Utility, security experts warn of mounting threat to grid


ALBANY—The methods that have been used to attack U.S. power grids have been as rudimentary as firing rifles at substations, and as sophisticated as a computer virus designed to shutter power plants across entire regions.

Those physical and cyber vulnerabilities are the Achilles heel of the nation’s security apparatus, energy security experts said Wednesday during the Independent Power Producers of New York’s spring conference.

“I would say it’s the most complex risk landscape since I began at the Department of Homeland Security,” said William Flynn, the department’s former principal deputy assistant secretary for infrastructure protection. “Not only from acts of terrorism overseas but acts of terrorism domestically.”

The panel of legal, utility and security experts was convened to advise the state’s power generation companies of potential threats and precautions they can take to guard against attacks. The panelists painted a grim picture.

They cited an April 2013 attack on the Metcalf substation near San Jose, California, to illustrate the grid’s vulnerabilities. Multiple snipers trained their weapons on the substation, targeting transformers and causing $15 million in damage.

Power was rerouted from Silicon Valley to avoid widespread outages, but to this day no one seems certain who conducted the attack or why. What is known, they said, is that it was coordinated and professional.

“There were firing positions set up. There were avenues of approach. There were avenues of escape,” said panelist Matthew Dimmick, director of critical infrastructure at a firm called MSA Security.

The attackers knew the local police response times and had cut communication wires prior to the attack.

“They stopped firing about three minutes before the police arrived,” Dimmick said. “Upstate New York is going to have some of those areas.”

More pressing than physical attacks on key energy assets, though, are cyber attacks, the panelists said.

“This is going to be a huge threat,” said Aimee Ghosh, an attorney with the Washington law firm Pillsbury Winthrop Shaw Pittman.

Earlier Wednesday, State Senator Joseph Griffo, chair of the chamber’s energy committee, said cyber security should be at the forefront of the industry’s thinking.

“In this day and age it’s a crucial component of energy generation,” he told hundreds of energy executives gathered at Albany’s Desmond Hotel. “We need to be prepared to deal with any and all inevitabilities.”

Malware and worms can lie dormant in networks for weeks or months before they activate, potentially shutting down power generation plants or handing control of energy facilities to outside actors. One of the most famous examples is the Stuxnet worm that disabled a portion of Iran’s nuclear program and is widely believed to have been engineered by the United States.

But the U.S. and the energy industry are just as vulnerable to cyberattack as anyone else, panelists said.

“Is the technology to beat the malware robust enough? The short answer is no,” Ghosh said.

Edward Goldberg of Eversource Energy advised industry executives to constantly update their virus protection software and make sure the vendors they deal with are doing the same.

“How long would it take the Chinese to realize your firewall is compromised? About 100 milliseconds,” he said.

Dimmick, who specializes in physical security threats to plants, conceded the threat from malicious hackers was much harder to defend against.

“The bullet itself hasn’t changed in hundreds of years,” he said. “Malware changes every 10 seconds.”

Despite the concerns expressed in New York and elsewhere, there have been very few attacks, cyber or otherwise, on U.S. energy assets. But experts warned industry representatives not to grow complacent.

“It’s not if something is going to happen, it’s when something is going to happen,” Ghosh said.