The civilized world is bracing for an almost-inevitable cyber terrorism attack. Many analysts expect disruption of online banking, energy, and healthcare to become a pillar of warfare and terrorism. FBI director James Comey voiced these concerns at a Congressional hearing in 2013, saying, "There are no safe neighborhoods. All of us are neighbors online."
But if an attack significant enough to disrupt normal life happens, it will likely hit a utility plant. According to a survey released last October by the Pew Research Center,nearly two-thirds of technology experts expect a major cyber attack somewhere in the world that will cause significant loss of life or property in the tens of billions of dollars by 2025.
Cyber Vulnerabilities Across the Grid
As plants add digital networks to increase efficiency, they are also opening the door to potential cyber attacks. "There are vulnerabilities at the plant level and the grid level, down to the substations. The problem with cyber security, is the more we modernize the plant, the more it becomes vulnerable," Darren Hammell, chief strategy officer and co-founder of Princeton Power Systems told Design News. "More technology means greater numbers of ways the plant can be attacked."
For the sophisticated attacker, the goal may involve simply changing the settings of networked devices. "There are control vulnerabilities," said Hammell. "A sensor can be programmed to go out of range, and that can produce a cascading effect. You can cause the plant to go out of balance."
MORE FROM DESIGN NEWS: Cyber Attacks Fuel Security Innovations
It has often been remarked that a wrench thrown at an electrical substation could do as much damage as a cyber attack. After all, the substation is only protected by a chain link fence. Hammell concedes a substation could be damaged by an analog attack, but it wouldn't have the same scale. "Some substations are pathetically protected. They're located away from population centers and protected only by a wire-link fence. You could easily do a physical attack, and a properly tossed wrench could do a lot of damage," said Hammell. "But it's easier to scale a cyber attack across different locations in different regions. That's going to do a lot more damage."
When it comes to protection, nuclear plants are the top dog of fortification. That is, fortified against offline attacks. "Nuclear plants are better protected, but there are ways to penetrate them with cyber attacks," said Hammell. "The ability for a cyber attack to scale and do a lot of damage quickly is frightening."
Surviving an Attack
Even while the FBI and the Department of Defense are wringing their hands about major cyber attacks, the energy industry is not breaking a sweat. "Cyber security is not talked about a whole lot at power plants, even though it's talked about by the Department of Defense," said Hammell. Power plants have been more worried about weather, which is understandable, since weather is a common problem on the grid. "We think about weather events, from building substations on better platforms, to building better walls and barriers," said Hammell. "That's more of a focus than cyber attacks."
MORE FROM DESIGN NEWS: Not Even Air-Gapped Computers Are Secure
Weather is also the challenge that prompts recovery plans. Yet recovery plans from rough weather can be deployed to recover from a digital attack. "Coming out of hurricane Sandy, we talked about resilience, about hardening assets so they don't go down under an attack or under a weather effect," said Hammell. "We use battery systems and solar arrays. We have to invest money in the grid anyway, and that investment is going into resilience."
Hammell believes a cyber attack on a power plant would come as a great shock to the population, even if the idea of an attack has become common knowledge. "We are so used to getting very cheap and reliable energy that we really take it for granted. Nobody thinks about electricity until it's not there," said Hammell. "For the first day without electricity, your cell phone is important. After that, it's about heat and about hospitals."
MORE FROM DESIGN NEWS: 2014: A Monumental Year for Cyber Attacks
Recent attacks on corporations such as Sony and Anthem get a lot of attention, but the attacks have not done the level of damage that could come from an attack on an energy facility. "The data centers at Sony have new equipment that can be repaired or replaced easily, but a lot of the equipment at power plants was installed in the 1950s," said Hammell. "We have to deal with assets that have been out there a while. It could be hard to recover from damage. It could take months."
Rob Spiegel has covered automation and control for 15 years, 12 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years he was owner and publisher of the food magazine, Chile Pepper