Help improve safety in case of power grid cyber-attacks!

June 15, 2016

The December 2015 Ukraine cyber-attack that took control of the Prykarpattyaoblenergo Control Center (PCC) in the Ivano-Frankivsk region serves as a case study for all cyber-security researchers concerned with possible similar incidents in the US. The APT attack was performed via a malware application, Black Energy. It took 230 thousand locations off the grid for 6 hours and officially marked the first premeditated hit by a cyber-weapon on a national power grid.

Cyber-attacks on SCADA systems have also taken place in other countries, such as the UK or Italy, and these are only the known incidents. Power grid cyber-attacks are hard to identify as such, since the proof is hard to find. This is why many of them go unreported or under-reported, especially when the effects are minor. Nevertheless, each attempt or minor incident that turns malicious intent into cutting the power for entire areas is equally worrying and reiterates the same thing: the power grid is in fact insufficiently protected, making it a potential target and a vulnerable spot in developed countries, as well as in less developed ones.

The current situation in protecting the power grid

The Energy.gov website has a dedicated cyber-security section, where one can clearly see how responsibilities belong to various stakeholders: market segmentation in the field separated the generation, transmission, and delivery factors, while customers and vendors each hold various re-distribution roles. A strategic, efficient approach has to first overcome this segmentation and establish a common, unified strategy.

Funding the preliminary actions, as well as the materialization stage, would be yet another issue. Research and development need to come up with innovative solutions for protecting and backing up the power grid against any possible type of cyber-attack.

The image of a vast and segmented sector setting itself in motion to ward off potential targeted and dangerous attacks might appease the more relaxed, yet the more preoccupied and concerned parties cannot see it as a sufficient deterrent when it comes to cyber-attackers. Other measures should contribute to improving grid security and accelerating the necessary steps as well: perhaps partnerships with tech giants, or public-private joint actions that would produce clever ideas and actions in view of all possible scenarios.

With a nationwide awareness program on power grid cyber-attacks carried out in early 2016 by the FBI and DHS, the scale of the threats is starting to reveal itself to the public. Government entities can indeed centralize all available information and research results, in order to provide a realistic image of what the nation would be confronted with in the event of a successful attack. Solutions may come from the same institutions or from independent sources, but whoever is searching for the best fix has to use time to the citizens’ advantage, instead of letting it go by, to the advantage of unknown malicious actors. Or, in other words, has to hurry up the process.

Meanwhile the presidential candidates tiptoed around this hot topic; at least they did so until February 2016, when Forbes tackled the issue in a short feature.

The thinking inside the box issue

Besides a cyber-attack, the causes that may generate a power outage include natural phenomena, a solar geomagnetic storm, unintended technological incidents or physical attacks that would damage parts of the grid.

What about the methods of defense?

Preventing cyber-attacks is difficult and it is in fact an endless cat and mouse game (as the previously quoted Huffington Post article mentions), where the cyber-security professionals can only hope to be one step ahead of the intruders.

The specialists can strive to build the most secure system possible, to have backup solutions that would perform the job of the infected software following its strategic isolation, and to develop an extremely responsive strategy that would intervene once the cyber-attack is ongoing.

Preventing incidents by improving and backing up the system would be one way to go.

However, the recovery means are in the same “box”: they still depend on cyber-systems. What if older technology could run a minimum version of the power infrastructure, and this solution would be perfected as the ultimate response in the event of a major cyber-attack? Back to the vintage levers and buttons, in a completely mechanical control system: is that so unthinkable? Or is it so futile?

This is an example of a different way to go, although it is clear that thinking outside the modern tech framework is extremely difficult. It seems like going backwards at first glance, but it would be a way of going sideways and ensuring an extra defense layer instead of stubbornly putting all the money on the digital card.

What can individuals do to stay prepared?

There are plenty of instructional online articles on how to prepare for a power outage; maybe even people who do not live in areas where storms, tornadoes or other natural phenomena usually cause such outages should consider them. In the event of such incidents, being prepared helps you as well as the community.

The basics would be:

  • Try to have an alternative power source (a generator, a car that has enough fuel to produce battery-like energy, a motion-fueled (kinetic) device perhaps);
  • Procure the necessary connective elements between the alternative source and the devices you might need to relay power to: a source of light, computers, phones, other appliances that you absolutely need;
  • Have a couple of self-powered items you might use, such as radios or flashlights;
  • Consider whether other vital things depend on electric power, such as your water supply, your cooker, your gates, and other massive mechanisms. In the event of a power outage, would you be able to replace the electricity-powered systems with something else? If the answer is no, install alternative systems that do not run on electricity, so they are available when needed;
  • Find out what type of phone or landline will be working even when the power is off and buy yourself one, if you estimate connectivity is of major importance during a power outage; cell towers may lose functionality as well and you might not have mobile network coverage.

Check the basic safety tips listed on the ready.gov website.

Do not underestimate the importance of self-preparedness; if still unconvinced, check this article on how much it takes to restart a power grid once hit by an attack. Helping yourself and perhaps others to benefit from the basics and remain calm is important, and it takes a bit of preventive preparation. Each party, from individuals to government agencies and cyber-security specialists, can play its own helping role in a power outage scenario.