The United States has increased efforts to insert malicious code into Russia's electric grid, a development The New York Times warned "enshrines power grids as a legitimate target" in the nations' cold war of cyber one-upmanship.
With utilities in the cross-hairs of malicious actors, experts say there are health, safety and economic risks for those who rely on the grid, particularly if escalation continues.
Critical infrastructure in the U.S., including the electric grid, is "increasingly under attack by foreign adversaries," the head of the Federal Energy Regulatory Commission (FERC), Chairman Neil Chatterjee, told lawmakers last week.
Russia and the U.S. have been probing one another's electric grids for years now, but The New York Times report indicates a serious escalation. One anonymous intelligence community source for the Times described U.S. actions as having become "far, far more aggressive over the past year."
Experts in the utility sector say this is likely the new norm, as power grids become more interconnected and growing numbers of devices are generating and consuming power. For customers, the impacts could be deadly.
Utilities "have been at the forefront of the new cyber battlefield for years," Jason Haward-Grau, chief information security officer at cybersecurity firm PAS Global, told Utility Dive in an email.
In 2015, Ukraine's electric grid was hit by a cyberattack, which led to a lengthy blackout for almost 250,000 people. After that, "nation states started awakening to the significant impact [that] loss of the grid can have at a country level," said Haward-Grau.
So far, hackers probing the U.S. grid have not caused power disruptions, but the threat landscape is changing and cybersecurity is a major focus for the industry.
"The number of national security level cyber incidents is roughly doubling every year," Haward-Grau said.
Edge computing, the internet of things and artificial intelligence will all make utility grids more efficient, Stewart Kantor, president and CFO of Ondas Networks, told Utility Dive. "But also more vulnerable to debilitating cyber threats," he warned. The company designs wireless networks for critical industrial applications.
Standards, public-private partnerships keep grid stable
Utilities and the federal government now coordinate on security issues, according to the Edison Electric Institute's Scott Aaronson, the group's vice president for security and preparedness. "The threat of cyberattacks targeting critical infrastructure is not new," he told Utility Dive.
The organization, which represents U.S. investor-owned utilities, partners with the government through the Electricity Subsector Coordinating Council to "share actionable intelligence, deploy state-of-the-art tools, and prepare to respond to incidents that could affect our systems," he said. "Protecting the energy grid is our industry’s top priority."
The largest state power organization in the country echoed those ideas. "Preempting cyberattacks and protecting our cybersecurity infrastructure is, and always has been, given the highest priority," Kenneth Carnes, vice president of critical secure services and chief information security officer for the New York Power Authority, told Utility Dive.
"We have multiple levels of cybersecurity defense and, together with our partner utilities, we continually research and invest in new technologies and solutions," Carnes said.
Chatterjee told a House subcommittee last week that the cyber threat to the grid is growing, but that mandatory reliability standards are making a difference.
"America's critical infrastructure is increasingly under attack by foreign adversaries," Chatterjee said. He also noted that the Department of Homeland Security and Federal Bureau of Investigation have each issued public reports describing cyber intrusion campaigns by foreign government actors.
Physical and cyber attacks "have the potential to create significant, widespread and potentially devastating effects that threaten the health, safety and economic prosperity of the American people whom we serve," Chatterjee told lawmakers.
Focus continues on control technology
All this comes as security firm Dragos announced last week that the Xenotime threat actor group expanded its efforts beyond oil and gas and into the electric utility sector. And the threat is unlikely to abate, as technology becomes more sophisticated.
"Industrial control system cyber threats are proliferating," the firm said in a June 14 blog post, and "more capable adversaries are investing heavily in the ability to disrupt critical infrastructure."
Dragos said that beginning late last year, Xenotime began probing electric utility networks in the U.S.
The firm said the high cost of coordinating an industrial attack has meant efforts were very focused. "But as more players see value and interest in targeting critical infrastructure — and those already invested see dividends from their behaviors — the threat landscape grows."
This is the new normal, according to Renaud Deraison, co-founder and CTO at Tenable.
"The latest reports that Xenotime is targeting electric utilities in the U.S. and Asia-Pacific region should come as no surprise, but certainly warrants concern," he said in a statement. "The ongoing threats to operational technology and critical infrastructure are no longer theoretical, they have become our new reality."