Internet Explorer 11 is not supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

U.S. Needs to Strengthen and Secure Its Power Grid ASAP

After tensions escalated between Iran and the U.S., government officials warned of potential cyberattacks, including against our vulnerable electric grid. “It is not a matter of if, but when, an attack will happen.”

(TNS) — In the wake of escalating military confrontation between the U.S. and Iran, U.S. defense and intelligence officials have warned of a potential onslaught of cyberattacks from Iranian hackers, and the Department of Homeland Security cited Iran's history in cybercrime and ability to target critical infrastructure, including energy grids.

We have reason to worry.

The U.S. electric power system is vulnerable to cyber-attacks due to its two-part infrastructure and the mismatched standards of protection imposed on those parts. The U.S. system of electric delivery includes both transmission for long distance, very large-scale power delivery; and distribution for local delivery within cities and towns. (The transmission system feeds power to distribution, and the distribution system feeds it to all of us.) The transmission system is required to meet robust, audited, enforced federal cyber protection standards—but the distribution system is not. Instead, the distribution system is regulated by state bodies with little to no cyber protection standards, leaving it vulnerable.

Legislation was recently passed to protect the nation's electric grid against cyberattacks, but the new law doesn't go far enough and doesn't move fast enough to protect us from imminent attacks. Threats from Iran illustrate that more urgent action is needed.

The Securing Energy Infrastructure Act, which was included in the National Defense Authorization Act (signed by President Trump in December), establishes a two-year program "to develop a national cyber-informed engineering strategy to isolate and defend covered entities from security vulnerabilities and exploits in the most critical systems of the covered entities to secure the grid against cyberattacks."

Hackers are already taking advantage of the system's vulnerabilities. A recent news report described a targeted campaign aimed at distribution system utilities serving key facilities in 18 U.S. states. While these hackers' phishing attempts were not successful, the campaign serves as a clear example that cyber vulnerability is real.

This is not the first time attackers have targeted critical electric distribution infrastructure. In 2015, 225,000 Ukrainian customers lost power for several hours when three regional distribution companies were attacked, presumably by Russia. Incident response teams subsequently reported that the attackers intended to disable the grid for a much longer period of time.

To gain an appreciation of just how dire the threat is, here's what the National Infrastructure Advisory Council (NIAC) said in their recent draft report: "Escalating cyber risks to America's critical infrastructures present an existential threat to continuity of government, economic stability, social order, and national security. U.S. companies find themselves on the front lines of a cyber war they are ill-equipped to win against nation-states intent on disrupting or destroying our critical infrastructure."

The NIAC, made up of experts involved in critical infrastructure from industry as well as state and local governments, sounded the alarm loud and clear. "Bold action is needed to prevent the dire consequences of a catastrophic cyberattack on energy, communication, and financial infrastructures. The nation is not sufficiently organized to counter the aggressive tactics used by our adversaries to infiltrate, map, deny, disrupt, and destroy sensitive cyber systems in the private sector."

The report adds: "It is not a matter of if, but when, an attack will happen. Our window of opportunity to thwart a cyber 9-11 attack before it happens is closing quickly."

Threats from Iran underscore the validity of this report. In other words, waiting two years or longer for the proposed pilot program is not an option. We need to act immediately to extend federal cybersecurity standards to protect the entire power grid through each state, from the largest power generation and transmission facilities to the smallest municipal electric company.

—Michael Ahern is director of Power Systems in the Academic and Corporate Engagement Department at Worcester Polytechnic Institute (WPI), and an instructor in WPI's Foisie Business School (FBS).

©2020 Telegram & Gazette, Worcester, Mass. Distributed by Tribune Content Agency, LLC.

Governing's opinion columns reflect the views of their authors and not necessarily those of Governing editors or management.

Special Projects