US Power Grid Vulnerable to Cyber Attack… FUD or Real Risk? Part One

Last week the offices of two US Senators released a report on the security of the US electrical power grid.  This report was released in advance of an upcoming Congressional hearing on Cyber security in the US.  The report outlines three findings of fact:

  1. The electrical grid is the target of numerous and daily Cyber attacks
  2. Most electrical utilities only comply with the mandatory Cyber security standards and have not implemented voluntary National Electrical Reliability Corporation (NERC) recommendations
  3. Most electrical utilities have not taken concrete steps to reduce the vulnerability of the grid to geomagnetic storms and it is unclear whether the number of available spare transformers is adequate

We wanted to look into these claims a bit more closely, but first we feel it is necessary to explain the US power grid in some detail.  If you are a grid expert you can probably skip this part.

What is “the grid”?  Almost all Americans only know the grid as the last mile of service:  the glass dome with weird numbered dials where the power enters their home or business, or maybe the big transformer lot down the way.  The grid is composed of two parts, however: the one you are familiar with, which distributes power to users, and one that moves generated power between different distribution areas, which is known as the Bulk Electric System (BES).  Anytime you see the really big power lines on towers or large poles, you are most likely seeing a portion of the BES.

The grid in the US is mostly owned by private companies, but also by a few government-controlled entities.  All of these entities form the organization NERC, and in working together the entities have created the security and operations standards to ensure the reliability of the grid.  Oversight is provided by the Federal Energy Regulatory Commission (FERC), but changes in the process to secure the grid have historically taken years to occur.  When your adversary is able to adapt tactics in days, this represents a problem.

Going back to the makeup of the grid.  The grid is an interconnected and interdependent patchwork of thousands of private and public utilities that collectively can generate over 1 million megawatts of electricity at any given moment and collectively operate over 200,000 miles of power lines.  That is enough power line to wrap the earth 8 times!

What about the interconnected and interdependent part?  Going back to the patchwork analogy, the different parts of the grid each make, sell, and buy power.  They do this to meet demand economically.  When one of the patchwork areas has power usage that exceeds its generation capacity, it buys electricity from another patchwork somewhere in the grid.  This helps keep the cost of operation down.

The problem with an interconnected and interdependent grid was made clear during the California brownouts in the 2000s.  The electrical utilities in California were not able to generate or buy enough power to meet demand, which resulted in a lowering, or brownout, of portions of the grid.  Another example of the problems of the interdependent, interconnected nature of the grid is the 2003 East Coast Blackout.  In that event, the interconnected power grid suffered a cascading surge that tripped breaker after breaker in the system and blacked out millions of end users for 2 days.  Both of these events were operational failures and not Cyber related; however, they illustrate weaknesses that could be exploited, or what the effects of a Cyber attack on the grid may be like.

Coming Soon:  Part 2 – What are the real threats to critical infrastructure?


Post by Protocol 46