What’s lacking in grid cybersecurity

As aging power grids are connected to the Internet, more systems will be transformed by the addition of information and communications technologies. But security experts worry about the potential threats that transition will pose to an already fragile electrical network. If hackers launch a major cyberattack, there are concerns about the ability of the North American electrical system to hold up.

Indeed, the implications of an attack against poorly protected critical electric-grid sites are profound. The nonprofit organization that acts as a watchdog and standards-bearer for North America’s power grid told Congress that a worst-case scenario due to a cyberattack on the electric grid could trigger an outage that would last one to two weeks. Considering the increasing reliance on electricity in the United States (the EIA expects energy consumption to continue to increase at a steady clip over the next couple of decades), an outage of that magnitude would qualify as a crisis.

Lloyds Bank published a study of worst-case scenarios involving cyberattacks against the U.S. power grid. The good news is that Lloyds believes the scenarios it considered were still “improbable.” The bad news is that the attacks remained “technologically possible” and had the potential to inflict up to $1 trillion in total damage on the economy.

The challenge of upgrading an aging communications and network infrastructure to meet heightened cybersecurity standards is further compounded by the fact that there’s not just one grid with a central authority. Rather, there exists a “system of systems” that are owned or used by more than 3,000 utilities.

Lack of urgency

At the same time, new security requirements will surface as more smart systems and appliances get connected to the grid. Between 2007 and 2014, for example, the number of smart meters in the U.S. soared from 10 million to more than 50 million as part of the rapid deployment of smart devices belonging to the Internet of Things, which also includes so-called smart houses, smart cars and other IoT-enabled devices.

The concern is that attackers hacking into any of these IoT implementations could then tunnel their way upstream into the electric grid. The worry is compounded by a seeming lack of urgency to prepare against potential threats.

The Department of Homeland Security has published a set of cybersecurity guidelines that operators of the grid and of other industrial control systems can follow to reduce their attack surface. It includes the usual reminders about patch management and other best practices for building defensible environments.

But the biggest challenge may be philosophical. Only 29 percent of U.S. companies are starting to implement a cyberphysical strategy, 36 percent are still developing a strategy, and 18 percent have no plans to even develop a strategy, according to the SANS Institute.

The lesson should be clear: If grid operators can modify their thinking about security to fit with changing times, they can avoid a lot of needless stress. Otherwise, they are fated to live in interesting times.

Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.

Copyright © 2016 IDG Communications, Inc.