. Securities and Exchange Commission went into effect, requiring public U.S. companies to report material cyber breaches within four days of discovery. Publicly listed utilities also may require third-party software and supply chain partners to adhere to the regulation.
Physical security. With such a broad and diverse attack surface, utilities must invest security dollars wisely. Power companies focus efforts on critical substations, using traditional gates, guns, and guards, but also video surveillance with advanced analytics, motion detection, gunshot detection, counter-drone technologies, and other tools. Remote facilities may be protected by fences, cameras, and drones. Many utilities ask local police to add key facilities to their routine patrols.
Unstaffed aerial systems—commonly known as drones—are a double-edged sword. They can be extremely beneficial in quickly getting eyes on a potential incident miles away from where any staff person is stationed. They can track fleeing vandals and saboteurs. They can check hard-to-reach areas—such as high-power lines or the tops of wind turbines—for damage and wear and tear. They can deter criminal activity.
However, they can also be used by adversaries for vandalism, sabotage, espionage, or terrorism. Drones from unknown operators have flown over substations and other critical infrastructure. Although there have been no incidents involving explosive payloads, it’s just a matter of time before that happens.
In addition, the vast majority of drones in use by utilities—and by businesses, law enforcement, and recreational flyers as well—are Chinese made. Drones manufactured in China are much less expensive than their American or Western counterparts because they are subsidized by the Chinese government.
Both authors have written extensively about the close connection of Chinese drone companies to Beijing and its military, for example, the risk that these drones are mapping U.S. infrastructure and sending details back to China, the various software vulnerabilities that have been documented, and the banning of Chinese drones by several U.S. federal agencies and state governments. In fact, one of the authors has personally witnessed a Chinese drone surreptitiously communicating with operators in Beijing.
Power companies deploying drones should evaluate them carefully, including where they are constructed, potential software vulnerabilities and backdoors, and for nonsecurity factors including type of drone, payload capability, flight times, and types of operator controls. Other issues include pilot training and licensing, use restrictions, and laws, regulations, and ordinances in your jurisdictions.
“With great power comes great responsibility.” Although that quote originates from the fictional superhero, Spider Man, it resonates with the operators and protectors of the electric grid. Power is among the most critical of the infrastructures, making it all the more critical that we protect it adequately.
Michael Gips, CPP, is chief strategy officer at Emergence Technology Group and the former chief global knowledge and learning officer at ASIS International. Brian Harrell is the former assistant secretary for infrastructure protection at the U.S. Department of Homeland Security.
