The Fix: Critical Insights on US Grid Cybersecurity

Published as a series January through May 2015 and then as a special report for sale by Smart Grid Today.

By Karen Haywood Queen

Security risks, including and maybe especially cybersecurity vulnerabilities, abound inside utilities in the US. Digital SCADA systems are thought to be air-gapped but are not. Internet service provider systems used for SCADA systems are thought to be private but are not. Utility staff members have been wrongly presuming using a SCADA protocol across the internet was obscure enough to avoid hacking.

And risks are posed by software bugs, SCADA-system programming errors, substation maintenance mishaps, payment kiosks in shopping malls, utility employees checking email and surfing the internet at work and online systems that let consumers track energy use and savings.

The vulnerabilities expose the nation to risks that might not be obvious. Experts we interviewed noted that countries like Iran and North Korea can cause damage to critical infrastructures – and a hostile country could first cripple the US power grid and then launch nuclear weapons.

All kinds of malicious cyber-attacks on the grid are growing, including attacks that exploit what the industry calls “zero-day” vulnerabilities – ones without a patch or fix. At the same time, increased smart grid automation and internet connectivity create vulnerabilities linked to mistakes, negligence, misguided intentions and other mundane actions.

Renewables are also a major cybersecurity vulnerability for utilities and their smart grid tech providers.There is a bit of hope for those concerned about cybersecurity – but in the form of tough love, we were told.

Many utilities in the last 18 months have moved to insure themselves against problems caused by cyber attacks, but one out of 10 initially are turned down because their systems are not sufficiently protected, an expert told us.

In this 41-page report, (which I wrote) you will get critical insight on the state of US grid cybersecurity from the experts listed below, plus a list of 14 actions that utilities and other stakeholders should take now to minimize risk.

14-point Action Plan Recommended by Top Cybersecurity Experts in Smart Grid Today’s “The 2015 Fix”

No single fix will eliminate cybersecurity vulnerabilities in the grid, cybersecurity experts told us. No single set of stakeholders can solve the problem, and all the parties involved can take steps to lessen the risk. Those parties include utilities, insurance firms, IT and security experts, RTOs, control system experts, control system vendors, proponents of renewables and federal regulators. This report offers a 14-point action plan that cybersecurity experts believe will yield big results.

A peek at the action plan for 2015:

  1. Consider one-way OT (operational technology) connectivity to the outside world;
  2. Take an active, preventive approach to security and reliability;
  3. Set rules for access, and
  4. Inventory devices and software

(Please note: this piece is copyrighted by the owner of Smart Grid Today and is posted here only for purposes of showing what I can do. It is not intended for distribution beyond this site. To purchase a copy, please contact Smart Grid Today).