Page 41 - Cyber Defense eMagazine for September 2020
In such a situation, the needed components that make up the power grid, such as transformers and
substation equipment, are not readily available. The largest transformers that make up the biggest
substations in every state are built on demand; these take 12 months or more to build. Power companies
can redirect electricity around a single substation, but if hackers gain access to command and control
stations, they can adjust the voltage and frequency of the power grid, causing multiple failures in a region.
For years, industry leaders have known about the power grid’s vulnerabilities, especially an aging
infrastructure that’s extremely expensive to replace. Most leaders are praying that the unthinkable will
never happen, or that these hackers will just magically “go away.”
U.S. Senator Angus King (I-Maine), co-chair of the bipartisan Cyberspace Solarium Commission (CSC),
has been advocating for the inclusion of vital cybersecurity amendments in the 2021 National Defense
Authorization Act (NDAA). In a speech on the U.S. Senate floor on June 30, 2020, Sen. King stated: “Just
as the pandemic was unthinkable, nobody could think of an attack that could bring down the electric
system, or the transport system, or the internet, but it can happen. The technology is there… I believe,
Mr. President, the next Pearl Harbor will be cyber. That's going to be the attack that attempts to bring this
country to its knees, and as we've learned in the pandemic, we have vulnerability, and we have to prepare
for it.”
Progress has been made in detecting hacks and threats when they are occurring. However, we need
encryption systems that will prevent hacks from ever occurring in the first place.
Power Providers’ Out-of-Date Software Systems are Difficult to Protect.
Among its many directives, the North American Electric Reliability Corporation (NERC) issues critical
infrastructure protocols (CIPs) that mandate that all owners, operators and users of the U.S. bulk power
system comply with Federal regulations (FERC) from the U.S. Department of Energy.
Among NERC’s CIP requirements are monthly or quarterly virus updates on human-machine interfaces (HMIs).
Despite Windows 10 being the latest upgrade, many power control systems are still operating on legacy
technology platforms, such as Windows XP, Windows NT and Windows 2000, which were not designed with
advanced security in mind. They are extremely vulnerable and expensive to upgrade. An internal
employee tasked with running NERC’s CIP updates on a legacy platform could inject a virus simply by
using a thumb drive or USB stick.
NERC requires energy providers to perform daily tests and report their levels of protection; fines for
violating these regulations can be up to $1 million per day, per offense. These entities spend hundreds
of thousands or millions to stay up to date on NERC guidelines. The average power plant producing
greater than 10 megawatts typically spends a minimum of $250,000 per year to maintain compliance with
NERC and FERC regulations.
Most large utilities and independent power producers (IPPs) use a remote central location to monitor
and collect data from their plants. These remote connections are only being guarded by fancy firewalls
and routers. Because of the high speed of the data required by command and control systems, none of
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.