Remember the Y2K bug? That special party you attended with your friends, on December 31st 1999, where the whole world was supposed to come to a screeching, crashing halt? Where control systems would mistakenly revert to 1900 instead of 2000 because they’d only been designed to hold two-digit years? It’s been a while, and after all that champagne, it seems now like a foggy memory. But I remember we partied, expecting the worst and … nothing much happened. The world continued as normal, traffic lights kept their patterns, and the alarm clock blared the next day on cue, along with the hangover. That’s because of the tremendous effort made by countless engineers, programmers, technicians, and planners to ensure computer clocks everywhere properly rolled over into the next millennium. The Y2K bug is similar to the situation we face today when it comes to our power grid. The threat this time isn’t a design flaw in real-time clocks, but one where cyber attacks could put our lights out. Do you wonder how to prepare for a cyber attack on the power grid?
I don’t think I have to mention how important electricity is in the 21st century, but will say I’m firmly in that camp that believes it’s fundamental to Maslow’s basic level in the hierarchy of needs. And the best way to prepare for a cyber attack on the grid is for the grid’s owners and operators to deploy sophisticated, engineering-grade protections that control the flow of attack information into our grid.
How A Cyber Attack On The Grid Can Ruin Everything
There are probably many ways a cyber attack on the grid can cause major damage, but four immediately spring to mind. First, attackers could interrupt or damage generating plants: by blinding operators to the plant’s condition, by faking readings on meters or monitoring systems, or by deliberately disabling safety systems. Or attackers could shut down a turbine and open a breaker at the plant’s own substation, thereby preventing the plant from starting back up again, because station service power from the grid is required for a restart (only plants with dedicated black-start capability can come back without it).
Second, attackers could cause physical damage to expensive, long-lead-time equipment, like transformers. Every substation has transformers. Bringing about physical damage is a two-step attack: first disable the electrical protection, then cause a fault or an overload that the protection would otherwise have cleared. For example, disabling transformer protection relays and then opening the breaker of a parallel unit during peak load demand could leave the remaining transformer carrying load beyond its rated capacity and cause permanent damage. An attack could also disable protection and activate bypass switches, bypassing one transformer so as to overload and explode a second unit in the same substation yard where the two units normally share the load. Most utilities keep only a very small number of high-voltage transformers as spares, but at millions of dollars each, with lead times of over a year made worse by the COVID-19 pandemic, the loss of more than a handful of transformers or similar equipment in a region could lead to long-term blackouts, economic damage, and larger unforeseen societal impacts.
Third, attackers could open circuit breakers in a local distribution yard and cut off power to thousands of residents. With a combined attack that also leaves the power company’s customer support lines flooded and its control systems and relays wiped or disabled, recovery can be slowed or hampered for hours or days. This is not theoretical but has occurred twice, with physical consequences: Sandworm’s BlackEnergy attack on three Ukrainian distribution utilities in December 2015, which opened breakers remotely and then wiped operator workstations, and a separate attack on a transmission substation north of Kiev in December 2016 using the malware dubbed CrashOverride (or Industroyer), which spoke the substation protocols directly. A third attack in April 2022, dubbed Industroyer2, targeted a Ukrainian energy company with the same intent but was detected and disrupted before it caused a significant outage.
The Worst Nightmare Is A Cascading Power Failure
The fourth and most troubling attack would be threat actors causing cascading power failures in the transmission network, by accidentally or strategically opening the right breaker or two. Because the grid normally operates in a stable state, with power flowing through all elements, it is planned to survive only the loss of any single element (the N-1 criterion) or a handful of breakers tripping and switches switching here and there. Other portions of the system will pick up the excess load. But trip just enough of the right breakers, on purpose or by accident, switch or disconnect power in other places, and all the other protection elements will activate in sequence, causing blackouts that could blanket entire nations. It’s happened many times before from ordinary non-cyber causes, like the August 2003 blackout that covered the northeastern US and Ontario. And even though regulations were strengthened and systems were upgraded, cascading failures are still possible. Note that the focus of those studies and upgrades was on the assumption that traditional failures would occur: a branch on the line, or a lightning strike on a tower, but not a hacker!
How to prepare for such a cyber attack on the grid, one intent on causing cascading failures? All the control systems must be protected from malicious information entering them. If the attacker can’t get in, or can’t manipulate any of the control information once in, then you can sleep easy. The consequences of not engineering strong cyber security here are severe.
Grids Everywhere Need More Engineering-Grade Solutions
What is really needed is to control the information flow into substation automation SCADA systems and control centre networks, and if possible, to implement engineering-grade solutions that remove or mitigate those information flows altogether. A lot of material is available to help understand how to do just that:
- Segmenting substation networks
- The SEC-OT design methodology
- Idaho National Laboratory and the US DOE’s Cyber-Informed Engineering Strategy
- An Emerging Consensus for Industrial Security Engineering
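To make “control the information flow into substation automation” concrete, here is an added example, written for this page and not taken from the post’s author or from any of the references above. It assumes the substation speaks Modbus/TCP (chosen purely for illustration; real substations often use IEC 61850, DNP3 or IEC 104, and the same idea applies) and models a default-deny boundary filter: frames entering the substation zone pass only if they are read-only queries, and frames leaving it pass only if they are a reply to a query the filter itself forwarded. Every frame in the demo is constructed test data; the zone names and class names are the example’s own.

```python
"""
Added example: a default-deny policy filter at a substation network boundary.
Modbus/TCP is assumed for illustration; all sample frames are constructed.
"""
import struct
from dataclasses import dataclass

# Modbus public function codes (Modbus Application Protocol specification).
READ_FUNCTIONS = {1, 2, 3, 4}             # read coils / discrete inputs / holding / input registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}  # write single/multiple coil/register, mask write, read-write
EXCEPTION_FLAG = 0x80                     # set in the function code of an exception response


@dataclass(frozen=True)
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header plus PDU; raise ValueError on anything malformed."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    # The MBAP length field counts the unit-id byte plus the PDU.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame)}-byte frame")
    return ModbusFrame(transaction_id, unit_id, frame[7], frame[8:])


def build_frame(transaction_id: int, unit_id: int, function: int, payload: bytes) -> bytes:
    """Build a well-formed Modbus/TCP frame (used here only to construct sample traffic)."""
    pdu = bytes([function]) + payload
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


class SubstationBoundaryFilter:
    """Default-deny filter between a control-centre zone and a substation zone.

    inbound():  towards the substation; only read queries pass, and each one is
                remembered so that exactly one matching reply may come back out.
    outbound(): towards the control centre; only replies to forwarded queries pass.
    """

    def __init__(self) -> None:
        self._pending: dict[tuple[int, int], int] = {}   # (unit, transaction) -> function

    def inbound(self, frame: bytes) -> tuple[bool, str]:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            return False, f"drop: malformed frame ({exc})"
        if req.function in READ_FUNCTIONS:
            self._pending[(req.unit_id, req.transaction_id)] = req.function
            return True, f"allow: read-only query (function {req.function})"
        if req.function in WRITE_FUNCTIONS:
            return False, f"drop: write/control command (function {req.function}) into substation zone"
        # Diagnostics (8), device identification (43) and anything unknown stay blocked.
        return False, f"drop: function {req.function} is not on the allow-list"

    def outbound(self, frame: bytes) -> tuple[bool, str]:
        try:
            resp = parse_modbus_tcp(frame)
        except ValueError as exc:
            return False, f"drop: malformed frame ({exc})"
        expected = self._pending.pop((resp.unit_id, resp.transaction_id), None)
        if expected is None:
            return False, "drop: unsolicited message from substation zone"
        if resp.function not in (expected, expected | EXCEPTION_FLAG):
            return False, f"drop: reply function {resp.function} does not match query {expected}"
        return True, f"allow: reply to forwarded query (function {resp.function})"


def run_demo() -> list[tuple[str, bool, str]]:
    """Push constructed sample traffic through the filter and return (label, allowed, reason)."""
    gw = SubstationBoundaryFilter()
    samples = [
        ("read 10 holding registers",        gw.inbound,  build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),
        ("write single register",            gw.inbound,  build_frame(2, 1, 6, b"\x00\x10\x00\x01")),
        ("write multiple registers",         gw.inbound,  build_frame(3, 1, 16, b"\x00\x00\x00\x02\x04\x00\x01\x00\x02")),
        ("diagnostics: restart comms",       gw.inbound,  build_frame(4, 1, 8, b"\x00\x01\x00\x00")),
        ("reply to the read query",          gw.outbound, build_frame(1, 1, 3, b"\x04\x00\x11\x00\x22")),
        ("replayed copy of that reply",      gw.outbound, build_frame(1, 1, 3, b"\x04\x00\x11\x00\x22")),
        ("unsolicited data from substation", gw.outbound, build_frame(99, 1, 3, b"\x02\x00\x00")),
        ("wrong MBAP protocol id",           gw.inbound,  b"\x00\x05\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),
    ]
    return [(label, *fn(frame)) for label, fn, frame in samples]


if __name__ == "__main__":
    for label, allowed, reason in run_demo():
        print(f"{'ALLOW' if allowed else 'DROP ':5} {label:34} {reason}")
```

Two things worth noticing. First, this is the “mitigate” option: software inspecting a bidirectional link still has an inbound path that a bug in the filter could open. The engineering-grade “remove” option is a unidirectional gateway or data diode, where the `inbound` direction physically does not exist and only monitoring data flows out. Second, even a read-only allow-list is a judgement call: diagnostics (function 8) is blocked above because one of its sub-functions restarts the device’s communications, which is exactly the kind of operator-blinding effect described earlier.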
There is much work left to do before our power grid is so thoroughly protected that a serious cyber attack is simply not a credible threat any more. The good news is that the work is on-going, and the path to success is clear.
Your feedback is always welcome. Feel free to reach out on LinkedIn.