Richard B. Andres
Karl S. Pabst
As the energy industry rushes to become "smart," it has paid scant attention to the security implications of this move, particularly in the cyber realm. Touted as the next big thing by policymakers and industry executives alike, smart grid technology is projected to improve the efficiency and sustainability of the electric grid--for less money. Yet smart grids will also drastically increase the security risks of an already vulnerable energy infrastructure.
At a time when terrorists, criminal groups, and state agents have all significantly increased their cyber capabilities, the electric grid faces no shortage of external actors who would be eager to exploit any vulnerability. The key features of smart grids--networked two-way communications between suppliers and consumers and distributed energy generation--multiply the number of access points to SCADA systems that hackers can exploit. Moreover, these "secondary" access points have far fewer security protocols than the central systems. Once inside the network, malicious actors can cripple servers, manipulate power controls, and even irreparably damage electric generators.
Compounding the danger is the fact that the nature of the threat has changed. While 70% of SCADA attacks were conducted by disgruntled insiders during the 1990s, today external attackers perpetrate the vast majority of cyber incursions. Terrorist groups have historically had the greatest motives but the lowest capabilities, yet the gap is narrowing. Organized crime hacking groups are also on the rise, eschewing traditional attacks for cyber extortion plots, in which they hold energy providers hostage by threatening to shut off the power if their financial demands are not met.
As dangerous as non-state agents are, state actors are potentially even more so. The media has highlighted the Chinese military's cyber espionage division Unit 61398 (AKA APT1) as one of the most prominent threats by exposing their attack on the New York Times and later on critical US infrastructure targets, but China is only one of many countries exploiting energy companies' vulnerabilities. A worrying new development in state-sponsored cyber conflict is increased collusion with surrogate "cyber militias." As Russia's 2007 militia-based cyber-attacks against Estonia and 2008 militia attacks during its invasion of Georgia reveal, cyber militias can sidestep traditional deterrent threats by allowing states to act with plausible anonymity. As these actors' capabilities improve, the threat they represent to energy infrastructure grows.
Attacks by foreign governments also have the potential to wreak catastrophic damage on the U.S. energy infrastructure and economy. If a large-scale attack against the electric grid occurs, it could shut off power to large sections of the country for extended periods of time. It is not difficult to imagine a scenario similar to the 2003 Northeast Blackout or the power outages caused by Hurricanes Katrina and Sandy in which the culprit is a hostile cyber attacker rather than an accident or Mother Nature. The damage from a cyber-induced blackout could easily cost several hundred billion dollars; a worst-case scenario would cost trillions and lead to massive loss of life.
Unfortunately, cyber conflict involving the United States is not as far-fetched as it may seem. In fact, it is already occurring: Iran's continuing attacks on American banks, Syria's ongoing cyber-attacks against U.S. energy companies, and North Korea's 2009 attacks against U.S. government websites are among numerous examples of the cyber conflict that is proceeding virtually unnoticed.
Despite the risks, however, the United States should not abandon smart grid technology. The energy industry is clearly committed to the potential benefits, and global spending on smart grid technology is set to exceed $45 billion by 2015. Nevertheless, a cyber-attack is an exigent threat requiring greater prioritization by energy suppliers moving forward.
There are three key steps the energy industry can take to address smart grid security concerns. First, security measures need to be built into hardware and software at the design and manufacturing levels. Security must not remain the last "check" on a list; it must be integrated at inception. Second, this threat requires increased government regulation, standards, and security protocols, including communication and cooperation between the government and energy industry organizations like the North American Electric Reliability Company (NERC). Industry reform on the scale needed to successfully secure smart grids is impossible without proper coordination between parties. Finally, the energy industry needs a nationwide system of certification for third-party energy suppliers. This is crucial for smart grids in particular, as it will help maintain a high level of security at all system access points.
Yet before this process can start, the energy industry must begin taking the cyber threat seriously. Recognizing and acting on the vulnerabilities of the smart grids is crucial to avoid rushing headlong into a national security threat that energy utilities do not understand and cannot prevent.
Richard B. Andres is a Senior Fellow at the Institute for National Strategic Studies at National Defense University and a Professor of National Security Strategy at the National War College.
Karl Pabst is a researcher at the Institute for National Strategic Studies at National Defense University.
The opinions expressed in this article are those of the authors alone and do not necessarily represent those of National Defense University, the Department of Defense, or the U.S. Government.