Power Grids and Points of Vulnerability: Keeping the Lights on Amid Cybersecurity Concerns

Although that new smart refrigerator might seem like a fun gadget and great way to sync up grocery lists, smart appliances have the potential to become vectors in malicious power grid attacks. Or what about the increasingly popular addition of a solar plus storage solution or an EV charging station in individual homes? These home energy hubs, connected to the power grid and often linked with a host of devices via a mobile phone, pose another layer of risk that is only beginning to be explored. As the World Economic Forum draws attention to a worldwide “cyber pandemic,” electrical grid breaches remain an ongoing point of alarm. Power grids are more exposed than ever to cyberattacks, thanks in part to the vast expansion of (often poorly secured) consumer internet-connected devices, large remote-work networks and new smart grid technologies that connect power meters remotely to aging grid infrastructure. As we look to the future, the rapidly evolving technologies that are necessary to enable distributed energy resources and virtual power plants, such as residential energy storage, home energy hubs and EV bidirectional charging (V2H, V2G or V2X), have the potential to dramatically redefine those risks—for the better or the worse.

The United States, along with many other countries, is grappling with how to protect sprawling, interconnected networks of private and public energy generating resources from cyber threats. The complex system includes 200,000 miles of transmission lines, 55,000 substations and 5.5 million miles of distribution lines. Any of these essential elements could be the aim of a cyberattack, as could any number of personal smart devices or grid-connected distributed energy resources in homes across the country. Consider just a few of the high-profile electric grid attacks that have made headlines in recent years:

  • During the winter of 2015, hackers working for the Russian government knocked out Ukraine’s power grid, switching off lights and warmth to more than 200,000 Ukrainians. Just a year later, they did it again—this time taking out about a fifth of the power consumption in Kyiv for an hour. The second attack demonstrated an alarming new level of capabilities that some experts say could be employed on any electric transmission site in the world.
  • In another hit to Ukraine, in 2017 attackers used malware stolen from the U.S. National Security Agency to freeze computers in hospitals, grocery stores and even radiation-monitoring systems at the old Chernobyl nuclear plant. The complex attacks inflicted collateral damage to the tune of $10 million worldwide, including at major corporations such as Rosneft, a Russian state-owned energy company.
  • As recently as April of 2022, using the same malware from the 2016 attack, Russian hackers came close to another massive electric grid takedown in Ukraine that would have left two million people in the dark. Though they were thwarted, intelligence officials then said that in its ongoing conflict with Ukraine, Russia would be ramping up its cyber offenses for the spring of 2023.
  • At around the same time, it was disclosed that about a dozen U.S. power and energy stations were targeted in a similar attempt, with Russian cybercriminals believed to be at the helm of the operation. The malware was blocked, but it still exists and is designed to target almost any major infrastructure system.
  • In 2017 another group, whose origins are unknown, penetrated computer networks at a nuclear power plant in Kansas by placing malicious links on websites frequented by employees, as well as by placing malware within highly convincing résumé attachments. Attackers specifically targeted senior engineers with access to control systems. Although the FBI and Department of Homeland Security reported that no operations systems were breached, the attack highlights the susceptibility of sensitive energy hubs to online threats.
  • A widespread outage in Mumbai in 2020 is also believed to be the result of malware, which was uncovered at a load dispatch center. It took two hours for authorities to restore power to essential services, and some affected areas were offline for 12 hours.
  • In another attack, in 2019, hackers cut power in South Africa’s largest city, Johannesburg, with a virus that targeted the city’s primary electric provider, first attacking its databases and eventually turning off the electricity.

These past cyber breaches indicate that future break-ins involving the power grid are not far-fetched, especially as more and more unsecured devices connect to the grid. Although the U.S. energy grid now operates in a digital environment with components that are internet-accessible, most plants were never designed with high-tech security in mind. Additionally, hackers are becoming increasingly sophisticated with the help of AI technology.

While none of this is necessarily news to the executives helming the companies in charge of crucial grids and networks, that does not mean the threat has been fully addressed. In a 2022 cybersecurity preparedness survey of more than 150 corporate executives of organizations (with a minimum annual revenue of $500 million), 40% of respondents in the energy, mining and utilities sector admitted to not currently having a dedicated in-house team with full-time responsibility for cyber incident response. Perhaps not surprisingly, while the vast majority of TMT (86%) and financial services executives (80%) were confident in their existing cybersecurity capabilities, only 34% of energy, mining and utilities respondents felt the same.

Jon Wellinghoff, former chairman of the Federal Energy Reserve Commission (FERC), told The New York Times that “we never anticipated that our critical infrastructure control systems would be facing advanced levels of malware.” In another much-reported interview with 60 Minutes, he also revealed that a FERC report “found the U.S. could suffer a coast-to-coast blackout if saboteurs knocked out just nine substations.” The stakes are high when it comes to girding electricity grids against cyberattacks. To grasp the potential consequences of widespread power failure, we need only look at a few major outages:

  • Most recently, Pakistan suffered a nationwide blackout in January 2023 that left nearly 220 million people without electricity. Though the outage was attributed to a technical failure rather than a cyberattack, the results paint a picture of how one grid malfunction can have a cascading effect in a system of interconnected energy. Locals faced crippling disruptions. Hospitals were thrown into chaos as they lost power, and some people went without water, as water pumps relied on electricity to run.
  • In Texas, a 2021 surprise winter storm knocked out most of the state’s power for as long as three days in some areas. The power loss led to the deaths of almost 250 Texans, many to hypothermia, and others to carbon monoxide poisoning as they tried to stay warm with portable generators. Texas is unique, as it has its own power grid independent of other states (and federal regulations), meaning that it was unable to borrow power from other states when the entire system failed, raising questions around the security risks of a fully independent power grid.
  • When Hurricane Sandy struck in 2012, a staggering 8.1 million homes and businesses throughout the Northeast U.S. lost power after a transformer explosion at a Manhattan substation. It took weeks (and many millions of dollars) to fully restore power, with citizens scrambling to keep food fresh without refrigeration, and to find safe drinking water. The storm was a wakeup call about the need for failsafe power grids.

To state the obvious—the modern world is not well-equipped to survive without electricity. A cyberattack on the power grid could be catastrophic—for regions and also for entire nations. Losing power is also bad business, as restoring a broken grid is costly, and regions can take major economic hits when commerce is forced to a halt.

The biggest threats come in the form of political adversaries and cybercriminals hoping for ransom money. The United States and others can benefit from modernizing aging infrastructure in order to avoid “cascading failures” seen in places like Pakistan. Multiple federal agencies are now scrambling to determine how they can impose regulations or requirements on energy companies.

Leaders are beginning to heed warnings about fortifying power grids against hackers. President Biden issued an executive order to modernize and expand cybersecurity for the U.S. power grid. The Department of Energy (DOE) also launched a $45 million initiative to boost cybersecurity for the electric grid, and the IoT Cybersecurity Improvement Act of 2020 established minimum security standards for federal government devices. Most recently, FERC approved a new cybersecurity standard to address supply-chain risks within the electric system, and the DOE partnered with members of the EV industry to ensure cybersecurity issues are addressed. The U.S. Government Accountability Office has called for even further action, asking the DOE to conduct a full assessment of cybersecurity risks to the grid followed by a coordinated response with the Department of Homeland Security, state and industry partners. As countries continue to move toward better oversight of these cybersecurity needs, additional legislation is sure to come. A joint effort will be needed to get the energy sector’s security measures up to snuff, but many across the industry are working to make it happen.

All industry players, from a startup developing a novel technology solution to enable V2G interconnection, to a developer installing commercial solar that may form part of a virtual power plant, to a conventional energy company looking to redefine its position in the energy transition, to utilities and transmission companies of all sizes, should evaluate the cybersecurity risks of our increasingly interconnected, internet-enabled power grid. A key tool in understanding and mitigating those risks will be conducting a risk assessment—protected by attorney-client and self-review privileges—that takes into account the latest legal developments and available countermeasures. As part of that assessment, companies and their internal legal, compliance and IT teams should develop an understanding of the applicable cybersecurity regulatory framework and design a cybersecurity governance framework in light of those requirements. Regular audits of those risks and governance frameworks are also recommended in light of the rapidly evolving technology and regulatory frameworks. Finally, if a cybersecurity breach does occur, bringing together data protection, privacy, regulatory, white collar and litigation expertise in a unified crisis management team will be critical.
