In December 2015, the lights went out in Ukraine and about 225,000 residents lost power for several hours.
Ukrainian government officials claimed the outages were caused by a cyberattack perpetrated by Russian security services, according to a report on the outage released by the Atlanta-based North American Electric Reliability Corporation.
Amid news coverage of cyberattacks on high-profile U.S. targets — such as the federal Office of Personnel Management — the question is this: Could a cyberattack like the one in Ukraine succeed in disabling the U.S. power grid?
So far, the answer has been no.
“There has not been a successful cyberattack that has impacted the ability to deliver electricity in the United States,” said Scott Aaronson, executive director for security and business continuity at Edison Electric Institute in Washington. EEI is an association whose members include all U.S. investor-owned electric companies. Collectively, they provide electricity for 220 million Americans.
When it comes to fending off cyberattacks, the complex nature of the U.S. electric grid works in its favor, Aaronson said. The grid is actually a complex network of lots of different kinds of technology, “so even if you have similar equipment, the way it’s deployed is actually very tailored to a particular application. There isn’t a single piece of malware that you could put into the grid and take it down.”
In addition, while state actors such as Russia and China have the ability to do harm to critical U.S. infrastructure, the U.S. has the same capabilities, leading to a scenario of “mutually assured destruction,” Aaronson said.
Of course, individual utilities still face attacks and need to prepare to meet them. In Maryland, BGE, for example, conducts regular drills and shares information related to any cyber threats it encounters with both industry and government partners, spokesperson Justin Mulcahy wrote in an emailed statement.
“At BGE, safety is a top priority, which includes monitoring situations that could potentially compromise the safety of our infrastructure, or impact our customers or employees. … We recognize that cyber threats are real, and we take those threats seriously,” he said.
Another major utility, Charlotte, N.C.-based Duke Energy, has a corporate incident response team and security professionals devoted solely to cybersecurity 24 hours a day, said Hafid Elabdellaoui, managing director of cybersecurity at Duke.
“We also work closely with emergency management and law enforcement agencies on the local, state and national levels following cybersecurity incidents,” Elabdellaoui said.
Both utilities declined to provide details on specific cybersecurity incidents they have encountered.
One of the most important arrows in the industry’s quiver: The Electricity Subsector Coordinating Council, which is made up of 30 CEOs and trade association heads from across the electric sector, according to Aaronson, who also serves as a member of the ESCC’s secretariat. The ESCC is the industry’s primary coordinating body with senior government officials.
Its effectiveness in coordinating prevention and response to cyber threats hinges on its CEO membership, Aaronson said.
“CEOs create accountability, they provide resources and they are a draw to other senior executives. … We’re really making sure the right people are getting the right information at the right time. The CEOs need to know about the kinds of threats that are out there so they can make strategic investment decisions about their networks,” he said.
So, what lessons has the industry drawn from the successful cyberattack on the electric grid in Ukraine?
“The perpetrators had been in the system for more than 250 days,” Aaronson said. “One of the companies (being attacked) saw some anomalous behavior and began to take protective actions. They didn’t share that intelligence with their counterparts — that wouldn’t happen in the United States.”
That said, he isn’t dismissing the risk of cyberattacks.
“What we have to do is constantly improve and stay ahead of the capabilities of our adversaries,” Aaronson said. “We need to work together. I do think the more the sector does to protect its systems, (the less) attractive a target it is for adversaries of any stripe.”