Digital cyberattacks on the power grid so far have failed to leave America in the dark, but utilities and grid operators are preparing for that day so they can quickly respond, industry experts told a Congressional panel.
The House of Representatives' energy and power subcommittee prodded electricity sector experts on cybersecurity threats during a hearing Feb. 1, one day after President Donald Trump postponed signing an executive order directing a 60-day review of the nation's cybersecurity defenses.
"The threat of cyberattacks by nation states, terrorist groups and criminals is at an all-time high," said Gerry Cauley, president and CEO of the North American Electric Reliability Corporation. "We've seen an increased presence of ransomware, data theft, and other criminal activities against all sectors of our economy."
Cauley said the suspected Russian cyberattack on Ukrainian utilities in December 2015 that left 225,000 people without power for several hours "indicates that nation state adversaries have the cyber tools and now the will to disrupt the grid of other nations."
"Electric companies have to be right 100% of the time and the adversary has to be right once," said Scott Aaronson, executive security director for the Edison Electric Institute. "There isn't enough money in the world to protect against every threat in every location but we are working to prevent incidents from having long-term or devastating impacts."
Speaking on behalf of the Electricity Subsector Coordinating Council, which serves as the main liaison between the federal government and the electric power sector, Aaronson said the industry is developing a cyber mutual assistance program to coordinate resources for companies affected by cyberattacks. The program, which was suggested in the wake of the attack in Ukraine, already has more than 80 participants and is growing, he said. The industry also has numerous mutual assistance programs that allow companies to share information and spare equipment.
Energy and Commerce Committee chairman Rep. Greg Walden, R-Ore., raised the specter of hackers harnessing "the internet of things" into "a swarming attacking machine," like the October 2016 incident, when a million electronic devices were hijacked and used in the largest denial of service attack to date against internet providers.
Aaronson acknowledged that solar panels and other distributed energy resources pose a paradox to security. "There is some resilience that can be brought from distributed resources but it broadens the attack surface and largely these are consumer grade electronic devices that do not have the same security standards," he said.
Thus, Aaronson said security needs to be "baked in, not bolted onto" those consumer devices, such as digital thermostats. He said utilities and operators also need to see what is being produced by distributed energy resources, and have "assurance" that the information they are receiving back has not been altered.
Rep. Fred Upton, R-Mich., who chairs the energy subcommittee, said in a news release that the subcommittee is focused this Congress on structural, economic and technological factors hindering the development of the nation's electricity system.
"We must continue to build a record about electric sector efforts to address cybersecurity threats," said Upton. "Moving forward, we will identify whether additional measures are necessary."
The hearing was also held a day after the release of the third update of the National Association of Regulatory Utility Commissioners' cybersecurity manual.
NARUC President Robert Powelson said in a news release that the primer is meant to be used as a "practical guide" for state regulators engaging with regulated industries. The manual includes the most recent guidelines and tools for improving security and covers a broad range of topics from supply chain issues to managing insider threats.