The Next Disaster Scenario Power Companies Are Preparing For
In the 10 years since sagging power lines in Ohio sparked a blackout across much of the Northeastern United States and Canada, utility engineers say they have implemented measures to prevent another such event in the country's electric grid.
But there is one disaster scenario for which the power companies are still unprepared: a massive attack on the computer networks that underlie the U.S. electric grid.
Energy industry leaders believe a cyberthreat could produce a blackout even bigger than the August 2003 outage, which left an estimated 50 million people in the dark.
"We have to treat the cyberthreat with the same respect that we give to forces of nature, [such as] hurricanes, floods, ice, storms," said Chris Peters, vice president for critical infrastructure at Entergy, a company that operates nuclear power plants. "We have to fund it, we have to staff it and we have to be ready to respond as necessary."
Peters was among several power executives who gathered in Washington recently to discuss the need to better protect the electric grid against cyberattacks. Their consensus judgment was that such attacks are probably inevitable.
"At some point in time, somebody is coming at me," said Scott Saunders, information security officer for the Municipal Utility District in Sacramento, Calif. "It's going to happen."
The New Grid
The concern that computer hackers could shut down the electric grid stems from technological changes in the power industry. Much of the equipment used in the grid, from the generators to the transformers, is now operated by computers. By disrupting computer network operations, hackers could shut down a key part of the grid.
They would still need access to the computers, but this obstacle could be overcome because many of those computers are now connected to the Internet.
"Now we can remotely manage devices via the Internet," notes Mark Weatherford, until recently a top cyberspecialist at the Department of Homeland Security. "So instead of putting someone in a truck and having them drive a hundred miles to a substation in the middle of the mountains somewhere, you remotely manage that."
Weatherford, now consulting on cyber issues at the Chertoff Group, says power companies saw that managing grid operations via the Internet brought efficiencies and cut costs, so they jumped at the chance. Perhaps a bit recklessly.
"To no one's fault at the time — we didn't realize it — [we] didn't think about the security and the insecurity [of Internet connections]," Weatherford said. When a computer is connected to the Internet, a skilled hacker can often find a way to break into it.
This is the new disaster scenario for power companies. Security experts in the industry are aware of the challenge and moving quickly to meet it, but the threats to their networks may be evolving even faster.
"Computers are tricky," says Michael Assante, chief executive of the National Board of Information Security Examiners and one of the country's top experts on the cyberthreat to the grid. "They just continue to become more complex, and the importance to how we operate the system continues to increase."
The 2003 blackout was not caused by a cyberattack, but even then computers were part of the system, and Assante says one reason the blackout spread far and wide was that many operators didn't understand their own computer connections.
"How do we teach power engineers and operators what they need to know about cyber and in particular about cybersecurity?" Assante asks. "These are tough questions. If you go to engineering school, you're not taught about cybersecurity as part of becoming a power engineer."
Hurdles To A Solution
The concern now is that a really sophisticated cyberattack could cause a blackout bigger than anything yet seen in North America. Congress has considered various bills that would require power companies to beef up their protection against cyberattack and impose mandatory security standards.
A survey of electric utilities earlier this year, directed by Reps. Edward Markey (now a U.S. senator) and Henry Waxman, found that most of the companies had failed to implement voluntary cybersecurity standards recommended by the North American Electric Reliability Corp., an industry organization.
Attempts to legislate mandatory cybersecurity standards have been rebuffed, however, in part because the power industry opposed them.
"Our companies are in the business of selling electricity. They are fully motivated to do what they need to do to protect their systems against cyberattack and other problems," says James Fama, vice president for energy delivery at the Edison Electric Institute, which represents power companies. "We don't need to be penalized in order to be motivated to provide continuity of service. That's the business we're in."
But computer hackers are becoming more sophisticated, and they increasingly see the power grid as a target. Redesigning the grid to make it less vulnerable to cyberattacks will be expensive. Some companies might calculate that the necessary investments to guarantee grid security might not be justified, given their assumptions that a major attack is still unlikely.
"It's really hard to make the business case for this," said former CIA Director Michael Hayden, speaking at the recent Washington conference on grid security, organized by the Bipartisan Policy Center.
Curt Hebert, the former chairman of the Federal Energy Regulatory Commission, asked power executives at the conference whether their industry was prepared to make the big investments necessary to secure the grid against a big cyberattack.
"When it comes to cost cutting," Hebert suggested, "this may be one of the areas, quite frankly, that gets the knife."
Consumers, after all, would eventually be stuck with the bill, paying for those investments through higher rates and being told it was necessary to secure the power grid against a threat they had not actually experienced. Yet.
DAVID GREENE, HOST:
And 10 years ago this week, the lights went out across much of the Northeastern United States and also parts of Canada. It was the biggest blackout in American history, all triggered by a sagging power line in Ohio. We've been looking back at that outage and exploring whether it could happen again. Experts say the electric grid is more reliable now, but also more vulnerable. Falling trees is just one problem. Now engineers worry that a cyber-attack could bring an even bigger blackout, one that's harder to prepare for, as NPR's Tom Gjelten explains.
TOM GJELTEN, BYLINE: The last thing that took down a big part of the power grid was Superstorm Sandy. Power companies brace for challenges like that. They put crews on standby and line up outside companies to come in and help. But when power executives gathered in Washington last week to discuss the reliability of the electric grid, something else dominated the discussion: the danger of a big computer attack. Chris Peters is a vice president at Entergy.
CHRIS PETERS: We have to treat the cyber threat with the same respect that we give to forces of nature - hurricanes, floods, ice, storms.
GJELTEN: The cyber threat. This is a new concern in the power industry, this idea that the electric grid could be shut down by hackers. Here's what's changed, two things. First, more of the equipment that makes up the electric grid - from the generators to the transformers - is now operated by computers. Mess with the computer, and you can turn the lights off.
Of course a hacker would still need to get access to that computer. But there's the other change: many of the computers running those power operations are connected to the Internet.
MARK WEATHERFORD: Now we can remotely manage devices via the Internet. So instead of putting somebody in a truck and having them drive a hundred miles to a substation in the middle of the mountains somewhere, you remotely manage that.
GJELTEN: Mark Weatherford was, until recently, the cyber expert at the Department of Homeland Security. Now he's consulting at the Chertoff Group. He says power companies saw that connecting their operations to the Internet brought efficiencies, so they jumped at the chance.
WEATHERFORD: And then, really to no one's fault at the time - we didn't realize it - but didn't think a lot about the security and the insecurity of doing that.
GJELTEN: When a computer is connected to the Internet, a good hacker can generally a find a way in. This is the new disaster scenario for power companies. Michael Assante, one of the country's top experts on the cyber threat to the grid, says companies are trying to keep up, but the threat to their computer networks may be evolving too fast for them to deal with it.
MICHAEL ASSANTE: Computers are tricky because they just continue to become more complex, and their importance to how we operate the system continue to increase.
GJELTEN: The two thousand three blackout was not caused by a cyber attack but computers were already part of the system back then. And Assante says one reason the blackout spread was that many operators didn't understand their own computer connections.
ASSANTE: How do we teach power engineers and operators what they need to know about cyber and, in particular, about cyber security? And these are tough questions. If you go to engineering school, you're not taught about cyber security as part of becoming a power engineer.
GJELTEN: The concern now is that a really sophisticated cyber attack could cause a blackout bigger than anything we've ever seen. The U.S. Congress has considered various bills that would require power companies to beef up their protection against cyber attacks. So far, they've all been rejected, in part because the power industry opposed them.
Jim Fama is vice president for Energy Delivery at the Edison Electric Institute, which represents power companies.
JIM FAMA: Our companies are in the business of selling electricity. They are fully motivated to do what they need to do to protect their systems against cyber attack and other problems, et cetera. So we don't need to be penalized in order to be motivated to provide continuity of service. That's the business we're in.
GJELTEN: But computer hackers are becoming more sophisticated, and they see the power grid as a target. Redesigning the grid to make it less vulnerable to cyber attacks will be expensive. Some companies might be tempted to take the risk of an attack, figuring that it's still an unlikely event. That point came up at last week's conference on the electric grid, sponsored by the Bipartisan Policy Center.
Curt Hebert, the former chairman of the Federal Energy Regulatory Commission, raised this question: Will power companies on their own make the big investments to secure their systems against a big cyber attack?
CURT HEBERT: When it comes to cost cutting, this may be some of the areas, quite frankly, that get the knife.
GJELTEN: Consumers, after all, would eventually be stuck with the bill paying, through higher rates, to secure the power grid against a threat that we haven't actually experienced yet.
Tom Gjelten, NPR News, Washington. Transcript provided by NPR, Copyright NPR.