Modern electric grid fighting cyber vulnerabilities

Recent incident involving hackers that gained access to U.S., European electric systems highlights cyber risks

July 22--The recent push to modernize the electric grid has increased communication between utilities and consumers, enhanced reliability and created more opportunities for green energy producers.

But it also has raised the risk of cyber attacks.

New technology, while largely beneficial for utility companies and their consumers, has created millions of new access points that make the grid vulnerable. Utility companies are spending millions annually in cyber security costs, and the trend will continue with investments in smart meters and other technology meant to bring the electric grid up to date.

Despite the enhanced risk, the effort to modernize the electric grid is largely a good thing, said Annabelle Lee, senior technical executive at the nonprofit Electric Power Research Institute, in Palo Alto, Calif.

New technology has opened the grid to a two-way flow of communication, as smart meters have promoted better communication among utility companies as well as between utilities and consumers. Such real-time information about usage will help to make the grid more efficient, she said.

Technology has allowed utilities to build more reliable power systems while lowering delivery costs, said Michael Assante, a board member for the Council on CyberSecurity in Washington, D.C. He is also the lead for training on industrial control systems and supervisory control and data acquisition security for the SANS Institute, a Bethesda, Md., computer security research and training center.

But, Mr. Assante said, "Technology is always a double-edged sword," and the growth in reliance on technology comes with growing risk.

Large-scale blackouts and brownouts, communication failures and data theft are potential damages of any cyber event.

The issue drew a lot of attention late last month when U.S. security company Symantec reported that a group of hackers, known as "Energetic Bear" and "Dragonfly," had gained access to electric systems in the U.S. and Europe. Those hackers had Russian ties, according to Bloomberg.

The modern grid also includes more access points that allow renewable energy generators to provide energy. These are big changes from the past, when the grid was open to only a few participants. Now, it is open to thousands.

Previously, the technology used to control the grid was proprietary, often created specifically for electric utilities. But the technological overhaul that electric utilities are currently undertaking -- often required by state governments -- requires them to rely on commercially available hardware and software.

With more access and more common hardware and software, there are more opportunities for hackers to access the system, Ms. Lee said.

Unlike most cyber security incidents, which are motivated by monetary interests, the manipulation of the power sector often has geopolitical motivations, Mr. Assante said. The electric grid is an infrastructure asset, and its compromise could give an organization power, for lack of a better word.

Since the electric grid is a national security interest, Mr. Assante said the federal government and utility companies share responsibilities to protect it.

In February, President Barack Obama signed an executive order to assess the grid's risk. In 2010, the National Institute of Standards and Technology released guidelines for smart grid cyber security, outlining precautions companies should take as they embrace a more modern system.

Last November, the Federal Energy Regulatory Commission approved a new series of critical infrastructure protection reliability standards, addressing the stability of electricity transmission. The new standards will take effect starting in 2016.

They require bulk electric system operators, which handle more than 100 kilovolts of electricity, to classify all assets as high, medium or low risk and to create security plans for each. The current standards require those operators to only identify critical assets.
