The energy sector's cybervulnerabilities have become more challenging with the rise of smart technologies, but government and industry have not taken the necessary steps to address these exposures and secure America's energy infrastructure. (Online Exclusive)
No one can say we weren’t warned about energy insecurities.
In 1998, President Clinton signed a Presidential Directive that established a national program for critical infrastructure protection. This directive stated that the energy sector of the United States was potentially vulnerable to cyberattack and that the United States would take all necessary measures to swiftly eliminate any significant cyber vulnerabilities within this sector. Five years later, President Bush’s administration published the “National Strategy to Secure Cyberspace.” This document again called for the government to secure computerized systems within the electric grid from possible cyberattack. In May 2009, President Obama stated in a speech on securing our nation’s cyber infrastructure: "It's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation," adding, "We're not as prepared as we should be, as a government or as a country." His remarks also made clear that the United States is highly dependent on computerized systems to provide energy, and he noted that "cyber intruders have probed our electrical grid" and that "in other countries cyber attacks have plunged entire cities into darkness."
It has been over a decade since President Clinton stated that cyberthreats against our energy infrastructure were a national security threat. In the intervening period the cyberthreats against our energy infrastructure have only increased. These increases stem from technological advances within the energy sector that have exposed the industry to unforeseen cybervulnerabilities. The alarming thing is that more unforeseen vulnerabilities are being unintentionally engineered into the energy sector as newer technology is introduced in an effort to improve efficiency and increase resiliency within the industry.
A Host of Insecurities
These alarming reports nonetheless fail to describe the extent to which a complex system such as the national electric grid could be vulnerable to cyberattacks, a growing concern among experts in national security. Demonstrations of cyberattacks—such as a remote attack launched against control systems that regulate an electric generator in Idaho—further justify this concern. In this demonstration, under the code name “Aurora,” the Department of Energy’s Idaho National Laboratory manipulated the generator’s controls to exploit system weaknesses that caused the generator to fail. In particular, the attack caused extreme vibrations, which in turn physically destroyed internal components and ultimately caused the generator to catch fire.
This kind of cyberattack—which the demonstration showed to be feasible—is likely to be even more effective in much larger generators, such as those in big dams and many coal-fired power plants. Potentially catastrophic consequences could occur if a significant number of critical generators were simultaneously damaged by a cyberattack. Research conducted by the U.S. Cyber Consequences Unit has shown that shutting down all electric power over a sizable region will cause at least 70 percent of all economic activity, as measured by GDP, to shut down after 8 to 10 days. This means that if a cyberattacker could shut down electrical power generation across a third of the United States for four months, the dead loss would exceed 1.6 trillion dollars.
Smarter meters. Furthermore, the potential for cyber attacks against electrical power generation systems is a major national security threat that will only get worse. Electric utilities are in the process of deploying new technologies that promise to increase efficiency, reduce load growth, and improve overall grid resiliency. Yet these technologies will introduce new security vulnerabilities as well. For example, electric utilities are increasingly turning to Advanced Metering Infrastructure (AMI) technology to improve the efficiency of the grid. AMI technology, or “smart meters,” allows utilities to monitor their customers’ energy consumption in real time and potentially time-shift the energy usage of individual devices connected to a meter. This time-shifting capability could help shift load from peak hours, when the cost of electricity generation is highest, to hours of the day when the cost of generation is lower. Utilities have another, more immediate incentive to promote and deploy smart meters: they may help increase profits by reducing business expenditures. For example, smart meter deployments will allow utilities to reduce the costs normally associated with dispatching workers to read meters or to establish or terminate service for customers.
While reducing such business costs is important, increasing overall grid security is important as well. Many manufacturers have designed smart meters with few or no security features. The meters currently being installed use standard protocols, such as the Trivial File Transfer Protocol (TFTP) or the Domain Name System (DNS), that have proven vulnerable to cyberattacks in other contexts. Smart meters further involve two-way communication channels between the utilities and their customers. The channels may be provided in a number of ways, including wired connections, such as Ethernet, Digital Subscriber Line (DSL), or Broadband over Power Line (BPL) technology, or through wireless technology, such as cellular.
An unsophisticated hacker can easily disrupt these channels through a distributed denial-of-service (DDoS) attack targeting the smart meters. If the meters were thrown offline by such an attack, the utility company could not transmit reboot instructions to the meters remotely. The utility would need to dispatch workers to each physical location to reboot the meters manually, which would increase the operating costs of fixing the problem.
More sophisticated attacks could involve even greater costs for utility companies. For example, an attacker could obtain complete administrative control over individual meters and systematically turn off electricity to residential, business, and industrial customers. The attacker, furthermore, could time such attacks for maximum effect, shutting off electricity during a heat wave or a cold snap. By manipulating the controls during events when service is likely to be interrupted anyway, such as an ice storm, the attacker may sow confusion to increase the damage from the attack. In such an event, as thinly stretched repair crews first try to fix what usually goes wrong, the restoration of power is delayed, and the costs of the attack can snowball. By disrupting the supply of electricity at critical times, the attacker could make bad regional conditions (e.g., an ice storm in Charlotte, North Carolina) worse, possibly creating a crisis requiring the response of regional and federal authorities, such as the Federal Emergency Management Agency (FEMA).
The widespread deployment of smart meter architecture increases the likelihood of mischief against the devices by opportunistic hackers. We witnessed similar mischief against technologies such as modems and wireless access points when they were widely deployed. In the 1983 film WarGames, the character played by Matthew Broderick popularized a hacker technique known as wardialing, which attempts to find and access modems using automatic dialing methods. In the early part of this decade, hackers shifted their focus from finding insecure modems to locating insecure wireless access points. This technique is called wardriving, the art of searching for wireless networks from a motorized vehicle using a computer loaded with software designed specifically for the task. Hackers in the coming decade will likely shift their attention to smart meters by developing techniques to conduct “warmetering,” the art of locating and accessing metering architecture.
One potential mischievous activity that could be performed by warmetering hackers is the falsification of customer usage information stored on the meters. If this information were altered to show a decrease in electricity consumption for individual customers, relative to the amount of electricity actually consumed, the customers’ bills would be lower than they otherwise would have been. Utility revenues would go down, along with company profits. This data could also be modified to show an increase in power consumption for individual customers, such as those living in more affluent sections of a city. Sharp spikes in usage could increase bills for these customers and increase revenues for the utility, leading customers to complain about billing discrepancies. Utility companies would be forced to investigate these claims, especially if the consumption spikes were egregious. The mischievous attacker could further increase the business cost of determining the cause of the spikes by continually shifting the attacks to target different geographical areas within a single utility’s market. Such mischievous activities could eventually lead to more disruptive (or destructive) ones. One possible scenario is the reprogramming of software on the meters to sever communications between the device and the utility. To resolve the problem, a utility would have to dispatch workers to each residence affected by the incident and would bear the cost of repairing or replacing each meter. If such an attack were widespread, the affected utility might have to sign reciprocity agreements with other utilities to assist with the restoration activities. Depending on the severity of the incident, the utility could also require emergency financial assistance from the federal government.
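The falsification scenario above has a straightforward defensive counterpart: if each meter tags its readings with a keyed MAC, a reading altered in storage no longer verifies, and a plausibility check against the meter’s own history catches spikes that a compromised meter might still sign. The following is an added example, not code from the article or any utility; the meter identifiers, keys, and readings are constructed, and per-meter keys provisioned at install time are an assumption.

```python
import hashlib
import hmac
import json
import statistics

# Hypothetical per-meter keys, assumed to be provisioned when the meter is
# installed (constructed sample values, not real key material).
METER_KEYS = {
    "M-1001": b"constructed-sample-key-1001",
    "M-1002": b"constructed-sample-key-1002",
}

def _canonical(meter_id, ts, kwh):
    # Canonical JSON so meter and utility tag exactly the same bytes.
    return json.dumps({"meter": meter_id, "ts": ts, "kwh": kwh},
                      sort_keys=True, separators=(",", ":")).encode()

def sign_reading(meter_id, ts, kwh):
    """Meter side: attach an HMAC-SHA256 tag to a consumption record."""
    tag = hmac.new(METER_KEYS[meter_id], _canonical(meter_id, ts, kwh),
                   hashlib.sha256).hexdigest()
    return {"meter": meter_id, "ts": ts, "kwh": kwh, "tag": tag}

def verify_reading(rec):
    """Utility side: recompute the tag; any field altered in storage breaks it."""
    key = METER_KEYS.get(rec["meter"])
    if key is None:
        return False
    expected = hmac.new(key, _canonical(rec["meter"], rec["ts"], rec["kwh"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rec["tag"])

def check_readings(records, baseline, spike_factor=3.0):
    """Return (meter, reason) findings for the billing desk to investigate.
    baseline maps meter id -> recent daily kWh values; a correctly tagged but
    implausibly high reading is still flagged, since a compromised meter can
    sign bogus data, so plausibility is an independent second check."""
    findings = []
    for rec in records:
        if not verify_reading(rec):
            findings.append((rec["meter"], "integrity check failed"))
            continue
        hist = baseline.get(rec["meter"], [])
        if hist and rec["kwh"] > spike_factor * statistics.median(hist):
            findings.append((rec["meter"], "usage spike vs baseline"))
    return findings

# Constructed sample data: recent history plus a batch holding one honest
# reading, one lowered after signing, and one signed but implausibly high.
BASELINE = {"M-1001": [30.0, 32.5, 29.0, 31.0], "M-1002": [18.0, 20.0, 19.5, 21.0]}

def demo_findings():
    honest = sign_reading("M-1001", "2010-01-05", 31.2)
    lowered = sign_reading("M-1001", "2010-01-06", 30.8)
    lowered["kwh"] = 3.1  # tampered in storage after the meter signed it
    spiking = sign_reading("M-1002", "2010-01-06", 95.0)
    return check_readings([honest, lowered, spiking], BASELINE)
```

The lowered reading fails the integrity check and the spike is flagged for investigation, while the honest reading passes both checks.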
Smarter appliances. Smart meters are only one point of vulnerability in the smart grid. Smart appliances are another. To realize the potential cost savings from smart grid technology, households will need appliances that are able to receive remote instructions using embedded technology, which allows them to operate during off-peak hours without human interaction. Current intelligent electronic devices (IEDs) are designed to be connected to a home area network (HAN) featuring a home automation technology, such as Insteon or Zigbee, that regulates network communications. Through the HAN, the IEDs may be controlled remotely by homeowners, by utilities, or, possibly, by hackers.
Many of these smart appliances are still on the drawing board, but their designers need to take into account the potential cyberrisks posed by engineering embedded intelligence into the devices. One possible future attack scenario against these devices would be for an attacker to rapidly cycle these appliances on and off remotely. This type of attack could potentially produce cascading outages across entire regions. The size of the affected region would depend partly on the quantity and the power consumption of the appliances commandeered for the attack.
Some futuristic attack scenarios against smart washers and dryers could result in physical damage to the appliance or to the dwelling where it is installed. For example, a cyberattack against a smart washing machine could target the electronic control modules, which regulate the agitation and spin cycles. A devious attacker could instruct the electronic control module to continuously spin the basket at the highest rate of rotation until the lid is physically opened or the power is disconnected from the device. If these revolutions could be maintained for a considerable period, the attack could physically damage internal components or even destroy the appliance. Another attractive target for hackers is IED-enabled dryers. An attacker could instruct the internal control module that the thermostat is not functioning properly and then display an error code on the electronic visual display indicating that service is required. Unless IEDs are designed with specific cybersecurity protection controls, smart appliances could become tempting targets for cyberattacks in the future.
Legal Issues. Security protection for smart appliances could involve a number of different legal aspects. There may be a role for government regulation, such as minimum standards for cybersecurity controls within the appliances. Additionally, contracts between utilities and their customers will need to address the rights associated with information collected from smart meters and smart appliances. Laws and regulations normally lag behind the deployment of technology, so privacy issues will likely increase in importance in the future. For example, a utility that is able to control a customer’s smart appliances through established agreements may have access to personal usage information (PUI), which it could collect, use, and retain. For instance, a smart washer connected to a smart meter could provide the utility with the frequency with which laundry is done in the household. A usage report may show that, on average, this household does eight loads of laundry per week and that three of those loads use the most energy because they use the sanitization cycle of the machine. If this information were combined with data collected from other smart devices—such as the dishwasher, oven, microwave, water heater, and thermostat—the utility could construct a lifestyle profile for an individual household. Customer agreements need to outline how this PUI will be protected and used by the utility.
Consumer privacy will also be vulnerable to the services used by consumers to monitor their energy consumption and control their smart appliances. Some companies, most notably the Internet search behemoth Google, are already entering the market to provide real-time information to consumers. In 2009 Google released PowerMeter, an application that is designed to query smart meters connected to a consumer’s HAN for real-time information on energy use by appliances connected to the smart meters. Technology such as Google’s PowerMeter will eventually allow consumers to monitor their residential energy consumption via the internet, such as from a mobile phone that runs Google’s Android operating system, or from a personal computer or Apple’s iPad. With the ability to control their appliances remotely, utility customers will be able to take actions to reduce their energy bills from anywhere in the world, in response to real-time price information.
Information collected by energy management providers can and probably will be used for a variety of business purposes. Will customers of these services be targeted for advertising related to purchasing new smart appliances or other services that could further reduce their energy usage? Will they be targeted for product marketing campaigns related to their usage patterns? For example, will customers that use their washing machines more intensively receive coupons for Tide detergent? Companies that provide control services will also be able to track information about how their customers use their services, including the frequency with which they check their energy usage, their sensitivity to price changes, and even their physical location at the time they use the services. Could this information round out the service’s profile of its customers and further be used to target them in unforeseen ways?
Portability and interoperability are also potentially important in a competitive market for personal smart meter monitoring technology. Will historical energy consumption maintained by one service provider be portable to another? Additionally, how will this technology shape interoperability standards for IED-enabled appliances? Furthermore, as a first mover in the market for energy management, is Google likely to have a disproportionate influence on interoperability and other issues?
While questions about privacy, portability, and interoperability loom large in Google’s PowerMeter architecture, so do the cybersecurity concerns. For example, could hackers compromise PowerMeter user accounts using the "drive-by-download" techniques commonly used by cybercriminals to conduct illicit activities? Would a mischievous attacker use this access to randomly cycle on or off devices being controlled by alternative architecture?
Green power insecurities. The deployment of smart meters, intelligent appliances, and consumer-level energy management services are only some of the pieces of the energy sector’s resiliency plans. Another key piece is the development and deployment of power generation systems to reduce America’s reliance on finite resources, such as coal and oil. The manufacturers engineering these alternative power generation systems need to take into consideration the potential cybervulnerabilities within the underlying architecture. For example, renewable energy projects involve components, such as wind turbines, that are controlled by computerization. This computerization potentially makes these turbines vulnerable to the same kind of attack that was demonstrated in the Department of Energy’s Aurora project, in which a cyberattack was launched against a generator analogous to components within the national electric grid.
Attackers who wish to maximize damage or disruption may in fact prefer to launch attacks against renewable generation capacity, which may be more geographically concentrated—and centrally controlled—because of the availability of wind or sunlight. Many large-scale renewable projects are being planned. For example, a single wind farm that has been proposed in Oregon, Shepherd’s Flat, will have more than 300 computer-controlled turbines. In another example, the state of California has plans for massive photovoltaic projects with computer-controlled components. These components help to improve the effectiveness of solar electricity generation by adjusting the elevation and orientation of the photovoltaic arrays in relation to the sun. But they also increase the vulnerability of these systems to a disruptive cyberattack. For example, what if a mischievous attacker instructed random photovoltaic arrays to orient themselves in the opposite direction from what the operator had instructed? What if the attacker reprogrammed the arrays not to accept elevation corrections from the operator?
The security challenges of smart grid implementation are daunting, in part because many projects are already under way across the United States. These projects, many of which have been funded by the 2009 stimulus package, are likely to deploy millions of smart meters. The federal government therefore lost an incredible opportunity to integrate federally required security controls into these initial implementations. Before expanding the deployment of smart grid or smart utility technology, the federal government should re-evaluate its investments in this technology in light of growing concerns about cyber security.
Securing America’s energy sector from cyberattacks requires an aggressive and holistic approach, which demands considerable commitments by the energy industry and the government to protect this vital infrastructure. It has been over a decade since an American President declared the electric grid a national security concern; let’s hope it doesn’t take another decade to mitigate the consequences of cyberattacks against this critical industry.
John Bumgarner is the chief technology officer for the U.S. Cyber Consequences Unit (US-CCU) and a senior research fellow in International Security Studies at the Fletcher School of Law and Diplomacy of Tufts University. He has been a member of ASIS for over a decade. The terms "warmetering" and "personal usage information" used above were coined in this article.