A report on grid cybersecurity released last week by US Representatives Ed Markey and Henry Waxman makes for fascinating reading.
Background
The U.S. bulk power system is relied on by 300 million people and is comprised of 200,000 miles of transmission lines and about a thousand gigawatts (GW) of generating capacity. It is valued at over $1 trillion. Most of the bulk power grid is owned and operated by private companies, municipally- and coop-owned utiltiies.
The components of the grid are highly interdependent. An outage in one area can lead to cascading outages in other areas. The classic example occurred in 2003 when four high voltage power lines in northern Ohio brushed trees and shut down. A computer system error caused a cascade of failures that left 50 million people without power for two days across the United States and Canada. The largest blackout in North American history cost the economy an estimated $6 billion.
Vulnerabilities
This report makes the case that grid vulnerabilities pose substantial risks to U.S. national security. It cites a 2008 report by theTask Force on Department of Defense (DOD) Energy Strategy that said that “critical missions . . . are almost entirely dependent on the national transmission grid." About 85% of the energy infrastructure upon which DOD depends is commercially owned, and 99% of the electricity DOD consumes originates outside of DOD. In most cases, neither the grid nor on-base backup power provides sufficient reliability to ensure continuity of critical national priority functions and oversight of strategic missions in the face of a long term (several months) outage. An October 2009 report by the Government Accountability Office said that 31 of DOD’s 34 most critical global assets rely on commercially operated electricity grids for their primary source of electricity.
I remember a startling statistic in an Energy Information Adminstration (EIA) publication that the failure of 4% of U.S. substations would result in 60% of the U.S. losing power. The Markey and Waxman report also cites a declassified National Academy of Sciences report declassified that found that physical damage to large transformers could disrupt power to large regions of the country and take months to repair.
Very recently, the Department of Homeland Security testified that it had processed 68% more cyber-incidents in 2012, involving Federal agencies, critical infrastructure, and other select industrial entities, than in 2011.
Measures to protect the U.S. electric grid from cyber-attack include mandatory reliability standards developed by the North American Electric Reliability Corporation (NERC) plus voluntary actions recommended by NERC.
In 2010, bipartisan cyber-security legislation called the GRID Act passed the House of Representatives. This legislation would have provided the Federal Energy Regulatory Commission (FERC) with the authority to require necessary actions to protect the grid. However, this legislation did not pass the Senate.
Cybersecurity survey of U.S. utiltiies
In January of this year, Representatives Markey and Waxman requested information from more than 150 investor-owned utilities (IOUs), municipally-owned utilities, rural electric cooperatives, and federal entities. More than 60% of the entities have responded including
- 54 investor-owned utilities
- 47 municipally-owned utilities and rural electric cooperatives
- 12 federal entities
The Markey and Waxman report is based upon those responses.
Findings
The electric grid is the target of numerous and daily cyber-attacks.
More than a dozen utilities reported “daily,” “constant,” or “frequent” attempted cyber-attacks ranging from phishing to malware infection to unfriendly probes.
One utility reported that it was the target of approximately 10,000 attempted cyber-attacks each month. More than one public power provider reported being under a “constant state of ‘attack’ from malware and entities seeking to gain access to internal systems." A Northeastern power provider said that it was “under constant cyber attack from cyber criminals including malware and the general threat from the Internet...” A Midwestern power provider said that it was “subject to ongoing malicious cyber and physical activity. For example, we see probes on our network to look for vulnerabilities in our systems and applications on a daily basis. Much of this activity is automated and dynamic in nature – able to adapt to what is discovered during its probing process.”
Most utilities only comply with mandatory cyber-security standards, and have not implemented voluntary NERC recommendations.
Almost all utilities cited compliance with mandatory NERC standards. Of those that responded to a question of how many voluntary cyber-security measures recommended by NERC had been implemented, most indicated that they had not implemented any of these measures.
For example, NERC has established both mandatory standards and voluntary measures to protect against the computer worm known as Stuxnet. Of those that responded, 91% of IOUs, 83% of municipally- or cooperatively-owned utilities, and 80% of federal entities that own major pieces of the bulk power system reported compliance with the Stuxnet mandatory standards. By contrast, of those that responded to a separate question regarding compliance with voluntary Stuxnet measures, only 21% of IOUs, 44% of municipally- or cooperatively-owned utilities, and 62.5% of federal entities reported compliance.
Most utilities have not taken concrete steps to reduce the vulnerability of the grid to geomagnetic storms and it is unclear whether the number of available spare transformers is adequate.
Only 12 of 36 (33%) responding IOUs, 5 of 25 (20%) responding municipally- or cooperatively-owned utilities, and 2 of 8 (25%) responding federal entities stated that they have taken specific mitigation measures to protect against or respond to geomagnetic storms.
Most utilities do not own spare transformers. Only twenty IOUs, six municipally- or coop-owned utilities, and eight federal entities reported owning spare transformers. While other utilities reported participation in various mutual assistance agreements or industry equipment sharing programs, none knew how many other utilities would claim contractual access to the same equipment in the event of a large-scale outage.