How Secure Is The United States Power Grid?

Posted by


From transportation,
to telecommunications, health care and banking. The digitization of our
infrastructure has made our daily lives more
convenient, but it’s also opened us up to
the threat of cyberattacks. Yahoo’s hack of over
500 million accounts will make it the biggest
data breach ever. Equifax, which, as you know,
is a very large supplier of credit information,
has announced a cybersecurity incident that
they say potentially impacts about 143
million U.S. consumers. Marriott announcing that
up to 500 million guests with
reservations at Starwood Properties could have had
their data compromised. But it’s not just
companies under attack. Increasingly, power plants
and other critical infrastructures are also
becoming a target. Critical infrastructure is
really anything that makes up the
backbone of society. Everything from transportation
and airlines to banks. Cyberwarfare is the
new weapon of choice. You can run a cyberattack
remotely, shut down the critical infrastructure of
other countries, create massive destruction
of refineries and chemical plants without ever
shooting a gun. Electricity is so prevalent in
our lives that we often don’t even think about
it until it fails to work. All electricity starts
at a generator, which can be powered by
wind, water, coal or even nuclear fission. After it
is generated, the electricity travels from the
power plant to transmission substations, which convert
it to a very high voltage so that
it can travel long distances. From there,
the electricity travels along power lines to
another transformer, which again converts the power, this
time to a lower voltage, before it goes
into our homes and businesses. Often people think
of the power grid as “the grid.” It’s really not. It’s a quilt
made up of 3,000 or so power companies that
are owned by investor-owned utilities. But most of them
are rural electric associations, or maybe a few
owned by the government. But generally it’s
a mixture. This ownership disparity
also means that utilities are
regulated differently. The focus of the regulation
is to prevent the bulk electric system from
suffering a widespread outage. So it may
not affect the smaller companies that are serving
smaller cities or rural areas. On one
hand, smaller power companies in the United States may not
be as juicy of a target because they have
a small amount of customers, say 25,000. But on the other hand,
they may be more susceptible to cyberattacks
because they don’t have a big as security team
or a big as security budget to focus on
protecting their critical systems. That’s where
Sistrunk comes in. As a consultant for
cybersecurity firm, FireEye, part of Sistrunk’s job
involves teaching a digital forensics class for
people who want to learn how to defend
the control systems running our power plants. And to
learn how to defend against an attack, you first
have to learn to hack. This is a
small PLC, programmable logic controller. This particular device
is made by Phoenix Contact and it’s basically
easy to for an attacker to get into. There’s a lot of
vulnerabilities in it. Sistrunk demonstrated how a
hacker may alter the functions of “stop” and “go”
buttons that in a power facility may control
something like a motor or a pump. This is a
web page of this PLC and it’s been hacked. You can
see whenever I try to click on the red stop
button, the green start button comes on. So an attacker can go
download the software and change things if
they wanted to. And that’s what we
do in the class. In a conventional warfare
attack, the first thing that is hit is
the infrastructure, the refineries, the electrical
systems, the chemical plants, those things that
fuel the war machine. You can simply do the
same thing remotely with cyberweapons. It seems
like attackers have crossed the Rubicon or
they’ve crossed the red line in the sand. You know, that they
are going after control systems, whereas once
no one cared. Today, there are more than
9,700 power plants in the US. Many of them
were built decades ago when operating a plant required a
lot of manual labor and cybersecurity was
not a consideration. But that’s changing. Starting in
the mid ’80s and early 2000s, the
industry started connecting these control systems
through the enterprise networks to the internet,
for the benefit of remote access, information
sharing, etc.. Fantastic for productivity
improvement and business enhancements, but that
exposed us to cybersecurity threats. The heart of a power plant
is what is known as a SCADA system. SCADA
stands for supervisory control and
data acquisition. These systems are made up
of a combination of software and hardware that
allow operators to monitor and control plant
processes in one central location. Besides
power generation plants, SCADA systems are
ubiquitous in the manufacturing, telecommunications
and transportation sectors,
among others. Today, a typical SCADA system
is made up of thousands of components and
runs on several different kinds of
operating systems. Because of this wide
spread of operating systems, it creates a very
complex surface that security experts have to understand
before they can defend against the many different
types of exploits used against those specific
operating systems. Since 2010, the number
of attacks have increased exponentially. The reason for it
is that it’s a lucrative business for ransom
attackers as well as for nation states. A 2015 risk report put
out by the University of Cambridge and Lloyd’s, a
large insurance company, posed a hypothetical scenario
in which a cyberattack plunged
15 U.S. states into darkness, leaving
93 million people without power. The report
estimated that the loss to the U.S. economy
would range between $243 billion to $1 trillion. There is a belief that
every system could be compromised, especially these
control systems, since they were not
originally designed for cybersecurity, unlike computers that
we use at home and at work that
are regularly patched and protected from
cyberattacks. As reported in this “60
Minutes” episode on CNBC from December 2014, the
first cyberweapon to cause physical damage was used
in Iran in 2010. We begin with the story
of Stuxnet, a computer virus considered to be
the world’s first destructive cyberweapon. It was launched several
years ago against an Iranian nuclear facility,
almost certainly with some U.S. involvement. Stuxnet infected SCADA systems
that were running Windows and Siemens software
within the nuclear facility. It was used
to spin centrifuges too fast until they
basically destroyed themselves. This was the first time a
virus of this type was used to physically destroy
something within a power facility. In December
2015, hackers cut power to around 225,000
people in Ukraine. The incident became the
first successful hack on utilities. It was believed
to have been done through a tactic
called spearphishing, where hackers sent emails with
malicious attachments to I.T. staff and system
administrators that helped to steal the
recipients’ credentials. Almost exactly a year
later, hackers again shut off power to a large
part of the Ukrainian capital. Some have blamed
the attacks on Russia. While the attacks were short
lived, it showed the world that Russia had the
will and the ability to conduct cyberwarfare in
this way. Another attack shook the
cybersecurity world in 2017, this time in
the Middle East. In the past year, researchers
have spotted a new family of industrial
control malware. It’s called Triton. Triton
was a really alarming piece of malware. It
affected facilities in the Middle East. And what was
most alarming about it was that it disabled
what essentially was the kill switch for
a catastrophic disaster. The metaphor I use here
is relying on the police to come help you out
when your house is broken into. But the police is
asleep in his police car. That is a metaphor of
that safety system being bypassed. Though there’s not
been a cyberattack in the U.S. that has shut
off power to the grid, hackers have still gone
after utility companies. In 2016, an electric
power and water utility company paid $25,000 in
bitcoin ransom after hackers locked the utility
out of its computer systems. In 2018, the
Department of Homeland Security and the FBI
issued a joint alert, warning that Russian
cyberactors had been targeting U.S. government
entities and critical infrastructure sectors
since 2016. And in 2017, the Department
of Energy disclosed a hack at an electric utility
in the western U.S. Though the hack did not
cause outages, it did show that our power
grid was vulnerable. Most countries that the
United States has an adversarial relationship with
don’t actually want to go to war
with the United States. It makes more sense
for them to conduct reconnaissance missions against
our electrical grid. For that reason,
it’s more realistic that the types of attacks we see
are in the name of gathering information or opening
back doors, then some sort of catastrophic
attack or an attack similar to the one that
we saw in Ukraine. Protecting our energy grid
is essential to our national security. But there
are a few reasons why it is
difficult to do. For one, it’s hard to
even gauge how many cyber attacks there are. The reason
we don’t have good numbers around how many
cyber attacks there are against utilities is that
most of these companies simply don’t report them. There’s not much of an
incentive for utilities or the companies that provide
them with equipment to tell the public about
every cyberattack they’ve had. They would risk
panicking the public and they might also even
open themselves up to further attacks if attackers
know what’s working against them.
That’s changing. In early 2019, the
Federal Energy Regulatory Commission updated cybersecurity
standards for electric grids. The new standards require
electric companies to report any incidents that
either compromise or attempt to compromise
electronic security perimeters, electronic access
control or monitoring systems and
physical security perimeters associated with
cyber systems. The new reliability
standard also encompasses disruptions or attempts to
disrupt the operation of a bulk electric
system or cyber system. Like with Stuxnet, hackers
may try to subvert security measures by
targeting suppliers as opposed to going after
the big utility companies. Companies are becoming
very careful about checking the software that
comes from their suppliers. In fact, they
have a test environment whereby the updates for the
software is tested to make sure that the
software they’re getting from their automation vendor is
not infested with malware. Another best practice
is what is known as PEN or
penetration testing. PEN testing is a
process through which you intentionally attack your
own system, whether with your own people or
bring people from the outside to see how
well your defenses are. But finding someone to perform
this test is often difficult. There is a
shortage of over 1.5 to 2 million cybersecurity
experts in our industry, and that is
something that’s going to harm us if we don’t
address it more proactively. Despite these obstacles,
experts stress that there are steps we can
take to mitigate the risk of cyberthreats. Knowing what
you have is the very first thing you must
do, and that’s become more and more accepted as
the first thing you do, which is gain a
complete inventory of your control systems. The second thing that you
do is understand your vulnerabilities and
address them. Those are the holes
in your system. And the best way to do
that is do some PEN testing or
vulnerability assessment. And the third thing
that we advocate is understanding the configuration
of these systems, the brains, the genealogy of
the data in your environment and
controlling that. So when they are
changed, you know. And the last thing
that we advocate, very strongly, is assume
you’ve been attacked. What are you doing
for recovery purposes? Do you have the
latest version of that configuration of your system
to bring the system back up in the
unfortunate occurrence of losing the system? Adopting new
technology is part of competitive advantage. You have to
continue to automate. You have to continue to
take on new technologies to make your
business competitive. Otherwise you get
left behind. While the threat of
cyberattacks against the grid is a real threat, and
we have to be proactive about it, and we have
to prepare for it, it’s also important not to
panic and to not sensationalize. We
experience reconnaissance missions and attacks
against electrical companies every day. The majority
of them are not successful.

100 comments

  1. Good old Bailey air control didn’t worry about a cyber attack! I miss the plants I used to run from the late 40’s to early 50’s.

  2. Isn't the sole reason people actually hack is that they are totally anonymous ?
    So why are you guy's throwing all the blame at Russia ? Not only Russia would be interested in damaging the US.

  3. I think it'd be nice if they would shut off Facebook Instagram Twitter Snapchat and every other social media for a week…… that way we could see how chaos is going to look like when they actually shut down the hole power grid ?????

  4. I cant wait till I'm finally able to move into my solar powered cave in the woods and grow my own food. Sayin goodbye to the new wave of crazy coming our way.

  5. ugh. many empty words… Make a corporate VPN only connection for isolation from outside world 99.9999% of attacks solved

  6. Whenever a supposedly "reputable" news outlet steals a name that belongs to every country in both North and South America for their own, I dislike the video. How does editorial allow you to use the name "America" to refer to a singular country when your own CIA's World Factbook disagrees? If, say, South Africa were the US of Africa, would it not insult every other African to solely attribute the name "Africa" to their country? smh

  7. Utilities (in the US) are largely disconnected from the world and have their own networks in house exactly to prevent any type of cyber attack.

  8. In California you have a utitlity company called PG&E that causef over 95% of thebfires last year. They are litteraly killing people.

  9. Why the USA scared all of a sudden about power grid being hacked??????I don't know but ask Venezuela about power grid being hacked??????

  10. Like 5 years ago all CEOs of major American power companies were called before Congress and advised they had one year to create a comprehensive plan to protect their grids. They appeared a year later and basically said "sorry just haven't gotten around to it". Congress: "ok we're good" ?

  11. Can't happen soon enough. The sooner the big cities burn, the sooner we can get started on a conservative recovery. Let the libs die by the millions in their multi-cult utopia's.

  12. What would be curel is to steal the new software that should be delivered to the power plant and instal a hiden folder unto it, that will not activate while testing, but on a spezific time or in otherwise. That way you could infest multiple computers and shut them down without any backup software (if you infested them to).

  13. why not EMP china when we invade
    We should focus on electric hardening to help with EMPs in the US
    The military could give out to power companies with clearances and there would be laws passed to help with inspeactions

  14. It's not hacking the U.S. needs to worry about, it's have power lines on top of 20 foot poles in a future of climate change. It is this reason that the U.S.has the most properties with power cuts of all western nations, because you just need some wind or ice and the wires stop carrying electricity! Most of the rest of the world have power cables underground. Even in out of the way areas, but of course, America doesn't want to spend the money…!

  15. This happen recently in Indonesia. Power grid get cut out not by terrorist by the way and West Java (biggest population up to 48 million people) goes black out for one full day.
    It's not that bad really (except for industry and business) people get out of their house and talk to each other because there's no electricity and some internet went down because of that.
    Technology really change how people interact.

  16. Forget about cyber threats. Is it RELIABLE ??? Blackouts and Brownouts are going to be the fate of energy infrastructure in the USA.

  17. Of course America power grid isn't secure, and they don't want it to be secure. They probably going to use the power grid going down as a false flag to implement martial law. And of course martial law is easier if most Americans are unarmed.
    The young is easier to fool, and with all these school shooting no wonder kids are leaving class in protest. I heard a person once say " It's easier to fool someone than it is to convince them that they have already been fooled". It's not just the young, old folks are beening fool too, by the powers that be. The young are also the focal point of everything. It's what they do that shapes the world.

  18. Disliked because you did a Cyber Warfare based vid and didn't mention China once, but continued to make Russia the biggest bogeyman, most likely for political anti-Trump reasons.

  19. No this President and his administration have done nothing to fix this issue and have made this country even weaker than it was during the Bush Administration.

  20. O wow, fear-mongering warfare at times of trade war (initiated by USA) and the US Federal Bank as been trying to maintain market control of the USD with the US media spread the words of market confidence.

  21. People call me a crazy person when they learn how my off grid homestead is set up. We'll see who survives when shtf ?

  22. I work on the protection and control systems on bulk power transmission (69-500kV), CIP regulations from the government have made the communications with the devices extremely fortified under tons of layers and complex passwords, and the station control rooms are electronically monitored, even the door position itself into the place is monitored, and violating guidelines leads to heavy penalties

  23. This threat & inevitable eventual major successful attack will usher in blockchain totality (the new internet). If value is high enough, the security of 'blockchain' will be so redundant it will be impossible to breach.

  24. The Atlantic post something about the fall of the US. NBC is talking about our weaknesses. I see someone just going like." WOW neat. I should try that "

  25. Psh. Hackers? We in the Midwest/Northeast know how bad our grid is. A tree combined with a software bug at First Energy took out electricity from Ohio to NYC, even to Canada for at least two days back in 2003.

  26. The likelihood of blackouts is more then 10 higher then in europe we don't have to worrie about this because we are windmill power plants and solar power to strengh the grid but trump stops to strengthen america.

  27. How to become a hacker and avoid being caught: Conduct your operations in spacious, well lit rooms.
    Nobody will suspect a thing

  28. It’s so funny that we’re being informed of attacks that could possibly happen to us, but if anyone watched the whole video it’s ironic to learn the US was the first to launch a cyber attack, which was against the Iranian government. Funny how breaking international law has consequence, who knew??????

  29. All these people think transportation or banks or water treatment plants are what a malicious hacker will go for to overturn society. Wrong, take down the electrical grid and you take down everything. It's not even the same type of criminal. People who go after money are seeking to gain from their crime. People who go after the grid are seeking to destroy for destruction's sake and could care less about money.

  30. Just f-ing airgap the control systems! There is no need for control of systems from remote locations if you have skilled staff on site.

  31. The next Bitcoin is here. Get in early! Launch is December 3rd!

    https://hex.win/?r=0x8F9bE2C6C2a44833bEFA2f1e7f142E4631c5dDB7

    Game Theory is what makes cryptocurrencies valuable. The best coins should not only have good game theory. They should maximize it too. It's programmable money. No excuses for the best of them to not have the best of game theory. Of all the crypto coins that have sustained value into the future, There will probably be more than one, but not that many.

    There's a new coin launching in 2 weeks! The coin is Hex and launching on December 3rd. Regardless of the speculations of valued, valuable, or the value-less, people are speculating and money and value is finding it's place in the crypto world. The coins with the best ideas that can't be stopped because of the trustlessness of the blockchain is where the glory is going to be long into the future. And with Hex's game theory, it will be the fastest appreciating cryptocurrency of all time.

    If you missed out on the rise of Bitcoin, you have another chance! Don't miss out twice!

    Check it out at 

    https://hex.win/?r=0x8F9bE2C6C2a44833bEFA2f1e7f142E4631c5dDB7

  32. Y’all be complaining In the us if our power grid is save when in Lebanon they can’t even get electricity for a full day

  33. If California decides to unilaterally abrogate the Constitution, all it takes is a massive earthquake to cut off all the cities from power and water. The coasties will starve and riot in the post-national utopia they created.

  34. Funny how CNBC underplays US cyber attacks on other countries including the worst one in history (Stuxnet) while going all out against Russia based on theories. Please try to be subtle with your propaganda.

  35. Powerlineman here.if they would keep it simple,and leave out the computers and remote controlled switching it would be fine.they do this to have something to do.it works great the simple way and is much safer for me.for example,if you need to close a airbrake switch,you send a lineman there,he checks things out and makes sure nobody is working on the line..if you do this remote control ,it's anyone's guess.kiss

Leave a Reply

Your email address will not be published. Required fields are marked *