Most Americans are familiar with the high profile hacking incidents of recent years—the public exposure of Sony Pictures’ private email, for instance, or the theft of credit card information belonging to 56 million Home Depot customers. But the damage from those breaches may pale in comparison to what cybersecurity experts believe is sure to come: a penetrating attack on the power grid.
Hacking into the industrial control systems of our electric infrastructure presents a huge national security risk. Disrupting or sabotaging our power supply would have catastrophic consequences for public safety and health. Yet the electric utility industry remains shockingly ill-prepared to combat the threat even as it insists it has taken adequate precautions. What's holding it back? Three things:
- A disconnect within individual companies among risk managers, IT, engineering and operations.
- The inability to keep pace with a sophisticated hacking culture.
- The industry's stance that it is already doing enough to comply with cybersecurity standards.
The 2013 hack into the controls of a small hydro-electric dam in Rye Brook, NY, by a rogue Iranian group should be a wake up call. So too should be the 2015 Ukrainian power utility attack, widely attributed to Russia. Both incidents demonstrated the capabilities of hostile adversaries and the tacit warning that similar damage can be done—perhaps at will—to U.S. utilities. These intrusions, plus 750 more identified and catalogued by Industrial Control System (ICS) cybersecurity experts, punctuate the need to move faster in light of the rapid changes to our digital world. With about 6.4 billion devices and control systems connected through the Internet of Things, and nearly 21 billion expected by 2020, the number of entry points of attack is multiplying daily.
Minimizing the risk is not just about training a network IT team. It’s about running a comprehensive and continuous scan of operational technology (OT)—the programmable logic controllers, the mobile devices, the supervisory control and data acquisition systems (SCADA), etc.—and then coordinating OT and IT teams with risk officers and crisis management experts to form a cohesive front capable of responding to an industrial cyber incident.
The idea that minimizing risk can be accomplished through IT alone as if it’s a corporate website is a misconception. See if you can identify other misconceptions about the industry with our true or false quiz.