Chris Sistrunk, a grid security expert with cybersecurity company FireEye.
More than 6,500 government officials and big players in the energy sector came together this week to conduct a simulated cyberattack on the electrical grid.
The event is called GridEx, and takes place every two years. It imagines the U.S. under attack from a foreign country, through the power grid.
It’s a scenario that planners say is unlikely, a black swan event, but one that could have devastating impacts if it came to fruition. Those ripple effects could go far beyond leaving homes without heat or citizens without smartphones, bringing down big portions of the telecommunications, media and finance sectors. This is why, organizers said, they aimed to gather as many stakeholders as they could to run through how they would respond.
Based in reality
GridEx organizers based the potential attack scenario on real events and intelligence, said Karen Evans, a cybersecurity specialist at the Department of Energy, on Thursday. Countries like Russia, China and Iran have either attacked foreign grids or conducted reconnaissance on the U.S. grid, according to U.S. intelligence agencies.
Intelligence experts have said Russia was responsible for sporadic outages in Ukraine in 2015 and 2017, particularly around the Christmas holiday season. China and Iran have proven they can gain a foothold on various parts of the U.S. grid. Last year, a saboteur of unknown origin was found to have been tampering with the safety systems of large industrial facilities in the Middle East.
The power landscape in the United States operates more like a “quilt” than a grid, said Chris Sistrunk, an electrical engineer who serves on FireEye’s Mandiant industrial controls system consulting team.
That quilt is joined together by a handful of regional hubs. Although it’s dominated by some very large companies, it’s also populated by thousands of regional power co-ops, which often receive far less oversight than the bigger, more critical players.
In all, there are more than 8,000 power plants with various owners and operators in the U.S., according to the Department of Energy. Those include traditional electric utilities, but also hydroelectric plants, oil, renewable source plants, natural gas, coal and nuclear facilities.
The U.S. grid also interconnects with Canada’s grid, Sistrunk said, creating an even more complex oversight task across borders.
Plants have operational equipment that is often run on a series of industrial control systems known as Supervisory Control and Data Acquisition systems, or SCADA. These systems are essentially computers that run substations or power controls, and run a huge variety of operating system software. Some power plants use systems that are decades old. Many of them must be retrofitted to connect to the latest internet-enabled devices.
This fragmentation and complexity is why power grid cybersecurity is often focused on minimizing the damage and spread from any single attack to the wider grid.
The GridEx event focused on resiliency. In the imagined scenario, the attack on the Northeast corridor of the U.S. rippled beyond the energy sector to the biggest telecommunications companies and the financial sector, according to Tom Fanning, CEO of Southern Company, a gas and electric utility holding company.
Fanning said he has worked with CEOs including Jamie Dimon of JPMorgan Chase, Brian Moynihan of Bank of America and Randall Stephenson of AT&T on understanding the “interconnectedness” of these sectors in the event of a cyberattack on the energy industry.
This type of information sharing is what has traditionally proven hardest for the industry, said Eddie Habibi, founder and CEO at PAS Global, a Houston-based industrial control systems security company.
“That’s not something you advertise — that you’ve been compromised — unless it’s noticed by your customers or unless it is required by the government to be reported. One of the things that we have in the industrial sector that has worked really well is self-reporting on safety incidents. We don’t have that yet for cybersecurity, and for good reasons. People don’t want to advertise that they have been compromised. So it is really difficult to know how often people are compromised,” he said.