![Sample our Environment & Sustainability journals, sign in here to start your access, latest two full volumes FREE to you for 14 days]({"type":"image" , "src" : "/sda/5935/TOC-Subject-Sample-2021-Environment-Sustainability.jpg"})
Abstract
Industries and governments across the world are confronting an ever-growing wave of cyber attacks. Few industries are as vulnerable to these attacks, while simultaneously being indispensible to modern life, as public utilities. Among public utilities the electric grid ranks supreme in its importance to everyday activities, and yet it is under daily siege by actors aiming to cripple it. Should a grid attack of significant magnitude come to fruition, the effects could be devastating and vast. Accordingly, this issue demands immediate attention. This article highlights the urgent nature of this challenge and makes recommendations that should go into effect immediately as a means to mitigate large-scale disruption of the electric grid.
Notes
1 David Roberts, ‘California's Deliberate Blackouts Were Outrageous and Harmful. They’re Going to Happen Again’ (Vox, 24 October 2019) www.vox.com/energy-and-environment/2019/10/16/20910947/climate-change-wildfires-california-2019-blackouts accessed 14 March 2020.
2 Although this article focuses on the possibility of grid failure in the United States, it is imperative to note that what is possible in the United States is possible in virtually any other country reliant on electric power rooted in industrial control systems, which includes nearly every country on the planet. Also, an honest examination of this topic is an attempt at thoroughness; security of the grid is simply too complex for an exhaustive treatment in one article. The author accepts, therefore, that many critical topics may go unnoticed in this article, but this should not be interpreted as implying anything about the significance or insignificance of those other issues.
3 See Lily Hay Newman, ‘Why It's So Hard to Restart Venezuela's Power Grid’ (Wired Magazine, 12 March 2019) www.wired.com/story/venezuela-power-outage-black-start accessed 14 March 2020; see also Lily Hay Newman, ‘The Hail Mary Plan to Restart a Hacked US Electric Grid’ (Wired Magazine, 14 November 2018) www.wired.com/story/black-start-power-grid-darpa-plum-island accessed 14 March 2020.
4 United States Environmental Protection Agency, ‘US Electricity Grid and Markets’ www.epa.gov/greenpower/us-electricity-grid-markets accessed 14 March 2020.
5 Manimaran Govindarasu and Adam Hahn, ‘Cybersecurity of the Power Grid: A Growing Concern’ (GCN, 24 February 2017) https://gcn.com/articles/2017/02/24/power-grid-cybersecurity.aspx accessed 14 March 2020.
6 Ibid.
7 See generally Matthew Lave, ‘Complex Systems and the Electric Grid’ (Sandia National Laboratories) www.osti.gov/servlets/purl/1366842 accessed 14 March 2020.
8 Newman, ‘Hail Mary Plan’ (n 3).
9 Katie Bo Williams and Cory Bennett, ‘Why A Power Grid Attack Is a Nightmare Scenario’ (The Hill, 30 May 2016) https://thehill.com/policy/cybersecurity/281494-why-a-power-grid-attack-is-a-nightmare-scenario accessed 14 March 2020; see also Richard Gray, ‘What Would Happen in an Apocalyptic Blackout?’ (BBC Future, 24 October 2019) www.bbc.com/future/article/20191023-what-would-happen-in-an-apocalyptic-blackout accessed 14 March 2020.
10 See generally Jeffrey Carr, Inside Cyber Warfare (2nd edn, O’Reilly Media 2011); Council on Foreign Relations, ‘CFR Survey: Disruptive Cyber Attack a Top Concern in 2020’ (18 December 2019) www.cfr.org/news-releases/cfr-survey-disruptive-cyberattack-top-concern-2020 accessed 14 March 2020.
11 Rebecca Kern, ‘Duke Energy Hit by 650M Cyber Attempts to Breach Systems in 2017’ (Bloomberg Environment, 13 July 2018) https://news.bloombergenvironment.com/environment-and-energy/duke-energy-hit-by-650m-cyber-attempts-to-breach-systems-in-2017 accessed 14 March 2020.
12 Ibid.
13 Ibid.
14 Carlos Anchondo, ‘Report: 1 in 10 Utilities Hit by Malware’ (Energy & Environment News, 3 July 2019) https://news.bloombergenvironment.com/environment-and-energy/duke-energy-hit-by-650m-cyber-attempts-to-breach-systems-in-2017 accessed 14 March 2020.
15 Andy Greenberg, ‘Hackers Gain Direct Access to US Power Grid Controls’ (Wired Magazine, 6 September 2017) www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power-systems accessed 14 March 2020.
16 David Sanger, ‘US Escalates Online Attacks on Russia's Power Grid’ The New York Times (15 June 2019) www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html accessed 14 March 2020.
17 Ibid; United States Department of Energy, Office of Electricity Delivery & Energy Reliability Multiyear Plan for Energy Sector Cybersecurity (March 2018) www.energy.gov/sites/prod/files/2018/05/f51/DOE%20Multiyear%20Plan%20for%20Energy%20Sector%20Cybersecurity%20_0.pdf accessed 14 March 2020.
18 Sanger (n 16).
19 Govindarasu and Hahn (n 5); United States Department of Energy, Office of Electricity Delivery & Energy Reliability (n 17).
20 Govindarasu and Hahn (n 5).
21 Blake Sobczak, ‘Hacking Threat Puts Oil Firms at “High Risk”’ (Energy & Environment News, 1 August 2019) www.eenews.net/energywire/stories/1060819861 accessed 14 March 2020; Alex Endress, ‘Deloitte's Hacking Report Underscores Cybersecurity Threat to Oil and Gas Companies’ (World Oil Magazine, 12 July 2017) www.worldoil.com/blog/2017/07/deloitte-s-hacking-report-underscores-cybersecurity-threat-to-oil-and-gas-companies accessed 14 March 2020.
22 Endress (n 21).
23 Kate O’Flaherty, ‘Iranian Hackers Are Going After a Disturbing New Physical Target’ (Forbes 21 November 2019) www.forbes.com/sites/kateoflahertyuk/2019/11/21/iranian-hackers-could-be-going-after-a-disturbing-new-physical-target/#4536d8ba7d2a accessed 14 March 2020.
24 Andrew Charles Wills, ‘A Background on NERC’ (American Security Project, 30 January 2014) www.americansecurityproject.org/nerc accessed 14 March 2020; see also United States Environmental Protection Agency (US EPA), ‘US Electricity Grid and Markets’ www.epa.gov/greenpower/us-electricity-grid-markets accessed 14 March 2020.
25 Wills (n 24).
26 US EPA (n 24).
27 Ibid.
28 US EPA (n 24).
29 Ibid.
30 Ibid.
31 Ibid.
32 Alaska and Hawaii have their own interconnections. Hawaii Energy Office https://energy.hawaii.gov/wp-content/uploads/2014/11/HSEO_FF_Nov2014.pdf accessed 14 March 2020; US Energy Information Administration www.eia.gov/state/analysis.php?sid=AK accessed 14 March 2020.
33 Manimaran Govindarasu, ‘As Russians Hack the US Grid, a Look at What's Needed to Protect It’ (The Conversation, 7 August 2018) http://theconversation.com/as-russians-hack-the-us-grid-a-look-at-whats-needed-to-protect-it-100489 accessed 14 March 2020.
34 Ibid.
35 Ibid.
36 Ibid.
37 Ibid.
38 Ibid.
39 Ibid.
40 Ibid.
41 Ibid.
42 Ibid.
43 Ibid.
44 Ibid.
45 Annie I. Antón and Justin Hemmings, ‘Recognizing Vendor Risks to National Security in the CFIUS Process’ (LawFare Blog, 4 January 2019) www.lawfareblog.com/recognizing-vendor-risks-national-security-cfius-process accessed 14 March 2020.
46 See generally Jerome Farguharson, Donald Williams and Courtney Buser, ‘Securing the Supply Chain’ (Burns McDonnell, 2017) www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=2ahUKEwjAyJyqnpvoAhWKrp4KHZUjD4QQFjADegQIAxAB&url=https://www.burnsmcd.com%2F~%2Fmedia%2Ffiles%2Finsightsnews%2Finsights%2Ftech-paper%2Fsecuring-the-supply-chain%2Fsecuringthesupplychainwhitepaperburnsmcdonnell12750.pdf&usg=AOvVaw2oZfHHYJyc-n0_mqFHQIhg accessed 14 March 2020.
47 Antón and Hemmings (n 45).
48 Foreign Investment Risk Review Modernization Act (FIRRMA), Title XVII, PL 115–232 (2018); Antón and Hemmings (n 45).
49 FIRRMA.
50 Ibid.
51 David Fickling, ‘Cyber Attacks Make Smart Grids Look Dumb’ (Bloomberg, 17 June 2019) www.bloomberg.com/opinion/articles/2019-06-17/argentina-blaming-hackers-for-outage-makes-smart-grids-look-dumb accessed 14 March 2020.
52 Dan O'Shea, ‘LG Introduces Smart Refrigerator with Amazon Alexa-Enabled Grocery Ordering’ (RetailDive.com, 4 January 2017) www.retaildive.com/news/lg-introduces-smart-refrigerator-with-amazon-alexa-enabled-grocery-ordering/433366 accessed 14 March 2020.
53 Fickling (n 51).
54 Pennsylvania Public Utilities Commission, ‘Smart Meter Q&A’ www.puc.state.pa.us/General/consumer_ed/pdf/13_Smart%20Meters.pdf accessed 14 March 2020.
55 Ibid.
56 Ibid.
57 Ibid.
58 Ibid.
59 Christopher Bosch, ‘Securing the Smart Grid: Protecting National Security and Privacy Through Mandatory, Enforceable Interoperability Standards’ (March 2016) 41(4) Fordham Urban Law Journal 1352.
60 United States Department of Energy, Office of Electricity Delivery & Energy Reliability (n 17).
61 Ibid.
62 Ibid.
63 Ibid. Much of the cost incurred during a cybercrime can be financially difficult to measure because the vast majority of it is unquantifiable reputation damage (assuming the attack is even publicly disclosed at all). The cost reflected here falls into one of four categories: business disruption, information loss, revenue loss and equipment damages. If companies faced stronger liability for negligent data breaches, then this figure would be much higher. However, when we are talking about data theft the measurable cost to the company is relatively minor because they aren't really losing anything; they still have a record of the data that is stolen and the cyber attacker gets a copy of it. For example, if a credit card company is attacked and the attack results in the theft of 400 million credit card accounts, the credit card company will still have those accounts, but they may have to issue press statements, reverse charges, etc. Now, the broader economic losses to costumers, corporate goodwill, etc, would be very high, but difficult to measure.
64 Kelly Bissell and Larry Ponemon, ‘The Cost of Cybercrime, Ninth Annual Cost of Cybercrime Study: Unlocking the Value of Improved Cybersecurity Protection’ (Accenture Security) www.accenture.com/_acnmedia/pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf accessed 14 March 2020.
65 See generally United States Cyberspace Solarium Commission Report (March 2020) https://drive.google.com/file/d/1ryMCIL_dZ30QyjFqFkkf10MxIXJGT4yv/view accessed 14 March 2020.
66 See also Williams and Bennett (n 9); Gray (n 9).
67 Ibid.
68 Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Crown Publishers 2014).
69 Cyber attack definition www.merriam-webster.com/dictionary/cyberattack accessed 14 March 2020.
70 Carr (n 10).
71 Ibid. Hacktivism is the act of computer hacking to express political or sociological beliefs. See www.itpro.co.uk/hacking/30203/what-is-hacktivism accessed 14 March 2020.
72 Linda McGlasson, ‘Heartland Hacker Sentenced to 20 Years’ (BankInfo Security, 26 March 2010) www.bankinfosecurity.com/heartland-hacker-sentenced-to-20-years-a-2344 accessed 14 March 2020.
73 Dorothy Denning, ‘Cyberwar: How Chinese Hackers Became a Major Threat to the US’ (Newsweek, 5 October 2017) www.newsweek.com/chinese-hackers-cyberwar-us-cybersecurity-threat-678378; Richard Norton-Taylor, ‘Titan Rain – How Chinese Hackers Targeted Whitehall’ (The Guardian, 4 September 2007) www.theguardian.com/technology/2007/sep/04/news.internet accessed 14 March 2020.
74 See generally Richard Clarke, Cyber War – The Next Threat to National Security and What to Do About It (Harper Collins 2010).
75 Benjamin Monarch, ‘One Minute to Midnight: Amending the War Powers Resolution to Confront the Coming Cyber Wars’ (2015) 103 Kentucky Law Journal 462; Booz Allen Hamilton, ‘When the Lights Went Out: A Comprehensive Review of the 2015 Attacks on Ukrainian Critical Infrastructure’ www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf accessed 14 March 2020.
76 National Intelligence Council, Global Trends 2025 (U.S. Government Printing Office 2008) 97.
77 Andy Greenberg, ‘Here's the Evidence that Links Russia's Most Brazen Attacks’ (Wired Magazine, 15 November 2019) www.wired.com/story/sandworm-russia-cyberattack-links accessed 14 March 2020; Michael Imeson, ‘Russia Cyber Aggression Fuels Tensions with West’ (Financial Times, 13 October 2019) www.ft.com/content/0aa7a6e0-ca52-11e9-af46-b09e8bfe60c0 accessed 14 March 2020.
78 Electricity Information Sharing and Analysis Center, ‘Analysis of the Cyber Attack on the Ukrainian Power Grid’ (18 March 2016) https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
79 Ibid.
80 Michael Assante, ‘Confirmation of a Coordinated Attack on the Ukrainian Power Grid’ (SANS Blog, 6 January 2016) https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid
81 Kim Zetter, ‘Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid’ (Wired.com, 3 August 2016) <www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid> accessed 14 March 2020.
82 Ibid.
83 Ibid.
84 Kim Zetter, ‘Everything We Know About Ukraine's Power Plant Hack’ (Wired Magazine, 20 January 2016) www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-hack accessed 14 March 2020.
85 Monarch (n 75).
86 Kim Zetter, ‘The Ukrainian Power Grid was Attacked Again’ (VICE, 10 January 2017) www.vice.com/en_us/article/bmvkn4/ukrainian-power-station-hacking-december-2016-report accessed 14 March 2020.
87 Ibid.
88 Ibid.
89 Lauren Cerulus, ‘How Ukraine Became a Test Bed for Cyber Weaponry’ (Politico, 14 February 2019) www.politico.eu/article/ukraine-cyber-war-frontline-russia-malware-attacks accessed 14 March 2020.
90 Ibid.
91 Julia Pyper, ‘Russian Hackers Breach US Utility Network via Trusted Vendors’ (Greentech Media, 24 July 2018) www.greentechmedia.com/articles/read/russian-hackers-us-utility-power-grid-trusted-vendors accessed 14 March 2020.
92 Lily Hay Newman, ‘Russian Hackers Haven't Stopped Probing the US Power Grid’ (Wired Magazine, 28 November 2018) www.wired.com/story/russian-hackers-us-power-grid-attacks accessed 14 March 2020.
93 Ibid.
94 Nash Jenkins, ‘Feds: Russian Hackers Are Attacking US Power Plants’ (TIME Magazine, 16 March 2018) https://time.com/5202774/russia-hacking-dhs-report-power accessed 14 March 2020.
95 Blake Sobczak, ‘Feds to Review Nuclear Plant Hit by Hackers’ (Energy & Environment News, 22 March 2019) www.eenews.net/energywire/stories/1060127921?t=https://www.eenews.net%2Fstories%2F1060127921 accessed 14 March 2020.
96 Andrew Phillips, ‘The Asymmetric Nature of Cyber Warfare’ (USNI News, 14 October 2012) https://news.usni.org/2012/10/14/asymmetric-nature-cyber-warfare accessed 14 March 2020.
97 FERC News Release, ‘FERC Strengthens Cyber Security Standards for Bulk System’ (20 June 2019) www.ferc.gov/media/news-releases/2019/2019-2/06-20-19-E-2.asp#.Xm2esy2ZM0Q;CriticalInfrastructureProtectionReliabilityStandardCIP-008-6 accessed 14 March 2020.
98 Ibid; Environment and Energy Bloomberg, ‘INSIGHT: New FERC Cyber Rules May Push Companies to Revise Plans’ (14 August 2019) https://news.bloombergenvironment.com/environment-and-energy/insight-new-ferc-cyber-rules-may-push-companies-to-revise-plans accessed 14 March 2020.
99 Christian Vasquez, ‘Feds Band Against Energy Hackers as Ransom Threat Rises’ (EnergyWire, 4 February 2020) www.eenews.net/energywire/stories/1062258033 accessed 14 March 2020.
100 Ibid.
101 Mohana Ravindranath, ‘27 Separate Federal Programs Protect Power Grid’ (Nextgov.com, 27 February 2017) www.nextgov.com/cio-briefing/2017/02/27-separate-federal-programs-protect-power-grid/135740 accessed 14 March 2020.
102 Robert Walton, ‘Senate Passes Cybersecurity Bill to Decrease Grid Digitization, Move toward Manual Control’ (Utility Dive, 1 July 2019) www.utilitydive.com/news/senate-passes-cybersecurity-bill-to-decrease-grid-digitization-move-toward/557959 accessed 14 March 2020.
103 Ibid.
104 Ibid.
105 Daniel Shea, ‘Cybersecurity and the Electric Grid: The State Role in Protecting Critical Infrastructure’ (NCSL, 24 January 2020) www.ncsl.org/research/energy/cybersecurity-and-the-electric-grid-the-state-role-in-protecting-critical-infrastructure.aspx accessed 14 March 2020.
106 Ibid.
107 Jim Garamone, ‘Esper Describes DOD's Increased Cyber Offensive Strategy’ (US Department of Defense, 20 September 2019) www.defense.gov/Explore/News/Article/Article/1966758/esper-describes-dods-increased-cyber-offensive-strategy accessed 14 March 2020.
108 Ibid.
109 Taylor Armerding, ‘US Vows to Go on Cyber Offense’ (Forbes, 28 September 2018) www.forbes.com/sites/taylorarmerding/2018/09/28/u-s-vows-to-go-on-cyber-offense/#42cdbad87e19 accessed 14 March 2020; The White House, ‘National Cyber Strategy’ (September 2018) https://assets.documentcloud.org/documents/4916949/National-Cyber-Strategy.pdf;DepartmentofDefenseCyberStrategy,2018availableathttps://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF accessed 14 March 2020.
110 The White House (n 109).
111 Zetter, Countdown (n 68).
112 Ibid.
113 Hamilton (n 75). For those interested in a deeper analysis of these factors at an engineering level, please see the publication.
114 Ibid.
115 Newman, ‘Russian Hackers’ (n 92).
116 Edward Moyer, ‘Stolen NSA Hacking Tool Now Victimizing US Cities Report Says’ (CNET, 25 May 2019) www.cnet.com/news/stolen-nsa-hacking-tool-now-victimizing-us-cities-report-says accessed 14 March 2020.
117 Ibid.
118 Richard Chirgwin, ‘No Big Deal … Kremlin Hackers “Jumped” Air-Gapped Network to Pwn US Power Utilities’ (The Register, 24 July 2018) www.theregister.co.uk/2018/07/24/russia_us_energy_grid_hackers accessed 14 March 2020.
119 Zetter, Countdown (n 68).
120 Stuart Madnick, ‘Preparing for the Cyberattack that Will Knock out US Power Grids’ (Harvard Business Review, 10 March 2017) https://hbr.org/2017/05/preparing-for-the-cyberattack-that-will-knock-out-u-s-power-grids accessed 14 March 2020.
121 Ibid.
122 Ibid.
123 Ibid.
124 Aaron Klein and Scott Anderson, ‘A Federal Backstop for Insuring Against Cyberattacks?’ (Brookings Institute, 27 September 2019) www.brookings.edu/blog/techtank/2019/09/27/a-federal-backstop-for-insuring-against-cyberattacks accessed 14 March 2020.
125 Ibid.
126 Ibid.
127 Ibid.
128 Doug Olenick, ‘Cyber Insurance Premium Costs Rise 5 Percent for 2019, Despite Increased Attacks’ (SC Media, 19 September 2019) www.scmagazine.com/home/security-news/data-breach/cyber-insurance-premium-costs-rise-5-percent-for-2019-despite-increased-attacks accessed 14 March 2020.
129 William Crumpler, ‘The Cybersecurity Workforce Gap’ (Center for Strategic and International Studies, 29 January 2019) www.csis.org/analysis/cybersecurity-workforce-gap accessed 14 March 2020.
130 Frost & Sullivan, 2017 Global Information Security Workforce Study (2017) https://iamcybersafe.org/wp-content/uploads/2017/06/europe-gisws-report.pdf accessed 14 March 2020.
131 Ibid.
132 Peter Behr, ‘FERC Official's Comments Spotlight Pipeline Cyber Risk’ (Energy and Environment News, 10 August 2018) www.eenews.net/stories/1060093825 accessed 14 March 2020.
133 Govindarasu (n 33).
134 University of Arizona, ‘NSF Renews Grant for University of Arizona Cybersecurity Program’ (EurekAlert, 15 October 2019) www.eurekalert.org/pub_releases/2019-10/uoa-nrg101419.php accessed 14 March 2020.
135 Bosch (n 59).
136 Ibid.
137 Matt Burgess, ‘What Is the Internet of Things?’ (Wired Magazine, 16 Febuary 2018) www.wired.co.uk/article/internet-of-things-what-is-explained-iot accessed 14 March 2020.
138 Statista Research Department, ‘Internet of Things – Numer of Connected Devices Worldwide 2015–2025’ (27 November 2016) www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide accessed 14 March 2020.
139 Alireza Ghasempour, ‘Internet of Things in Smart Grid: Architecture, Applications, Services, Key Technologies, and Challenges’ (Department of Information and Communication Technology, University of Applied Sciences and Technology, University of Tehran, 26 March 2019) www.mdpi.com/2411-5134/4/1/22 accessed 14 March 2020.
140 Navigant, ‘Energy Cloud 4.0 – Capturing Business Value Through Disruptive Energy Platforms (Q1 2018) www.navigantresearch.com/-/media/project/navigant-research/reportfiles/wpec418navigantresearchpdf.pdf accessed 14 March 2020.