Utility managers in Westchester County, New York caught a lucky break when a small water dam's digital control system happened to be offline for routine maintenance. Foreign hackers had infiltrated that system, which would have given them the ability to manipulate the dam's sluice gate and unleash flooding on the communities below it. Because the system was offline, the intruders could not act on their access; the intrusion was subsequently discovered, and in 2016 the hackers were publicly identified and indicted. The episode is a stark reminder of the damage that hackers can cause when they put public utility systems in their crosshairs.
A cyberattack aimed at the national electrical power grid has an even greater potential for widespread damage. Some cybersecurity experts describe a scenario in which an attack designed to shut down only one region of the grid cascades into neighboring regions, producing outages that last for weeks. The infrastructure problems Puerto Rico has faced since Hurricane Maria in 2017 would pale in comparison to the damage that would follow a successful cyberattack on the United States' mainland power infrastructure.
Under the "regulatory compact" that governs them, public utility companies are effectively guaranteed a regulated rate of return. That return would almost certainly be wiped out if a cyberattack shut down a utility's operations for any extended period. Utilities can protect their profitability with a cyber insurance policy that covers cyberattack losses. An added advantage is that carriers offering those policies often have the expertise to identify and reduce cyber risks in their clients' operations as a condition of coverage.
Utility companies can take some basic steps to reduce those risks:
– As the cyberattacks on Ukrainian electrical utilities showed, a disruptive attack on a utility is typically preceded, often by months, by reconnaissance and intrusion attempts such as spear-phishing of staff. Utilities should deploy firewalls and network monitoring that records all traffic flowing into and out of both corporate and control-system networks, establish a baseline of normal traffic patterns, and flag deviations from that baseline (unusual volumes, new external destinations, hosts that have never been seen before). Such alerts give administrators early warning of an attack in progress.
– A coordinated cyberattack on a utility will likely occur in waves. Technical defenses that are able to disrupt those waves will have a better chance of stopping the attack before much damage is done.
– Utility cyberattacks will likely target multiple systems at the same time. Utilities should segment the networks used for email, communications and administrative work from the control networks that run the utility's physical operations, allowing only the specific, documented connections between them that operations require. If one segment is compromised, the continued operability of the others preserves the utility's ability to coordinate recovery.
– Different utilities should share their efforts and experiences in establishing cyberdefenses, and the best practices should be adopted across all utilities.
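To make the early-warning idea in the first point concrete, the following is an added example (not code from the original article or from any utility or vendor it mentions) of simple baseline-and-deviation detection over outbound flow records. The host names, IP addresses, byte counts and the seven-day baseline are all constructed for illustration; the z-score threshold of 3 sigma is an arbitrary assumption, and a real deployment would baseline many more attributes (ports, protocols, time of day) and far more than one week of data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not real utility traffic). Each record is
# (day, source_host, destination_ip, bytes_out) for one outbound flow
# observed at the boundary between the control network and everything else.
BASELINE_FLOWS = []
for day, (hmi_bytes, ws_bytes) in enumerate([(1000, 5000), (1100, 5200), (900, 4800),
                                             (1050, 5100), (950, 4900), (1000, 5000),
                                             (1000, 5000)]):
    BASELINE_FLOWS.append((day, "hmi-01", "10.0.5.20", hmi_bytes))          # HMI -> historian
    BASELINE_FLOWS.append((day, "eng-ws-02", "10.0.5.20", ws_bytes - 200))  # engineering workstation -> historian
    BASELINE_FLOWS.append((day, "eng-ws-02", "203.0.113.10", 200))         # engineering workstation -> vendor portal

# One day of new traffic (also constructed) containing three kinds of deviation.
TODAY_FLOWS = [
    (7, "hmi-01", "10.0.5.20", 1500),        # 50% more data than usual: volume anomaly
    (7, "eng-ws-02", "10.0.5.20", 4800),
    (7, "eng-ws-02", "203.0.113.10", 200),
    (7, "eng-ws-02", "198.51.100.7", 50),    # never-seen destination: new-destination alert
    (7, "plc-gw-03", "198.51.100.7", 30),    # host absent from the baseline: alert
]


def build_baseline(flows):
    """Per host: (mean daily bytes out, population std dev, set of known destinations)."""
    daily = defaultdict(lambda: defaultdict(int))
    known = defaultdict(set)
    for day, host, dst, nbytes in flows:
        daily[host][day] += nbytes
        known[host].add(dst)
    baseline = {}
    for host, days in daily.items():
        vals = list(days.values())
        baseline[host] = (mean(vals), pstdev(vals), known[host])
    return baseline


def detect_anomalies(baseline, flows, z_threshold=3.0):
    """Return a sorted list of (host, reason) alerts for one day of flows."""
    totals = defaultdict(int)
    new_dsts = defaultdict(set)
    for day, host, dst, nbytes in flows:
        totals[host] += nbytes
        if host in baseline and dst not in baseline[host][2]:
            new_dsts[host].add(dst)

    alerts = []
    for host, total in totals.items():
        if host not in baseline:
            alerts.append((host, "no baseline for this host"))
            continue
        mu, sigma, _ = baseline[host]
        # A host whose baseline never varies gets an alert on any change at all.
        if sigma > 0:
            z = (total - mu) / sigma
        else:
            z = 0.0 if total == mu else float("inf")
        if abs(z) > z_threshold:
            alerts.append((host, f"daily volume {total} B is {z:+.1f} sigma from baseline mean {mu:.0f} B"))
    for host, dsts in new_dsts.items():
        alerts.append((host, "new destination(s): " + ", ".join(sorted(dsts))))
    return sorted(alerts)


if __name__ == "__main__":
    for host, reason in detect_anomalies(build_baseline(BASELINE_FLOWS), TODAY_FLOWS):
        print(f"ALERT {host}: {reason}")
```

Run against the constructed data, the detector raises three alerts: a volume anomaly for the HMI (about +8.4 sigma), a new external destination for the engineering workstation, and an unknown host talking out of the control network. Each of those is exactly the kind of "variation from normal data flow" an administrator would want surfaced before an attacker moves from reconnaissance to disruption; the baseline-day traffic, fed back through the same detector, produces no alerts.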
These basic steps are separate from and in addition to the standard cyberdefense practices that all companies should adopt: applying software updates promptly to patch known flaws, requiring strong passwords for network logins, and training employees to recognize phishing, ransomware, and other common forms of network intrusion.
A recent attempted intrusion spotted by the cyberdefense company FireEye involved phishing emails sent to executives at an energy company. The attacker's forays were unsuccessful, but they are yet another example of the very real risks that utility companies face. Robust cyberdefenses, combined with sound post-breach strategies that include cyber insurance and a tested plan for restoring utility operations, are the best protection against the grid going dark.