Why Complacency Is Leaving the U.S. Electrical Grid at Risk
On a list of the critical necessities for our country’s modern way of life, at the very top has to be electricity. Not only does it provide light, keep our food from spoiling and maintain a comfortable temperature in our living spaces, it powers the many screens with which we do our jobs, communicate with loved ones and access entertainment. You wouldn’t be reading these words without electricity.
So, suffice it to say that keeping our electrical grid secure should be the highest priority for federal government agencies overseeing the energy sector. But alarmingly, the security around U.S. power grids is far less fortified than many assume — a vulnerability of which our geopolitical enemies are surely aware.
As 60 Minutes recently reported in an eye-opening piece, a little-known 2013 incident near San Jose, California, demonstrated how easily our power grid can be attacked. A group of unidentified gunmen shot repeatedly at the high-voltage transformers at a power substation, causing them to stop working and taking the substation down for weeks — though fortunately, the power company that operated it was able to reroute power without any major outages. Had things gone differently, the attack would have likely taken out power to all of Silicon Valley.
The attack appeared to be well-planned and sophisticated, raising questions whether it was a precursor to a larger attack. While that hasn’t happened yet, since 2013 there have been a slew of other physical attacks on the U.S. electric grid — over 700, by one estimate.
But the U.S. energy grid has an even more glaring weakness than its physical barriers, since our enemies don’t need to mount a physical attack to cause a major disruption. They can do it from across the world through organized cyberattacks — and have been doing it for years, successfully targeting federal agencies including the treasury and commerce departments, the Department of Energy and the Department of Homeland Security.
With more than 3,000 companies, public and private, making up sections of the U.S. electric grid, there’s no shortage of potential targets to attack. And because each of those targets has some level of connection to the internet, each has countless potential access points for hackers to exploit. Cybersecurity professionals call this the “attack surface.”
The energy grid in Florida, where I grew up, is a great illustration of the gradual expansion of the attack surface. Florida’s energy company, Florida Power and Light (FPL), dates back to the 1920s, long before the internet came along. In those early decades, the attack surface was small — disrupting it without a physical attack was practically impossible. But when FPL achieved internet capability, its attack surface grew exponentially.
More recently, FPL has made an app available for customers, allowing them to pay bills online and monitor the energy usage in their homes. The drawback to this modern convenience, however, is that it exponentially expands FPL’s attack surface by giving anyone who downloads the app an easy entry point to FPL’s system.
Practically every other utility company offers a similar mobile experience for customers — each with its own set of security vulnerabilities. In our rush to make everything in our lives easily accessible on our devices, we’ve opened the door for our enemies to attack the very core of our critical infrastructure.
We’re deluding ourselves if we go on believing that this level of complacency won’t eventually have repercussions, possibly very serious ones. And these dangers extend beyond our energy grid. What if a hacker gets access to your investment or bank accounts and changes the balance by a couple of decimal points, lowering the value to pennies? What if they gained access to our nuclear power generation or emergency response communications systems?
The most important thing we can do is to recognize the gravity of this threat, then take decisive action. Public and private energy providers need to be proactively assessing cybersecurity threats that affect them or other entities elsewhere on the grid, then be vigilant in addressing those problems — not just doing the bare minimum required by law.
While the cost of true cyber resilience is not cheap, it’s small compared to the potential cost of inaction. For all of us, the choice should be obvious.