The joint alert from the FBI and Department of Homeland Security last month warning that Russia was hacking into critical U.S. energy infrastructure may have shaken some Americans. But it came as no surprise to the country’s largest grid operator, PJM Interconnection.
“You will never stop people from trying to get into your systems,” says PJM Chief Information Officer Tom O’Brien. “The question is, what controls do you have to not allow them to penetrate? And how do you respond in the event they actually do get into your system?”
PJM is the grid operator for 65 million people across the Midwest and mid-Atlantic. At its headquarters outside Philadelphia, there are multiple levels of security to get into the control center. There, on a rainy day in early April, about 10 people were closely monitoring floor-to-ceiling digital displays showing real-time information from the region.
“This is a very large, orchestrated effort that goes unnoticed most of the time,” says Donnie Bielak, a reliability engineering manager. “That’s a good thing.”
The industry certainly did take note in late 2015 and early 2016, when hackers managed to shut down power to about 225,000 people in Ukraine. The outages only lasted a few hours. But it was the first publicly known case of a cyberattack causing major disruptions to a power grid. It was widely blamed on Russia.
One of the many lessons of the Ukraine attacks was a reminder to people who work on critical infrastructure to keep an eye out for odd communications.
“A very large percentage of entry points to attacks are coming through emails,” says O’Brien. “That’s why PJM, as well as many others, have aggressive phishing campaigns. We’re training our employees.”
O’Brien doesn’t want to get into specifics about how PJM deals with cyberthreats. But one common way to limit exposure is by having separate systems: industrial controls in a power plant, for example, are not connected to corporate business networks.
Training to respond to an “act of war”
Since 2011, North American grid operators and government agencies have also carried out large-scale war games every two years. Thousands of people practice how they would respond to a coordinated physical or cyber event.
So far, nothing like that has happened in the U.S. It’s possible, though not likely, says Robert M. Lee, a former military intelligence analyst who runs the industrial cybersecurity firm Dragos.
“The more complex the system, the harder it is to have a scalable attack,” says Lee, who co-authored a report analyzing the Ukraine attacks.
He says knocking out power to the entire East Coast for a week or more would be extremely difficult. But briefly disrupting a major city is certainly easier. That’s the sort of thing that keeps him up at night.
“I worry about an adversary getting into, maybe, Washington, D.C.’s portion of the grid, taking down power for 30 minutes,” he says.
The Department of Energy is looking to create a new office focused on cybersecurity and emergency response. Congress has also asked for a thorough threat assessment and several bills aim to boost security on the grid.
So far, deterrence may be one reason why there has not yet been a major attack on the U.S. grid, says John MacWilliams. He’s a former senior DOE official who’s now a fellow at Columbia University’s Center on Global Energy Policy.
“That’s obviously an act of war,” says MacWilliams. “We have the capability of responding either through cyber mechanisms or kinetic military.”
In the meantime, small-scale incidents keep happening.
This spring another cyberattack targeted natural gas pipelines. Four companies shut down their computer systems, just in case, but they say no service was disrupted.