DOE Secretary Jennifer Granholm in June told CNN that enemies of the United States have the capability to shut down the U.S. power grid, and "there are very malign actors trying, even as we speak."
Granholm was discussing President Joe Biden's push to better secure the utility sector, which faces a growing threat from ransomware and attacks on operational technology. There are mandatory security requirements and high levels of redundancy built into the U.S. bulk power system, but when asked if a sophisticated hacker has the capability to crash the grid she replied soberly, "Yeah, they do."
That may bring to mind worst-case doomsday scenarios, but security experts say there is little imminent risk that hackers will cause a widespread blackout, despite a near-constant barrage of attacks on utilities and grid assets.
"I don't think the threat to reliability is imminent" even as more operational technology (OT) is internet accessible, said Lila Kee, general manager for GlobalSign's North and South American operations. "Attackers are getting smarter and as we move OT online the threat surface will be wider, but what these hackers are doing is espionage. They're going after data, they're going after [intellectual property]."
"Most cyberattacks today are financially motivated."
Former director of critical infrastructure protection, Southwest Power Pool
"If they wanted to go after the OT networks, from a sabotage standpoint, that's an act of war," Kee said. "And I don't think even some of the biggest state actors are going to poke that bear."
There are a variety of hackers and groups, "and their goals are similarly varied," Kevin Perry, formerly the director of critical infrastructure protection at Southwest Power Pool, said in an email. Perry retired in 2018.
"Most cyberattacks today are financially motivated," Perry said, with hackers attempting to steal credentials, company or customer financial information, or intellectual property. "Basically, information that can be used for financial gain."
But "there are attackers whose aim is to disrupt the business, either with ransomware or by attacking and manipulating the business-critical systems," Perry said.
An act of war
Crashing the grid would require a sophisticated attack and knowledge of electricity systems. Like Kee, Perry also sees little appetite for the most dramatic attacks.
"OT systems are very complex and the attacker will need a certain level of knowledge and sophistication. That [would] most likely be a nation-state backed hacking group," he said. "An activity of a nation-state actor that intentionally causes a blackout will likely be viewed as an act of war and will likely result in a kinetic or electronic response, or both, once the actor has been positively identified."
"Sophistication can ultimately be bought."
VP for security and preparedness, Edison Electric Institute
Right now, hacking groups in Russia, China, Iran and North Korea, are all known to have high levels of sophistication. The electric industry, however, says it is prepared for a future where more hackers have those capabilities.
"Sophistication can ultimately be bought," Edison Electric Institute (EEI) Vice President for Security and Preparedness Scott Aaronson said. EEI represents investor-owned utilities, which provide electricity for about 220 million people in the U.S.
Taking down the grid would require a very complex attack but "we are preparing for that possibility today," Aaronson said.
Less sophisticated attacks are frequent, say experts, and often have little or no impact on operations.
"We've responded to intrusions at generation plants and within control centers," said Ben Miller, vice president of professional services and research and development for Dragos, a security firm focused on operational technology (OT) environments. "But did those cause a blackout or outage? No."
The attacks were opportunistic and in many cases hackers may not have even known what OT environment they were in, Miller said.
"Gaining access into a grid facility is certainly in the realm of possible, even accidentally," Miller said. But between gaining access and having a particular impact "is a lot more sophistication than ransomware or a malicious piece of malware, and it does rise into that state-aligned category."
The U.S. grid is designed with such redundancy in mind. Even if a hacker were able to take down the largest generating asset on the grid — the 6.8 GW Grand Coulee Dam in Washington — it would not cause a blackout, said security consultant Tom Alrich.
"Plants being down should never be the cause of an outage," Alrich said. "That's the whole idea of a reliability coordinator. They make sure there's always enough backup to cover any contingency."
All that said, experts agree it is possible for hackers to cause a blackout.
"Now, if you start to have a bunch of plants go down at the same time, that's another story," Alrich said. "But plants are not the problem. ... When you're talking about really serious attacks, you're talking about attacks on control centers or attacks on substations."
A brief history of energy cyberattacks
For the most part, the United States has avoided grid impacts from cybersecurity threats. A 2018 attack interrupted communications on the Midcontinent Independent System Operator, grid but customers ultimately felt no reliability impacts. But there is history.
The most well known grid cyberattack in the world occurred in 2015 when hackers knocked out power to almost a quarter million people in Ukraine. The attack, widely attributed to Russia-backed hackers, was possible because "there was not proper isolation between the IT and OT systems," said Perry.
Hackers compromised IT systems via a successful phishing email attack, he said, and were then able to move throughout the network to attack the utility's energy management system. They downloaded malicious firmware that impacted grid operators' ability to communicate with substations while also controlling key equipment.
"When there's a ransomware attack in the IT network, it will inevitably result in an outage on the OT network."
Experts say the Ukraine outage remains largely consistent with how hackers could attack the U.S. grid today.
Other vulnerabilities have been studied. In 2007, Idaho National Laboratory's Aurora Generator Test proved a cyberattack could physically destroy a generator by connecting it to the grid out of phase, which leads to extreme torque and the machine breaking down.
Most recently, the North American Electric Reliability Corp. (NERC) said the 2020 SolarWinds attack, in which sophisticated malware was inserted into the software supply chain, exposed a quarter of the electric utilities it regulates to the vulnerability. The electric sector could take years to determine the full impacts of that attack, say experts.
The attack on Colonial Pipeline, which transports refined oil products, had no electric grid impacts but is an example of unintended consequences. Hackers attacked Colonial's IT system and the company defensively shut down the pipeline.
"When there's a ransomware attack in the IT network, it will inevitably result in an outage on the OT network," Alrich said. Utilities aren't going to turn off the power to mitigate a cyberattack, he said, but the MISO attack is an example where a control center was taken offline to avoid impact.
SolarWinds and Colonial are good examples of the threats facing the energy sector, said NERC Senior Vice President Manny Cancel, who is also CEO of NERC's Electricity Information Sharing and Analysis Center (E-ISAC).
SolarWinds illustrates the threat to supply chains, "and in that case, the adversaries solved the 1-to-many problem," said Cancel, compromising a single platform and subsequently infecting thousands of users. The Colonial shutdown shows hackers "don't necessarily have to target control systems" to have societal impacts.
The threat shows no sign of abating, he said. The number of software vulnerabilities announced for control systems in 2021 "substantially eclipses" prior year warnings.
E-ISAC is preparing to facilitate GridEx VI, a biennial security exercise, Nov. 16-17. The event allows electric utilities to test their cyber and physical security plans in response to mock attacks, and the 2019 iteration drew more than 6,500 participants. The 2021 exercise will include a simulated software compromise, said Cancel.
How a successful attack might happen
If an adversary did pull off a successful grid attack, it might look similar to the Ukraine incident, say experts.
According to Perry, an attacker would need to gain access to the OT systems and interfere with their operations, including Supervisory Control and Data Acquisition (SCADA) and Energy Management System (EMS) systems in the grid's control center.
Hackers would "either cause it to improperly control the equipment in the substation or generating plant, or leverage its connections with the substations and generating plants to compromise the cyber assets in the field," Perry said.
That's essentially how the Ukraine attack occurred, and it remains a potential method today, experts warn. "They were then able to move throughout the network to find and attack the SCADA/EMS," said Perry. The attack worked, he said, "because there was not proper isolation between the IT and OT systems."
Once hackers were in the SCADA system, they installed malware into devices used to communicate with the substations, and also to remotely operate the SCADA/EMS to open breakers in the substations.
Likely attack surfaces
To disrupt the power grid, a hacker would need to compromise systems at one or more of three types of assets: control centers, substations or generating plants.
Generation is actually the least likely to be attacked, say security experts, in part due to the redundancy of the grid. And plants with multiple units also tend to have systems that are segregated from one another, limiting the potential impact of an attack.
There are "very few common systems in the plant able to impact multiple units," Perry said, with separate units tending to have separate operator control and process control networks.
"Certainly a nefarious electrical engineer could do a system analysis view of how they would destabilize the grid and that would give the attackers their objective."
VP of professional services and research and development, Dragos
Control centers are a likely attack surface, said Miller, with their large geographic view across a territory. If hackers can disable communications at a center, cutting a grid operator's visibility into their system, then utility officials could be blocked from re-energizing a line if a substation protective relay is disabled.
"That was essentially the 2015 [Ukraine] attack, basically using the system as it's designed against itself in order to de-energize those lines," Miller said.
"There are a couple of attacks" that are possible on today's grid, said Miller, though he declined to walk through how they may happen. "Certainly a nefarious electrical engineer could do a system analysis view of how they would destabilize the grid and that would give the attackers their objective."
A control center SCADA device can receive data from and issue control commands to multiple substations or generators. "If an attacker can compromise the SCADA/EMS, then the attacker can conceivably impact any or all of the substations and generating plants the SCADA/EMS communicates with," Perry said.
Substations are the next most-likely attack surface, he said. Opening the right breakers in the right substations "will de-energize transmission lines and could result in transmission line and generator trips due to line overloading or the voltage and frequency excursions that resulted from the initial line de-energization."
While NERC's critical infrastructure protection standards set baseline security for the bulk power system, federal regulators have been considering whether stricter standards for distributed resources on the grid are needed. There is some support in the vendor community for lowering megawatt thresholds to require stricter rules, but the utility sector says new and updated standards are expected to address any security gaps.
Cascading failures: Lessons from 2003
For a widespread blackout to take place, an equipment failure essentially has to be significant enough to unleash a chain of events.
"There has to be enough failure to cause a significant frequency or voltage excursion, which results in breakers being opened specifically to protect the equipment from damage," Perry said.
The 2003 blackout in the Northeast is an example — and has a cyber component, despite there being no hacker involved.
"The blackout occurred when a [transmission] line overloaded and was not dealt with in a timely manner, causing more lines to overload and trip, generation to trip off in response, more lines to trip, and so forth, until the grid became sufficiently unstable to cascade into a large geographic area outage," said Perry.
The problem was enabled by the failure of two safety features, he said: a FirstEnergy alarm subsystem and the State Estimator at the Midcontinent ISO. But grid officials say lessons from the 2003 event have since been incorporated.
There have been "various controls and safeguards built into the grid to prevent a cascading effect similar to what you saw in 2003," said Cancel.
How the grid recovers
Once utilities have regained control of their systems, recovery looks like it does for any widespread event, say experts. Grid operators have plans that rely on generation with black start capabilities, used to help get large fossil plants back up and running.
These are sometimes hydro, solar or wind units, said Perry, but are more often diesel and gas combustion turbines that can be started with batteries. It can take up to 24 hours for some larger steam-driven plants to get back up and running, he said.
"Look at our response to storms. The industry has a history of being able to respond to disasters."
Senior Vice President, North American Electric Reliability Corp., & CEO, NERC's Electricity Information Sharing and Analysis Center
"As the fossil plant is brought up, load is added to keep the unit stable," said Perry. "If things become unbalanced, the newly energized grid can collapse and the process starts all over again."
Recovery from a grid attack will depend on how widespread the impacts are and "the level of damage that has occurred," said Cancel. If hackers have "just found a way to shut down systems, maybe you can recover in short order."
"That being said, the industry has plans and we demonstrate this every day," said Cancel. "Look at our response to storms. The industry has a history of being able to respond to disasters."
Mutual assistance is "the superpower of the industry," said EEI's Aaronson, though it is more frequently considered in terms of storm recovery. The utility sector's Hurricane Ida response, for instance, brought more than 27,000 workers into Mississippi and Louisiana this summer to help restore power.
The Electricity Subsector Coordinating Council (ESCC) runs a cyber mutual assistance program, which helps utilities procure services, personnel and equipment, including replacement of high voltage transformers, in the event of an attack.
The cyber assistance program has more than 170 participants, including electric and and gas utilities and grid operators. According to the ESCC, participants in the program cover approximately 80% of U.S. electricity customers, three-quarters of U.S. gas customers, and another 1.25 million electricity customers in Canada.
"This is an industry that has a culture of mutual assistance. That was a construct that we wanted to leverage for cyberthreats," Aaronson said.