After Alert On Russian Hacks, Bigger Push To Protect Power Grid

Originally published on April 20, 2018 11:52 am

The joint alert from the FBI and Department of Homeland Security last month warning that Russia was hacking into critical U.S. energy infrastructure may have shaken some Americans. But it came as no surprise to the country's largest grid operator, PJM Interconnection.

"You will never stop people from trying to get into your systems," says PJM Chief Information Officer Tom O'Brien. "The question is, what controls do you have to not allow them to penetrate? And how do you respond in the event they actually do get into your system?"

PJM is the grid operator for 65 million people across the Midwest and mid-Atlantic. At its headquarters outside Philadelphia, there are multiple levels of security to get into the control center. There, on a rainy day in early April, about 10 people were closely monitoring floor-to-ceiling digital displays showing real-time information from the region.

"This is a very large, orchestrated effort that goes unnoticed most of the time," says Donnie Bielak, a reliability engineering manager. "That's a good thing."

The industry certainly did take note in late 2015 and early 2016, when hackers managed to shut down power to about 225,000 people in Ukraine. The outages only lasted a few hours. But it was the first publicly known case of a cyberattack causing major disruptions to a power grid. It was widely blamed on Russia.

One of the many lessons of the Ukraine attacks was a reminder to people who work on critical infrastructure to keep an eye out for odd communications.

"A very large percentage of entry points to attacks are coming through emails," says O'Brien. "That's why PJM, as well as many others, have aggressive phishing campaigns. We're training our employees."

O'Brien doesn't want to get into specifics about how PJM deals with cyberthreats. But one common way to limit exposure is by having separate systems: industrial controls in a power plant, for example, are not connected to corporate business networks.

Training to respond to an "act of war"

Since 2011, North American grid operators and government agencies have also carried out large-scale war games every two years. Thousands of people practice how they would respond to a coordinated physical or cyber event.

So far, nothing like that has happened in the U.S. It's possible, though not likely, says Robert M. Lee, a former military intelligence analyst who runs the industrial cybersecurity firm Dragos.

"The more complex the system, the harder it is to have a scalable attack," says Lee, who co-authored a report analyzing the Ukraine attacks.

He says knocking out power to the entire East Coast for a week or more would be extremely difficult. But briefly disrupting a major city is certainly easier. That's the sort of thing that keeps him up at night.

"I worry about an adversary getting into, maybe, Washington, D.C.'s portion of the grid, taking down power for 30 minutes," he says.

The Department of Energy is looking to create a new office focused on cybersecurity and emergency response. Congress has also asked for a thorough threat assessment and several bills aim to boost security on the grid.

So far, deterrence may be one reason why there has not yet been a major attack on the U.S. grid, says John MacWilliams. He's a former senior DOE official who's now a fellow at Columbia University's Center on Global Energy Policy.

"That's obviously an act of war," says MacWilliams. "We have the capability of responding either through cyber mechanisms or kinetic military."

In the meantime, small-scale incidents keep happening.

This spring another cyberattack targeted natural gas pipelines. Four companies shut down their computer systems, just in case, but they say no service was disrupted.

Copyright 2018 WITF. To see more, visit WITF.

RACHEL MARTIN, HOST:

U.S. energy companies are on alert for cyberattacks. Earlier this week, American and British officials warned that Russian hackers are targeting global Internet equipment. Russian hackers have also been blamed for a series of hacks against American power plants. StateImpact Pennsylvania's Marie Cusick looks at how the industry is trying to make sure your power does not get shut off.

MARIE CUSICK, BYLINE: At the nation's largest grid operator, the report on the Russian attacks was no surprise.

TOM O'BRIEN: You will never stop people from trying to get into your systems.

CUSICK: Tom O'Brien works for PJM Interconnection. It serves 65 million people in the mid-Atlantic and Midwest.

O'BRIEN: The question is what controls do you have to not allow them to penetrate and how do you respond in the event that they actually do get into your system?

CUSICK: The constant threats are one reason why PJM has so many layers of security around its control center.

UNIDENTIFIED PERSON #1: You are going to use your red badge against that and card in. Excellent, come on in.

CUSICK: Recording equipment is banned. So the microphone is zipped into a bag and left at the security desk. Inside the control room, about 10 people are monitoring floor-to-ceiling displays showing real-time information from power plants. As one manager puts it, this is a highly orchestrated, 24/7 effort that goes unnoticed by most people. And that's the way they like it. But the industry definitely did take note two years ago when this happened.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED PERSON #2: The first known hacker-caused power outage has occurred. So thousands of people in the Ukraine left in the dark, literally.

CUSICK: Those attacks were widely blamed on Russia. O'Brien doesn't want to get into specifics about how PJM deals with cyberthreats, but one of the many lessons of the Ukraine attacks was a reminder to keep an eye out for odd communications.

O'BRIEN: A very large percentage of entry points to attacks are coming through email. And that's why PJM, as well as many others, have aggressive phishing campaigns. We're training our employees.

CUSICK: One way to limit exposure is by having separate systems. For example, industrial controls in a power plant aren't connected to corporate business networks. And since 2011, North American grid operators and government agencies have done large security exercises every two years with thousands of people practicing how they'd respond to a coordinated physical or cyber event. So far, nothing like that has happened. And it's not very likely, says Robert M. Lee. He's a former military intelligence analyst who runs his own cybersecurity firm called Dragos.

ROBERT M. LEE: The more complex the system, the harder it is to have a scalable attack.

CUSICK: Knocking out power to the entire East Coast for a week or a month would be very hard, he says. But briefly disrupting a major city is easier. That's what keeps him up at night.

LEE: I worry about an adversary getting into maybe Washington, D.C.'s portion of the grid, taking down power for maybe 30 minutes.

CUSICK: The Department of Energy is trying to create a new office focused on cybersecurity and emergency response. But deterrence may be one reason why there has not yet been a major attack on the U.S. grid, says John MacWilliams. He's with Columbia University's Center on Global Energy Policy.

JOHN MACWILLIAMS: That's obviously an act of war, and we have the capability of responding either through cyber mechanisms or kinetic military.

CUSICK: In the meantime, small-scale incidents keep happening. This spring, another cyberattack targeted natural gas pipelines. Four companies shut down their computer systems just in case, but they say no service was disrupted. For NPR News, I'm Marie Cusick. Transcript provided by NPR, Copyright NPR.