The Hawaiian Model

Utilities are worried about getting hacked, and they’re right to worry. After all, the risks seem to be greater with every passing moment. Last year, Russian hackers carried out a ransomware attack on the Colonial Pipeline. Since then, Russia’s invasion of Ukraine has further deteriorated America’s relations with the Kremlin. What’s more, if reports are right, Russia tried to take down several Ukrainian substations through a cyber attack. The attempt was fended off, but such attacks are obviously part of their arsenal.

Complicating matters for North American utilities is the fact that modernization efforts that dovetail with carbon-cutting initiatives have made our grid all the more vulnerable, albeit smarter.

The predicament so many utilities have found themselves in isn’t completely without precedent. Hawaii set out on an ambitious modernization and renewable plan early last decade, which forced the Hawaii Electric Company (HEC) to contend with extra security concerns. What’s more, HEC’s vulnerability was compounded by the fact that the archipelago can’t share power with any neighbor and that the islands are home to big military bases. The perfect target. 

Given all the parallels, I thought it would be useful to revisit a post I made about HEC’s cyber security strategies back in 2018. I’ve added a couple of thoughts on what proactive utilities can do now in 2022 beneath the re-post.

“Upon catching wind of this month’s cyber-security themed hot topic, my mind immediately jumped to Hawaii. The 50th state has been much talked about in utility circles ever since it first made waves through the industry as an early adopter of solar power at the beginning of this decade.

Of course, as often happens with new technologies, there have been growing pains. The islands’ traditional grids weren’t prepared for the extra energy production brought on by so many solar units, and unlike on the mainland where different utilities are connected, the Hawaii Electric Company (HEC) had no neighbor they could offload excess power to. By 2013, HEC, the state’s largest utility, had put in place a solar waiting list to curb the burgeoning renewable’s implementation. Two years later, in 2015, the state ended net metering, causing significant turbulence within the young industry. 

Yet despite the initial setbacks, HEC has never doubted that solar is central to the archipelago's future energy infrastructure. Last year, it began an ambitious six-year plan to accommodate renewable energies. If it goes as planned, the five islands served by the utility will boast a renewable portfolio standard of 48 percent by 2020 and 100 percent by 2045.

As should be expected, HEC’s updated grids will feature a number of new intelligent technologies: advanced inverters, smart meters, a slew of sensors, etc. And while such tools offer many benefits, they also bring on a whole new set of security concerns.

To find out more about those new risks, and how HEC was preparing, I reached out to Bryan Tepper, the utility’s CISO and Information Assurance Manager.  

Early into our conversation, Bryan drew my attention to the case of the “Jeep Hack”. For those who don’t know, in 2015, a pair of computer security researchers made headlines when they demonstrated how they could remotely control a 2014 Grand Cherokee through the SUV’s infotainment system. It was a huge embarrassment for Chrysler, leading them to recall 1.4 million vehicles.

Although electricity and cars are two very different products, the risks exposed by the Jeep hackers are analogous to those now facing HEC and other forward-thinking energy providers.

As Bryan put it, “the more advanced the system, the larger the attack surface becomes.” 

Advanced metering, for example, is a central tenet of HEC’s modernization initiative. The newest generation of smart meters allows customers to take control of their energy consumption, raises reliability, enhances safety monitoring, and greatly facilitates demand response programs through increased data exchange. However, each unit contains the customer’s confidential information, making it a target for cyber criminals and sinister foreign actors.

HEC protects the meters by emphasizing segmentation and credentials, common themes throughout their cyber-security efforts. First of all, each customer must go through a multi-factor authentication mechanism and provide specific credentials to access their meter. Second, the meters are kept on a separate system from other components, so that if a hacker somehow finds a way around those obstacles, the breach wouldn’t compromise the whole grid.

In addition to the usual set of risks associated with a smart grid, Bryan pointed out that Hawaii’s large military presence and geographic isolation, which prevents it from leaning on neighboring utilities during outages, both make it an attractive target for malicious agents. 

He and his team seek to mitigate Hawaii’s unique vulnerabilities by building strong partnerships with public and private organizations alike. He highlighted their close collaboration with the U.S. Department of Energy and praised the agency’s new Cyber Security Risk Sharing Program (CRISP). 

Asked how he predicts cyber-security in the industry will evolve over the next five years, he reiterated the importance of cooperation, stating: “Moving forward, I see even more collaboration between companies and more collaboration among groups.”

The job of security gurus like Bryan will only become more important as utilities continue to renovate their grids with ever-more advanced communicative technologies. To make sure innovation in grid efficiency doesn’t outpace advances in cyber-safety, it’s important that leaders in the field remain proactive and work together.”

Most of Bryan’s insights are truer than ever in 2022. The only thing I’d add is that cyber security collaboration between the government and private utilities has come a long way in the past four years. The Joint Cyber Defense Collaborative (JCDC), which was put together last year by CISA, provides a 24/7 feed of threat information compiled from key industrial sectors and the FBI, DHS, NSA and the Energy and Treasury departments. If a utility isn’t taking advantage of the JCDC’s product, they’re doing themselves a disservice.