 
Cybersecurity of the US Electrical Grid

On Dec. 23, 2015, Ukraine's electrical grid was attacked by malware known as BlackEnergy, which created significant power outages, leaving hundreds of thousands of people without power. This deliberate cyber attack shut down hundreds of computers owned by the energy companies that control Ukraine's electrical grid infrastructure. Though the origin of this malware is not yet known, many speculate that Russian state-sponsored technologists may be behind this attack and that it was initiated to send a message to the Ukrainian government, which is fighting a pro-Russian eastern province that wants to separate from Ukraine and join the Russian Federation. This event received little notice in the western press, because it took place on December 23rd, during the Christmas holidays, and in Ukraine, a country of no great significance. Nonetheless, this was an important event because it revealed the face of modern economic warfare and cyber terrorism.

Over the years, many entities, including state and non-state sponsored technologists, have become proficient in the art of cyberwar and are capable of unleashing an attack on various critical facilities around the world, threatening to create havoc in the lives of millions of people.

One such critical infrastructure facility is the US electrical grid which is smart, Internet-enabled and one of the most advanced electrical grids in the world. Is it vulnerable to cyber attacks? Is it secure? After the Ukraine attack many in the national security apparatus, including many government agencies, private companies and other stakeholders asked: Can this happen to us? And if so, how can we prevent it?

When a catastrophic event takes place anywhere in the world, initial technical analysis is based on the "scope" of the event. For example, one person or a few people killed in a remote third world country does not garner much attention, but hundreds of people killed in a terrorist attack in the US or Western Europe attracts wall-to-wall news coverage and a call to action.

The cyber attack on the Ukrainian power grid caused loss of power to approximately 225,000 customers, and the power was restored after a few hours. It was apparently designed to send a message to that country, but not to cause permanent damage. In essence, experts concluded that the scope of the event was "small" and hence there was no big reaction. What if there was a similar deliberate cyberattack on the US electrical grid lasting several hours or more?

The United States has more than 300 million electrical customers and over 200,000 miles of electrical transmission lines. It has one of the most advanced electricity-run infrastructures, with government, businesses and private homes all dependent on available electric energy. And an increasing number of new automobiles are dependent on electricity to recharge their batteries. A shutdown of the US electrical grid for any length of time is unimaginable and would have global implications. The scope of this event would be so large that many would say it is unthinkable that anybody could attack the US electrical grid. Such optimists should think about the 9/11 event and contemplate their positive posturing.

The US government is taking the threat of "cyber attack on the electrical grid" seriously and has created a task force to counter the threat. It has commissioned many studies related to this complex issue, and debates and discussions are ongoing. But in the end, some entities (agencies, companies or labs) have to continuously develop anti-cyberattack hardware designs and software codes to counter this threat. But who is ultimately responsible for countering this threat?

There are at least a dozen studies written about this topic by various experts with good insights and deep knowledge. After reading any one of them, one can conclude that the problem is complex and the complexity is enhanced due to the nature of the electrical grid and the involvement of multiple agencies.

The nature of the electric grid and its operators: Protecting the electrical grid is the responsibility of the grid/utility operators and many agencies. There are more than 200 electric grid operators in the United States. Some are private, some are semi-private and some, like the Tennessee Valley Authority (TVA), are government owned. Some operators are involved in power generation, transmission and distribution while others are just buyers and sellers of electricity. For example, in Sonoma County (where I live), PG&E (Pacific Gas & Electricity) is a large utility operator that provides the total package of power generation, transmission and distribution. Sonoma Clean Power (SCP) is a small local operator that buys electricity only from renewable sources and sells it only to customers in Sonoma County. SCP has no role in the development of electricity generation, transmission or distribution, but does have a large customer base. In case of a power outage due to a cyber attack, its customers are likely to contact SCP for the solution, but it will most likely not be able to solve the issue and will refer its customers to PG&E. In short, there are multiple utilities within a single community, and customers will be confused as to who is responsible for addressing the crisis and restoring power.

Impact of multiple agencies: Even though a grid operator is responsible for the protection of that grid, it has to operate within a regulatory framework imposed by the Federal Energy Regulatory Commission (FERC). There is wide variation in this framework due to perceived threats and various biases related to regulation. Many argue that continuously evolving threats of cyber crimes make regulation impossible, because a regulatory system usually looks at past threats and anticipating future threats is very difficult.

The most important agency responsible for the protection of the grid is the Department of Homeland Security (DHS), whose charter is to protect the homeland, and the disruption of the massive electrical grid is a threat to the homeland. But the electrical grid, by nature, is the responsibility of the Department of Energy (DOE), so that agency is also involved in protecting the grid. The DHS and the DOE are working together, developing various strategies, to counter cyber threats.

Though the DHS and the DOE are the lead agencies involved in the cybersecurity of the grid in a general sense, there are many other agencies with specific tasks and responsibilities for the safety and protection of the electrical grid from cyber threats. The DHS runs the United States Computer Emergency Readiness Team (US-CERT) and the National Cybersecurity and Communication Integration Center (NCCIC). The DHS and the DOE are pursuing programs like TAXII (Trusted Automated eXchange of Indicator Information) and CRISP (Cybersecurity Risk Information Sharing Program) that allow for automated, real-time exchange of information about cybersecurity threats. The National Institute of Standards and Technology (NIST) is also involved in the protection of the grid from cyber threats, because it is the agency that has developed cybersecurity standards. NIST is a part of the Department of Commerce (DOC).

In addition to the above-mentioned agencies there are many other agencies involved due to their charter and responsibilities. Some of these agencies are:

  • FSGTF: Federal Smart Grid Task Force whose mission is to ensure awareness, coordination and integration of the diverse activities of the Federal Government related to smart grid technologies, practices, and services
  • FERC: Federal Energy Regulatory Commission, which regulates, monitors and investigates various electricity generating systems
  • NERC: North American Electric Reliability Corporation
  • EPA: Environmental Protection Agency
  • DOD: Department of Defense
  • DOA: Department of Agriculture
  • FCC: Federal Communications Commission
  • Department of State
  • NETL: National Energy Technology Laboratory
  • NTA: National Trade Administration.

Then there are various intelligence agencies, including the FBI and the CIA. And, many private companies, national labs, private labs and universities who have true expertise in designing anti-malware code may be involved as well.

In conclusion, protecting the US electrical grid is a mammoth task requiring complex coordination between many diverse agencies and in the end, beyond the pie-charts and block diagrams, some entities need to develop hardware and software to fend off these cyber threats.

The current state of grid security is not known, because threats are continuously evolving, but Ted Koppel, in his book “Lights Out”, feels the US is not completely prepared. Or maybe it is impossible to prepare completely to protect an open, Internet-enabled smart grid and society?

The importance of preventing cyber attacks on our infrastructure is gaining momentum in our social discourse with a new movie, "Zero Days" (the story of Stuxnet), and two books written by prominent journalists, “Lights Out” by Ted Koppel and “Dark Territory” by Fred Kaplan, a Pulitzer Prize winning journalist, which describe issues related to cyber attacks. The conclusions of these narratives suggest that the US electrical grid in its current state is vulnerable to cyber terrorism.

Cybersecurity of the US electrical grid is an important, complex and timely topic. This issue was addressed in part when EPRI (Electric Power Research Institute) and PSMA organized a workshop on the Smart Grid, titled: "Are You Smart Enough for the Smart Grid?" on March 16, 2013. Jonathan Pollet of Red Tag Security gave a presentation "Hacking SCADA - Are you ready for Stuxnet 2.0?"

For us, the power industry professionals, this is an important topic and may be worth revisiting. This Smart Grid workshop was attended by a relatively small number of people, but maybe this topic needs a large prime time audience. APEC's Plenary Session may be the appropriate forum to involve more engineers to consider the threats.

 

Provided by Mohan Mankikar,
President, Micro-Tech Consultants

 

 

The views expressed in this article are solely of Mohan Mankikar. They do not represent the views of PSMA. Mohan Mankikar has been a part of the power supply industry for over thirty years. An active member of the PSMA since its founding, he had been a board member of the PSMA and currently serves on the Advisory Council. He can be reached at:
Micro-Tech Consultants
(707) 575-4820
MicroMohan@AOL.com
 