Utilities Under Attack
image credit: Photo 18145057 © Olivier Le Queinec | Dreamstime.com
- Sep 24, 2020 12:01 am GMTSep 23, 2020 11:21 pm GMT
- 1149 views
The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) leads the DOE’s emergency preparedness and response to disruptions to the energy sector, from physical attacks, cyber-attacks, natural disasters, and man-made events. This year it seems utilities will suffer from... all of the above. Multiple hurricanes and tropical storms are causing flooding, downed power lines and power outages across some 500 miles off the Gulf Coast, from Texas to New Orleans. Five storms have already hit the Gulf and there are more to come. Utilities are responding to wildfires in California, Oregon and Washington states, issuing warnings and preemptively cutting power to customers in high-risk areas. As crews rush out to restore power in impacted areas, they must protect themselves from joining the rising number of confirmed COVID cases across the country. Last but not least, the U.S. utility sector records millions of attempted cyber intrusions a day.
All things considered, how are utilities preparing for and responding to various physical and cyber-attacks, natural disasters and man-made events? Very carefully. Operational guidelines for assessing and mitigating COVID were drafted by the Electricity Subsector Coordinating Council (ESCC) to ensure grid reliability, security and safety. The ESCC is the principal liaison between the federal government and the electric power industry on efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure.
Their guidelines for personnel require that (1) COVID-19 testing is available and streamlined for essential personnel who work in shift environments, i.e., control center personnel; (2) relief from certain regulatory obligations is obtained to ensure the continued availability of control room operators; (3) travel restrictions for the general public exclude personnel essential to the reliable operation of control centers; and (4) supplies for cleaning/hygiene are readily available. Tiered escalation plans and sequestration is also addressed in the resource guide.
Regarding operations a workflow and biohazard assessment chart were created. Utilities must decide (1) whether to increase/suspend/reduce operations at key accounts and how it will impact load balancing, (2) what enhanced facility management needs will be required to make the environment safe, (3) what type of PPE should be provided to crews operating in areas with high numbers of infections, (4) what support can they provide and how quickly can they share information with the mutual assistance networks. Reliance upon one another will be crucial moving forward.
"The electricity sector is one of the most important, critical infrastructure systems that our contemporary society relies on for its normal operation. The ever-increasing dependency on this system demands it to be secure and resilient against cyberattacks," said Sajal Bhatia, assistant professor of cybersecurity and director of cybersecurity programs at SHU's School of Computer Science & Engineering within the Jack Welch College of Business & Technology. Electricity is imperative to hospitals, clean water, food and agriculture, communications, transportation, financial services, manufacturing and commerce and emergency services. Unfortunately, a large number of people, for one reason or another, are currently in a state of emergency. The threat to the nation’s infrastructure continues to grow at an alarming rate. Duke Energy, one of the largest power companies in the nation, with 7.6 million customers, reported more than 650 million attempted cyberattacks in 2017 alone. Eddie Habibi, founder and CEO of PAS, a cybersecurity firm for energy and power industries, stated plainly, “If you want to shut down the infrastructure of a country, you shut down the grid…” He also alerted utilities to the part they can play in protecting themselves. In any given day, you can find at least 1,000 cybersecurity violations at a power plant, including opening scam emails, using unsecured USB drives, and sharing passwords with co-workers. Beyond employee training, a growing number of cybersecurity firms are offering their services to better prepare utiilties against attack. Who’s the best candidate for the job? Sacred Heart just received a grant to help utilities answer that very question. Sacred Heart will use the $25K grant to critically analyze 10-20 security vendors and their products related to DDoS attack protection and act as a liaison bridging state of the art DDoS detection and prevention solutions to the best practices for US electricity utilities.
Jim Cunningham, executive director of Protect Our Power, said, ”The electric grid is only as secure as its weakest link, so helping utility companies confidently pick appropriate products from reliable vendors is critical to the overall security and integrity of the grid.”
How is your utility preparing personnel, securing operations and responding to the onslaught of emergencies and events?