Smart Grids: Greener & Easier to Hack
The dog days of summer began with a sobering warning about “cyber-jihadists” in a new analysis from the Institute for Critical Infrastructure Technology. Policymakers should anticipate sophisticated anti-American groups developing world-class hacking capabilities. Doubtless old news at the Pentagon’s Cyber Command.
Meanwhile, in a parallel universe, energy policymakers are accelerating green initiatives that will make America’s electrical grids more vulnerable to cyber-attacks.
The problem? “Smarter” and “greener” requires that the grid be more fully connected with the Internet. “Smart” grids depend on Internet “smarts.” And solar and wind energy both require Internet-centric mechanisms to meet the challenge of using episodic supplies to fuel society’s always-on power demand.
Thus, policies from California to New York as well as the EPA’s Clean Power Plan, envision adding millions of Internet-connected devices to electric grids, hospitals, and cities. For hackers, this is called vastly expanding the attack surface. In that ‘smarter’ future, the cyber-hacking skills bad actors have honed to break into private and financial data can be directed at breaking into and controlling critical physical infrastructures.
Experts have demonstrated hacks into the entire panoply of devices associated with smart and green power, from smart lights and power meters to the power electronics on solar panels. Cybersecurity has simply not been the priority in green policy domains — even though technical and engineering message boards and publications are filled with examples of cyber-vulnerabilities or weak or non-existent cybersecurity features. With the full flowering of smarter infrastructures, just what are we likely to face?
Imagine it’s a scorching-hot summer day in Los Angeles sometime in the near future and the power in one wing of a hospital goes down, taking with it the air conditioning and all the critical hospital equipment from MRIs to life-support. The CEO gets a text from her facilities manager a few minutes before another wing in a different, larger hospital in the network goes black, too, as the back-up generator fails to start. This is followed by an email from the hacker stating that the power at all the hospitals will be shut down within an hour. The ransom is, say, $10 million in Bitcoins.
Now imagine a different scenario, this time a hot Manhattan evening when several blocks go dark. It’s not a ransom this time but a threat: more is coming. The mayor gets an image on his smartphone of the July 25th 1977 cover of Time Magazine with its headline “Night of Terror.” That 1977 New York City blackout lasted 25 hours, involved thousands of ransacked stores and fires, 4,000 arrests and $300 million in damages. This time, the mayor also worries that the attacker could be coordinating an array of Orlando-type physical assaults to fuel the chaos.
In the first case, the ransom gets paid and power comes back. In the second scenario, no physical attacks happen, but it takes two days and heroic efforts from ConEd’s crews to restore power by reverting to older manual systems that bypass the ‘smart’ stuff. But the terrorists made their point. And in both cases forensic teams from the Department of Homeland Security, the FBI, and DOD’s Cyber Command descend.
They learn that a sophisticated phishing scam inserted a computer worm, combined with malware loaded earlier in a backdoor hack into a power monitoring device, enabling the remote seizure of local power network controls. The NSA traces the cyber breadcrumbs to anonymous servers in Georgia (the country not the state) or Iran, or China, and … a dead end.
Sound far-fetched? Consider where we are today: ransomware attacks are already a scourge. The American Hospital Association reported that several health care companies and hospitals were hit earlier this year with ransomware (most paid). But, so far, hackers can only shut down a target organization’s access to its own computer system or e-commerce Web site. As for the future, consider that for hackers, today’s Internet-connected cars look just like tomorrow’s connected grids. Researchers have hacked the Ford Escape, Toyota Prius, Nissan Leaf, and — to great fanfare — a Jeep Grand Cherokee.
Last year’s “cyber-jacking” of a Jeep took full control from ten miles away by exploiting vulnerabilities in the Internet-connected infotainment system to backdoor into the car’s microcomputers that operate the steering and brakes. In the wake of that stunt, Chrysler recalled over a million cars and corrected those particular vulnerabilities. Earlier this year, the FBI and NHTSA issued a general alert regarding vehicle cyber vulnerabilities. Everyone on both sides knows it’s only the tip of the cyber-berg.
In fact, there have already been cases of grid-like cyber-jacking. In 2008, a Polish teenager hacked a city’s light-rail controls and caused a derailment. In 2010 the world learned of a clandestine hack — ostensibly U.S.-Israeli — that inserted the Stuxnet computer virus to damage the electrical infrastructure of Iran’s nuclear facilities. In 2015, hackers breached the operating system of a German steel mill, causing enormous physical damage. And this past December, hackers blacked out Ukraine’s electric grid.
So far there have been no such hacks on U.S. power grids that we know about. And experts testifying before Congress about the Ukraine event credibly asserted that America’s long-haul grids are better protected — at least for now. But that’s not the issue.
Exposure is a problem not so much with long-haul grids but with local grids in cities and communities where all the Internet ‘smarts’ are planned. As green connectivity is accelerated onto those grids, the attack surface expands. Today’s grids are, by Silicon Valley standards, dumb — even if deliberately so. But we already know what adding more Internet connectivity enables.
The Department of Homeland Security asserts that America’s manufacturing and energy sectors are the top two targets for attacks on cyber-physical systems. And Cisco reports that 70 percent of utility IT security professionals discovered a breach last year, compared with 55 percent in other industries.
Here’s the rub: green grid advocates are pushing policies that will create more Internet-exposure precisely when bad actors and hostile nation states are rapidly escalating their hacking skills.
Policymakers genuflect to the importance of electric security and reliability. But actions speak louder than words. Over the past eight years, federal and state green and smart tech funding totaled $175 billion; one thousand times more money than DOE reports spending on cyber-physical security research.
Does this mean we should avoid bringing Internet-class controls to grids and infrastructures? Hardly. Engineers and entrepreneurs — not bureaucrats— will, ultimately, develop smart and secure systems. But security must be the priority. In every infrastructure throughout our history — from power and water to hospitals, cars and aircraft — policy has, rightly, put safety and security first. With society more dependent on electricity than ever, it’s no time to reverse priorities.
The cyber-jihad report concludes: “Thankfully, even successful [cyber] attacks on the United States Energy sector would not have the same impact as those against Ukraine in 2015, because the grid is much larger and minutely segmented.” That’s true — for now. But in a world where terrorist attacks are all too common, prematurely pushing “green” or “smart” tech onto the grid — leaving cybersecurity on the back burner — will set the conditions for a perfect cyber-storm.
Mark P. Mills is Senior Fellow at the Manhattan Institute and author of Exposed: How America’s Electric Grids Are Becoming Greener, Smarter—and More Vulnerable.