How Secure Is The United States Power Grid?

How Secure Is The United States Power Grid?

From transportation,
to telecommunications, health care and banking. The digitization of our
infrastructure has made our daily lives more
convenient, but it’s also opened us up to
the threat of cyberattacks. Yahoo’s hack of over
500 million accounts will make it the biggest
data breach ever. Equifax, which, as you know,
is a very large supplier of credit information,
has announced a cybersecurity incident that
they say potentially impacts about 143
million U.S. consumers. Marriott announcing that
up to 500 million guests with
reservations at Starwood Properties could have had
their data compromised. But it’s not just
companies under attack. Increasingly, power plants
and other critical infrastructures are also
becoming a target. Critical infrastructure is
really anything that makes up the
backbone of society. Everything from transportation
and airlines to banks. Cyberwarfare is the
new weapon of choice. You can run a cyberattack
remotely, shut down the critical infrastructure of
other countries, create massive destruction
of refineries and chemical plants without ever
shooting a gun. Electricity is so prevalent in
our lives that we often don’t even think about
it until it fails to work. All electricity starts
at a generator, which can be powered by
wind, water, coal or even nuclear fission. After it
is generated, the electricity travels from the
power plant to transmission substations, which convert
it to a very high voltage so that
it can travel long distances. From there,
the electricity travels along power lines to
another transformer, which again converts the power, this
time to a lower voltage, before it goes
into our homes and businesses. Often people think
of the power grid as “the grid.” It’s really not. It’s a quilt
made up of 3,000 or so power companies that
are owned by investor-owned utilities. But most of them
are rural electric associations, or maybe a few
owned by the government. But generally it’s
a mixture. This ownership disparity
also means that utilities are
regulated differently. The focus of the regulation
is to prevent the bulk electric system from
suffering a widespread outage. So it may
not affect the smaller companies that are serving
smaller cities or rural areas. On one
hand, smaller power companies in the United States may not
be as juicy of a target because they have
a small amount of customers, say 25,000. But on the other hand,
they may be more susceptible to cyberattacks
because they don’t have a big as security team
or a big as security budget to focus on
protecting their critical systems. That’s where
Sistrunk comes in. As a consultant for
cybersecurity firm, FireEye, part of Sistrunk’s job
involves teaching a digital forensics class for
people who want to learn how to defend
the control systems running our power plants. And to
learn how to defend against an attack, you first
have to learn to hack. This is a
small PLC, programmable logic controller. This particular device
is made by Phoenix Contact and it’s basically
easy to for an attacker to get into. There’s a lot of
vulnerabilities in it. Sistrunk demonstrated how a
hacker may alter the functions of “stop” and “go”
buttons that in a power facility may control
something like a motor or a pump. This is a
web page of this PLC and it’s been hacked. You can
see whenever I try to click on the red stop
button, the green start button comes on. So an attacker can go
download the software and change things if
they wanted to. And that’s what we
do in the class. In a conventional warfare
attack, the first thing that is hit is
the infrastructure, the refineries, the electrical
systems, the chemical plants, those things that
fuel the war machine. You can simply do the
same thing remotely with cyberweapons. It seems
like attackers have crossed the Rubicon or
they’ve crossed the red line in the sand. You know, that they
are going after control systems, whereas once
no one cared. Today, there are more than
9,700 power plants in the US. Many of them
were built decades ago when operating a plant required a
lot of manual labor and cybersecurity was
not a consideration. But that’s changing. Starting in
the mid ’80s and early 2000s, the
industry started connecting these control systems
through the enterprise networks to the internet,
for the benefit of remote access, information
sharing, etc.. Fantastic for productivity
improvement and business enhancements, but that
exposed us to cybersecurity threats. The heart of a power plant
is what is known as a SCADA system. SCADA
stands for supervisory control and
data acquisition. These systems are made up
of a combination of software and hardware that
allow operators to monitor and control plant
processes in one central location. Besides
power generation plants, SCADA systems are
ubiquitous in the manufacturing, telecommunications
and transportation sectors,
among others. Today, a typical SCADA system
is made up of thousands of components and
runs on several different kinds of
operating systems. Because of this wide
spread of operating systems, it creates a very
complex surface that security experts have to understand
before they can defend against the many different
types of exploits used against those specific
operating systems. Since 2010, the number
of attacks have increased exponentially. The reason for it
is that it’s a lucrative business for ransom
attackers as well as for nation states. A 2015 risk report put
out by the University of Cambridge and Lloyd’s, a
large insurance company, posed a hypothetical scenario
in which a cyberattack plunged
15 U.S. states into darkness, leaving
93 million people without power. The report
estimated that the loss to the U.S. economy
would range between $243 billion to $1 trillion. There is a belief that
every system could be compromised, especially these
control systems, since they were not
originally designed for cybersecurity, unlike computers that
we use at home and at work that
are regularly patched and protected from
cyberattacks. As reported in this “60
Minutes” episode on CNBC from December 2014, the
first cyberweapon to cause physical damage was used
in Iran in 2010. We begin with the story
of Stuxnet, a computer virus considered to be
the world’s first destructive cyberweapon. It was launched several
years ago against an Iranian nuclear facility,
almost certainly with some U.S. involvement. Stuxnet infected SCADA systems
that were running Windows and Siemens software
within the nuclear facility. It was used
to spin centrifuges too fast until they
basically destroyed themselves. This was the first time a
virus of this type was used to physically destroy
something within a power facility. In December
2015, hackers cut power to around 225,000
people in Ukraine. The incident became the
first successful hack on utilities. It was believed
to have been done through a tactic
called spearphishing, where hackers sent emails with
malicious attachments to I.T. staff and system
administrators that helped to steal the
recipients’ credentials. Almost exactly a year
later, hackers again shut off power to a large
part of the Ukrainian capital. Some have blamed
the attacks on Russia. While the attacks were short
lived, it showed the world that Russia had the
will and the ability to conduct cyberwarfare in
this way. Another attack shook the
cybersecurity world in 2017, this time in
the Middle East. In the past year, researchers
have spotted a new family of industrial
control malware. It’s called Triton. Triton
was a really alarming piece of malware. It
affected facilities in the Middle East. And what was
most alarming about it was that it disabled
what essentially was the kill switch for
a catastrophic disaster. The metaphor I use here
is relying on the police to come help you out
when your house is broken into. But the police is
asleep in his police car. That is a metaphor of
that safety system being bypassed. Though there’s not
been a cyberattack in the U.S. that has shut
off power to the grid, hackers have still gone
after utility companies. In 2016, an electric
power and water utility company paid $25,000 in
bitcoin ransom after hackers locked the utility
out of its computer systems. In 2018, the
Department of Homeland Security and the FBI
issued a joint alert, warning that Russian
cyberactors had been targeting U.S. government
entities and critical infrastructure sectors
since 2016. And in 2017, the Department
of Energy disclosed a hack at an electric utility
in the western U.S. Though the hack did not
cause outages, it did show that our power
grid was vulnerable. Most countries that the
United States has an adversarial relationship with
don’t actually want to go to war
with the United States. It makes more sense
for them to conduct reconnaissance missions against
our electrical grid. For that reason,
it’s more realistic that the types of attacks we see
are in the name of gathering information or opening
back doors, then some sort of catastrophic
attack or an attack similar to the one that
we saw in Ukraine. Protecting our energy grid
is essential to our national security. But there
are a few reasons why it is
difficult to do. For one, it’s hard to
even gauge how many cyber attacks there are. The reason
we don’t have good numbers around how many
cyber attacks there are against utilities is that
most of these companies simply don’t report them. There’s not much of an
incentive for utilities or the companies that provide
them with equipment to tell the public about
every cyberattack they’ve had. They would risk
panicking the public and they might also even
open themselves up to further attacks if attackers
know what’s working against them.
That’s changing. In early 2019, the
Federal Energy Regulatory Commission updated cybersecurity
standards for electric grids. The new standards require
electric companies to report any incidents that
either compromise or attempt to compromise
electronic security perimeters, electronic access
control or monitoring systems and
physical security perimeters associated with
cyber systems. The new reliability
standard also encompasses disruptions or attempts to
disrupt the operation of a bulk electric
system or cyber system. Like with Stuxnet, hackers
may try to subvert security measures by
targeting suppliers as opposed to going after
the big utility companies. Companies are becoming
very careful about checking the software that
comes from their suppliers. In fact, they
have a test environment whereby the updates for the
software is tested to make sure that the
software they’re getting from their automation vendor is
not infested with malware. Another best practice
is what is known as PEN or
penetration testing. PEN testing is a
process through which you intentionally attack your
own system, whether with your own people or
bring people from the outside to see how
well your defenses are. But finding someone to perform
this test is often difficult. There is a
shortage of over 1.5 to 2 million cybersecurity
experts in our industry, and that is
something that’s going to harm us if we don’t
address it more proactively. Despite these obstacles,
experts stress that there are steps we can
take to mitigate the risk of cyberthreats. Knowing what
you have is the very first thing you must
do, and that’s become more and more accepted as
the first thing you do, which is gain a
complete inventory of your control systems. The second thing that you
do is understand your vulnerabilities and
address them. Those are the holes
in your system. And the best way to do
that is do some PEN testing or
vulnerability assessment. And the third thing
that we advocate is understanding the configuration
of these systems, the brains, the genealogy of
the data in your environment and
controlling that. So when they are
changed, you know. And the last thing
that we advocate, very strongly, is assume
you’ve been attacked. What are you doing
for recovery purposes? Do you have the
latest version of that configuration of your system
to bring the system back up in the
unfortunate occurrence of losing the system? Adopting new
technology is part of competitive advantage. You have to
continue to automate. You have to continue to
take on new technologies to make your
business competitive. Otherwise you get
left behind. While the threat of
cyberattacks against the grid is a real threat, and
we have to be proactive about it, and we have
to prepare for it, it’s also important not to
panic and to not sensationalize. We
experience reconnaissance missions and attacks
against electrical companies every day. The majority
of them are not successful.

100 thoughts on “How Secure Is The United States Power Grid?

  • Wow. What a bunch of completely deluded, arrogant children on this thread. If you don't think this world could go dark, you're fooling yourself. You ancestor lived in the dark a mere 200 years ago. That wasn't so long ago in the scheme of things. Are you prepared? NO…… Are you prepared for ANY Natural disaster?…. NO. WHY? Because you live in world of making fun at everything you don't understand. Pity. You'll be the ones who won't be able to feed, shelter or secure themselves…and the first ones eliminated as liabilities.

  • In the early 1900's, Nikola Tesla intended to design and set up America's electrical power grid as a wireless system by implementing wireless longitudinal scalar waves to transmit wireless high voltage electricity across America without power-line wires.  

    Multi-billionaire John Pierpont Morgan had denied Thomas Edison the money he wanted to set up America's electrical power grid system with direct current electricity using electrical power-line wires; Nikola Tesla had explained to J.P. Morgan that it was not feasible or cost effective to use direct current electricity to send electrical power long distances unless it was transmitted as wireless direct current electricity using longitudinal scalar waves to transmit the electricity.  

    However, after Nikola Tesla explained to J.P. Morgan that it was not possible to attach electric utility meters to a wireless electrical power grid system, J.P. Morgan told Nikola Tesla he would finance the building of an alternating current electrical power grid system, only if Nikola Tesla and George Westinghouse discovered a way to attach electric utility meters at every property address that would be accessing (using) the alternating current electricity.  

    To Nikola Tesla's dismay and disappointment, J.P. Morgan would not agree to allow citizens to pay a flat rate monthly fee or tax to access electricity each month because without a way to attach electric utility meters to each property address of a wireless system, there was no way to measure or keep track of how much wireless electricity each property address would be using from one month to the next.  

    This is the reason that the world's electrical power grid system ended up with high voltage electrical power-lines covering the surface of the earth instead of being a wireless power grid system.  Scalar longitudinal wave transmission of electricity does not emit electro-magnetic field radiation.  

    Nikola Tesla had also designed all electric personal vehicles and public transportation that was designed to receive wireless electrical power by way of an antenna to receive longitudinal scalar wave transmission of electrical power through the air and / or through the earth without requiring a battery!  

    Unfortunately, the fossil fuel internal combustion engine all too soon, replaced the electric horseless carriages of that era of American history and, the atmosphere then began accumulating excess carbon dioxide from the unnecessary world wide combustion of fossil fuel within internal combustion engines of cars, trucks, buses, motorcycles boats, etc.  

    J.P. Morgan and Thomas Edison died very wealthy, but Nikola Tesla was cheated out of millions of dollars after designing, inventing alternating current and the machinery it requires to be produced; he lived the remainder of his life a poor, destitute man in America.  

    That excess carbon dioxide is now contributing to global warming and the melting of the polar ice, rising sea levels and, catastrophic weather around our planet.

    Note: This is actually a repost, unfortunately I misplaced the name of the original author.

  • I wonder if they factor in natural gas generators Bc I’m sure a lot of those 93 million people have a generator. Especially a bit corporate building or a big company in general.

  • 13:45 "to make your business competitive or you get left behind"

    Power companies are not "competitive". A power company is a natural monopoly. There is no competition.

  • Neither are our satellites, which are getting worse by the day! Damn sloooow, lags worse than turtles and America ranks on the lowest end of internet speed compared to the rest of the world, including trumps 3rd world shitholes!

  • I would worry a bit more about the to the Trump Mafia-donating climate change denials-funding right-wing American energy-monopolies as the one burning down and leaving "Liberal" anti-Trump California in the dark because they were cheap fascistic money-grabbing corrupt dickheads for the past 50 years!

    But hey you geniuses, always look in the farthest distance first never at the enemies nearest.
    So ironic your childish U.S. society so built on FEAR!

    Godless Best,
    Projectheureka LLC

  • As someone that works in this field..threats definitely get reported and shared with other agencies. Constant audits from NERC CIP. Federal regulatiom requires a network diode and airgap of critical control wan. Anything on BES High side. US is doing a better job at it at least at federal level.

  • Exactly why we homestead in the city! Never know when you should be prepared for anything. (I don’t understand the type of ppl who wait for government to help them 🤦🏼‍♀️)

  • Not until we all have nongridtied solar solutions….🔎🤷‍♂️

    Cant hack a hard wire from my panels to my battery.

  • I talked with a guy who said that super elite hacker make complex viruses for cyber warfare and sell them on the black market for millions! These viruses get complex. One to increase the electricity in the grid to melt all the power lines and everything goes dark. Won’t be able to fix all the power lines for months. Another interesting viruses they sell is one that heats up your computer till it explodes in your face possible to use for assassinations! There are hackers that legit buy Ferrari’s online for free then the company asked if they paid for it and all the hacker does is show a hacked receipt they stole saying they did buy it 😂 and they won’t know what happened till 20 years later. These hackers change there IP address ever 30 seconds so fbi can’t track them because it takes 1 minute and 30 seconds to track somebody! There are hackers that stole satellites 🛰 in space! Just to give you an idea on how crazy this cyber stuff is! These elite hackers spend 40,000$ for super computers they make themselves.

  • Our nation cant even secure the healthcare insurance hospital gap 🔎🤣 buy healthcare coverage from an insurance company that's not covered by the hospital 🙌🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️ logic

  • Putin just need to take his pager out of pocket and give the voice command ''Hey Blyat! Disable american electricity'' and boom whole U.S in dark

  • Oh from the title I thought this would be about how old and badly maintained the US power grid is. Maybe lack of investment is the biggest thread …

  • Why don’t they revert back to analog and closed circuit systems that’s not connected to the internet? Problem solved, this is why using all these “smart devices” in houses and other infrastructure is stupid as hell

  • There isn't a lot of misinformation in this story, but there is a huge lack of depth for the part where they talk about protecting these power companies. FERC has compliance regulations they mentioned for a few seconds called NERC CIP. These require a lot of security protections be in place. There are hefty fines for not complying with this security framework for energy producers. Some of the most cyber hardened companies in the US are the larger power companies. Smaller energy companies or those renewable energy companies, less so. The power generation/scada networks are typically super segregated from anyone on the internet who could hack them. The risk is a lot lower for this than other companies, for example, who have a lot of data/assets completely exposed to the internet via web servers, etc. Source: am security person who worked at two power companies previously.

  • That’s why I hate that we are using more and more technology in our lives and that we have to rely on technology so much.

  • Stutsnex or how ever it is spelled really worried people. It was never meant to leave Iran. Instead it was released into the world and was everywhere. No one knew what it was doing it just sat there. It didn't know what to do since it was designed for Iran's Nuclear Facilities and was on a cash register. It is a very interesting virus the NSA developed.

  • Cyber sercurity and IT personnel have been under valued and cast aside for so long that it should be time to require certain industries to met a federal mandated minimum requirement for cybersecurity.

    This is what happens when corporate overlord di(kholes go and lay off entire cyber sercurity divisions at their company because they don't see the long-term benefit and want to save a dime short term.

    As for the energy company that had to pay 25,000 in bitcoin……serves them right for not paying attention to modern trends and technology. Lots of people with cyber security degrees and backgrounds out there. STOP being cheap and go hire them!

  • Francly in the start of the vid you said that "We don't think on electricity". When you live in a coultry, my Panama, that the bill of energy is so high, compared to the salary because people doesn't want to pay it and the gov put high taxes to this private enterprices, you always think of electricity, and even kids too.

  • Power, water utilities control software of SCADA and other ladder code software for process control. Any junction box access and a few cables, laptop. Control can be achieved in minutes.

  • No.

    And neither is their other infrastructure.

    The current US infrastructure status stands at a D- and just to get it to a B- status they'll have to invest 17 trillion USD in the short term.

    That's just much needed maintenance, nothing new will be build for that cost, just an FYI.

    That has a name, technical bankruptcy.

  • oh my god. fear farming media. This is like telling America that we can get bombed or invaded at any given time from another country. When every outside country is too invested in being here in the first place and who would clean up after nuclear fallout. Country is taken, bombed… no one is managing the nuclear sites. Now the world is going to have to deal with all that fallout. Dead world… C'mon… jesus christ.

Leave a Reply

Leave a Reply

Your email address will not be published. Required fields are marked *