Cyber attacks have continued to grow into one of the largest threats that we face, both as a society and globally. Attackers have become much more clever and adept at penetrating heavy defenses and wreaking havoc with their malicious threats. Coupled with the amount of cyber technology that we have now implemented into various realms, the threat of cyber attacks has grown even larger. We now use cyber technology within our critical business operations, infrastructure, homes, devices, and much more, which offers up numerous attack vectors for criminals to target with their threats. One area in which we implement cyber technology is within our electrical grids, and it would obviously be catastrophic if these were hit by a significant cyber attack.
Unfortunately, the standard of cyber security that is maintained within our electrical grids is nowhere near what it should be. The electrical grid is commonly automated through the use of industrial control systems, which could be heavily targeted by cyber attacks. Grids and utilities have increasingly implemented various cyber technologies to better meet the demand and use of electricity, but as mentioned above, this offers up more vectors of attack for hackers. There are a couple of different hands at play in the process of electricity being generated and eventually making its way to consumers. One of these hands is the public utilities, which are the entities in charge of the final stage of distributing power to customers. The powers that be over these utilities are public utilities commissions (PUCs), and unfortunately, many of them have not implemented any requirements or policies in regard to cyber security improvements. This simply leaves the customer electricity part of the chain at great risk.
The Need for Mandatory Cyber Security Standards
At this moment, the only area that has actual mandatory cyber security standards is the bulk power part of the grid; there are no standards in place for distribution. The mandatory standards for the bulk grid are of course vital, but the rest of the chain of power distribution cannot be neglected. A well-placed cyber attack could still disrupt power for customers all over the nation, as the distribution portion includes providing power to vital installations like telecommunications, medical facilities, and pipelines. Realistically, the distribution portion encompasses the power connected to virtually every type of organization, meaning it is quite asinine to have no type of mandatory cyber security standards in place to protect this gigantic operation. When looking at a potential chain of events, if cyber attackers were to target this area, it could allow them to bring down security within organizations, and then in turn directly target those organizations. Plus, there is the matter of needing to protect distribution to safeguard bulk power as well.
There are far too many threats out there to lack security in this area. Not only do we have solo hackers and groups targeting organizations and installations for various reasons, but we also have malicious nation states looking to disrupt countrywide operations and gain intelligence. If an enemy nation were able to compromise our power grids, it would be disastrous to our operations, as well as limit our ability to retaliate against an attack. A successful cyber attack on the distribution portion of the grid would also create havoc and consequences for our economy.
A large part of the issue is that PUCs are hesitant to increase security for a few reasons. There is the matter of expenses, which is basically negated as a concern because it is an investment in the security of our infrastructure. Plus, the Department of Energy and Department of Homeland Security do award grants that fund efforts in cyber security, though they are limited. Then, there is the matter of having to evaluate potential weaknesses in utilities. This is of concern for PUCs because if sensitive data were to be leaked, they could be held responsible. A good method of addressing the matter as a whole would be offering incentives for increasing cyber security. The change will take quite a bit of effort and time simply because utilities are not centralized, meaning it will take some time to locate the potential vulnerabilities within all separate utilities, as well as address said vulnerabilities. But this is a move that needs to happen for our power grids to be safe.