Cybersecurity of the Power Grid: A growing challenge

A cyber attack on the electricity grid happened in Ukraine – could it happen here too? Valentyn Ogirenko/Reuters

Manimaran Govindarasu, Iowa State University and Adam Hahn, Washington State University

Called the “largest interconnected machine,” the U.S. electricity grid is a complex digital and physical system crucial to life and commerce in this country. Today, it is made up of more than 7,000 power plants, 55,000 substations, 160,000 miles of high-voltage transmission lines and millions of miles of low-voltage distribution lines. This web of generators, substations and power lines is organized into three major interconnections, operated by 66 balancing authorities and 3,000 different utilities. That’s a lot of power, and many possible vulnerabilities.

The grid has been vulnerable physically for decades. Today, we are just beginning to understand the seriousness of an emerging threat to the grid’s cybersecurity. As the grid has become more dependent on computers and data-sharing, it has become more responsive to changes in power demand and better at integrating new sources of energy. But its computerized control could be abused by attackers who get into the systems.

Until 2015, the threat was hypothetical. But now we know cyberattacks can penetrate electricity grid control networks, shutting down power to large numbers of people. It happened in Ukraine in 2015 and again in 2016, and it could happen here in the U.S., too.

As researchers of grid security, we know the grid has long been designed to withstand random problems, such as equipment failures and trees falling on lines, as well as naturally occurring extreme events including storms and hurricanes. But as a new document from the National Institute of Standards and Technology suggests, we are just beginning to determine how best to protect it against cyberattacks.

Understanding the Ukraine attacks

On Dec. 23, 2015, a cyberattack penetrated electricity distribution control centers in Ukraine using software vulnerabilities, stolen credentials and sophisticated malware. The attackers were able to open dozens of circuit breakers and shut off power to more than 200,000 customers for several hours.

A year later, the country’s electricity transmission facilities were attacked. That attack also cut off electricity service, though to a much smaller geographic area, and for only about an hour. In both cases, it is widely reported that hackers aligned with the Russian government were responsible.

How can we prevent this sort of attack in the U.S.?

Protecting the American electricity grid from cyberattacks is challenging not just because it is made up of so many physical and computerized elements connecting nearly every building in the country. It’s difficult because the grid has to continue to operate in real time, making adjustments to ensure the right amount of electricity gets where it needs to go at every moment.

And it’s especially hard because the electricity industry is used to a slower pace of technological advance: While computer technologies like smartphones and servers are updated every two to three years, grid infrastructure typically must operate for over a decade.

Increasingly computerized: electricity transmission lines.

Over time, though, older traditional electricity meters have given way to digital smart meters. Similarly, power substations, which are crucial for converting electricity from high-voltage transmission lines to lower voltage for household use, are increasingly controlled via internet-enabled networks and software.

Security standards can help ensure utility companies keep their protection strong. The North American Electric Reliability Corporation, which oversees the grid in the U.S. and Canada, has rules, known as Critical Infrastructure Protection (CIP) compliance, for how electric companies must protect the power grid both physically and electronically. This includes monitoring the grid for attacks, as well as requiring safeguards such as multi-factor user authentication to keep unauthorized intruders from accessing control networks.

NERC also hosts regular tabletop simulation exercises, where electricity companies can practice defending against major attacks. The U.S. National Institute of Standards and Technology has its own recommendations, though they are not mandatory for utilities. A draft version of a new set of guidelines was just released, adding both urgency and detail for utility companies.

These standards, guidelines and exercises have significantly improved the security of the larger elements of the power system, such as power plants and high-voltage transmission networks. But they have done little to protect the low-voltage distribution networks that supply power directly to our homes and workplaces. Attacks on these low-voltage parts of the overall system cover less territory than intrusions at higher levels, but they can still cause large-scale power outages, like in Ukraine in 2015.

Defending the edges of the distribution system is much more complicated than protecting its center. Not only are there many more physical locations to safeguard, but there are also many more companies involved in operating them. Municipal governments and utility cooperatives, for example, are significant distributors of electricity, and yet have limited security requirements. In addition, they may not have the money or expertise to protect their systems against cyberattacks.

Joining forces

The grid depends on a number of key control systems and algorithms, each of which presents its own unique vulnerabilities. The growing scale of this problem requires techniques to manage and reduce the number of vulnerable points the grid has.

Research into grid security is moving away from investigating ways to better handle equipment failures and natural disasters, and toward creating a well-defended power grid for the future. One approach could be to add more redundancy – additional equipment that can fill in when an attack takes out a power plant or a transmission line. That is very expensive, though.

The other approach involves systematically analyzing the risks inherent in critical systems and methodically defending against each of them. Key elements of this approach involve developing techniques that can prevent attacks, detect and respond to them when they happen, and allow us to investigate what happened after an attack has ended. That will help us to improve protection for the future.

This approach will require the industry to ensure each new device it connects to the grid is protected, no matter how small or how big. We’ll also have to develop new systems that can detect anomalous grid communications and create more secure network architectures for critical grid control systems.

In addition, regulators will need to keep updating the rules governing the industry to raise minimum security standards over time. Schools and universities will need to teach people to be not only electricity experts but cybersecurity defenders. Our ability to flip a switch and turn on the lights depends on it.

The Conversation

Manimaran Govindarasu, Professor of Electrical and Computer Engineering, Iowa State University and Adam Hahn, Assistant Professor of Electrical Engineering and Computer Science, Washington State University

This article was originally published on The Conversation. Read the original article.



11 things every Snapchat Spectacles owner should know – CNET

Get the most out of your new sunglasses.

Now that Snapchat Spectacles can be purchased online — and you don’t have to chase down a vending machine — it’s a lot easier to get your hands on a pair of Specs. If you picked up a pair, know this: There’s a lot more to the sunglasses than you’d expect.

Here are 11 tips to help you get the most out of your fancy sunglasses.

Source: 11 things every Snapchat Spectacles owner should know – CNET

Eyes in the sky: Cutting NASA Earth observations would be a costly mistake

NASA Earth Science Division operating missions, including systems managed by NOAA and USGS. NASA Earth Observing System

David Titley, Pennsylvania State University

Donald Trump’s election is generating much speculation about how his administration may or may not reshape the federal government. On space issues, a senior Trump advisor, former Pennsylvania Rep. Bob Walker, has called for ending NASA earth science research, including work related to climate change. Walker contends that NASA’s proper role is deep-space research and exploration, not “politically correct environmental monitoring.”

This proposal has caused deep concern for many in the climate science community, including people who work directly for NASA and others who rely heavily on NASA-produced data for their research. Elections have consequences, and it is an executive branch prerogative to set priorities and propose budgets for federal agencies. However, President-elect Trump and his team should think very carefully before they recommend canceling or defunding any of NASA’s current Earth-observing missions.

We can measure the Earth as an entire system only from space. It’s not perfect – you often need to look through clouds and the atmosphere – but there is no substitute for monitoring the planet from pole to pole over land and water. These data are vital to maintaining our economy, ensuring our safety both at home and abroad, and quite literally being an “eye in the sky” that gives us early warning of changes to come. To paraphrase Milton Friedman, there’s no free lunch. If NASA is not funded to support these missions, additional dollars will need to flow into NOAA and other agencies to fill the gap.

NASA satellite data show the spread of hemlock decline, caused by an invasive insect called the hemlock woolly adelgid, near North Carolina’s Mount Mitchell in February 2016. Brown areas have less vegetation than normal for the time of year.
NASA Earth Observatory

Shared missions

The National Aeronautics and Space Act of 1958, which created NASA, explicitly listed “the expansion of human knowledge of phenomena in the atmosphere and space” as one of the new agency’s prime objectives. Other federal agencies have overlapping missions, which is normal, since there are few neatly defined stovepipes in the real world. The National Oceanic and Atmospheric Administration, which is part of the Department of Commerce, works to “understand and predict changes in climate, weather, oceans, and coasts.” And the U.S. Geological Survey, a bureau of the Interior Department, is charged with “characterizing and understanding complex Earth and biological systems.”

These primary earth science agencies have a pretty clear division of labor. NOAA and USGS fund and operate a constellation of weather- and land-observing satellites, while NASA develops, prototypes and flies higher-risk, cutting-edge science missions. When these technologies have been proven, and Congress funds them, NASA transfers them to the other two agencies.

For example, in the NOAA-NASA partnership to develop the next generation of operational weather-observing satellites, NASA took the lead in prototyping and reducing risk by building the Suomi NPP satellite. That satellite, now five years old, is improving our daily weather forecasts by sending terabytes of data every day to supercomputers at NOAA. Its images also help with tasks as diverse as navigating in the Arctic through the Northwest Passage and monitoring the tragic wildfires near Gatlinburg, Tennessee. The experience NASA gained by developing the new technologies is now incorporated into NOAA’s Joint Polar Satellite System, whose first launch is scheduled for next year.

In an image from the Suomi NPP satellite, Hurricanes Madeline and Lester, both hovering between Categories 3 and 4, bear down on Hawaii on Aug. 29, 2016.
NASA Earth Observatory

When I served as NOAA’s chief operating officer, I met regularly with my NASA counterpart to ensure that we were not duplicating efforts. Sometimes these relationships are even more complex. As oceanographer of the Navy, I worked with NOAA, NASA and the government of France to ensure joint funding and mission continuity for the JASON-3 ocean surface altimeter system. The JASON satellites measure the height of the ocean’s surface, track sea level rise and help the National Weather Service (which sits within NOAA) forecast tropical cyclones that threaten U.S. coastlines.

It is vital for these agencies to coordinate, but each plays an important individual role, and they all need funding. NOAA does not have enough resources to build and operate a number of NASA’s long-term space-based Earth observing missions. For its part, NASA focuses on new techniques and innovations, but is not funded to maintain legacy operational spacecraft while simultaneously pushing the envelope by developing new technologies.

The value of space observation

To many members of the earth science community, organizational issues between NASA and NOAA are secondary to the real problem: lack of sufficient and sustained funding. NASA and NOAA are working jointly to patch together a space-based Earth observing system, but do not receive sufficient resources to fully meet the mission.

An administration that truly wanted to improve this situation could do so by developing a comprehensive Earth observing strategy and asking Congress for enough money to execute it. That would include maintaining NASA’s annual Earth science budget at around US$2 billion and increasing NOAA’s annual satellite budget by $1-2 billion.

There’s a reason why space is called “the ultimate high ground” and our country spends billions of dollars each year on space-based assets to support our national intelligence community. In addition to national security, NASA missions contribute vital information to many other users, including emergency managers and the Federal Emergency Management Agency (FEMA), farmers, fishermen and the aviation industry.

While NASA’s Earth observation satellites support numerous research scientists in government labs and universities, they also provide constant real-time data on the state of space weather, the atmosphere and the oceans – information that is critical to U.S. Navy and Department of Defense operations worldwide.

Six years ago while I was serving as oceanographer of the Navy, I was asked to estimate how much more money the Navy would need to spend if we did not have our NASA and NOAA partners. The answer was, very conservatively, $2 billion per year just to maintain the capability that we had. That figure has almost certainly increased. If the Trump administration cuts NASA’s earth science funding, that capability will need to come from some other set of agencies. Has the new team thought seriously about which agencies should have their budgets increased to make up this gap?

Sea surface temperatures, October 2016, based on NASA satellite data. Sea surface temperatures affect weather, including hurricanes, and animal and plant life in the oceans.
NASA Earth Observations

Finally, a few thoughts about the elephant in the room: climate change. Mr. Walker has said that “we need good science to tell us what the reality is,” a statement virtually everyone would agree with. The way to have good science is to fund a sustained observation system and ensure the scientific community has free and full access to the data that these satellites produce.

Not funding observation systems, or restricting access to their data, will not change the facts on the ground. Ice will continue to melt, and our atmosphere and oceans will continue to warm. Such a policy would greatly increase risks to our economy, and even to many Americans’ lives. In the business world, this stance would be considered gross negligence. In government the stakes are even higher.


David Titley, Professor of Practice in Meteorology & Director Center for Solutions to Weather and Climate Risk, Adjunct Senior Fellow, Center for New American Security, Pennsylvania State University

This article was originally published on The Conversation. Read the original article.