Michigan utility commissioners have issued an order to try and ensure that utilities there are doing their utmost to prevent hacks. Like a lot of regulators, they fear that a cyber invasion could shut down the grid there and cost their state millions of dollars in lost commerce. The move is a harbinger of things to come.
Cyber invasions can take many forms. But the end result is that anyone with bad intensions — whether they be a nerdy kid or a foreign government — can wreak havoc on utilities. Because electricity is the lifeblood of an economy, such nefarious actions could devastate businesses, both big and small.
The renewed emphasis on cyber security is coming at a time when all all utilities and especially U.S. nuclear energy companies are informing regulators how they are safeguarding their “critical digital assets.” Nuclear power plants are enviable targets, says Booz Allen, a global consultancy; government statistics show that attempted cyber attacks against them are up at least 40 percent in recent years.
Outsiders are infiltrating those computer systems through unsuspecting workers, says David Cronin, principal of power generation for Booz Allen, in an earlier talk with this writer. Malware and spyware, for instance, are invading control systems when employees download infected items and when they connect corrupted mobil devices to the company’s network. The best line of defense, says Cronin, is to install firewalls, apply patches and to always perform upgrades. Still, hackers are always seeking new voids and oftentimes, companies are too busy with other security concerns.
Generally speaking, it is estimated that a single brownout can cost as much as $10 billion, which comes in the form direct losses as well as forsaken opportunities, according to the Federal Energy Regulatory Commission. Lloyds of London projected even more dire damages, or as much as $1 trillion, according to Utility Dive.
The electrical transmission network serves more than 300 million people and it is comprised of 200,000 miles of wires, says a congressional study. It is valued at more than $1 trillion — assets that are primarily owned and operated by private entities and ones that are interwoven into the fabric of the entire American economy.
“It is of paramount concern to the (Michigan Public Service Commission) that utilities and other energy providers protect their gas and electric systems, customers and the public at large from a cybersecurity attack,” says Sally Talberg, chairwoman of the Michigan Public Service Commission, in a statement issued on November 22. “With natural gas and electric utilities facing cybersecurity threats and attempted intrusions into computer systems on an almost daily basis it is a question of when — not whether — an attack will occur.”
As for the Michigan commission, an Associated Press story says that utilities there are hit daily. This is something that has been backed up by consultants with whom this reporter has spoken, all of whom have emphasized that the attacks can be both and big and small. In the case of Michigan, the AP story says that utilities there will have to provide regulators an overview of their cyber security efforts — and the level of resources that they are putting into defense.
A key point to note is the lack of specificity. This is not intended to deflate the efforts; rather, it is intended to ensure that corporate methodologies are kept secret and that would-be invaders don’t have access to the tools that corporations are using to protect themselves. Understandably, companies do not want to publicize their internal weaknesses, or more precisely, just how invaders are gaining entry to their information systems.
Therein is a key issue: should the standards by which Michigan is intending to enforce become mandatory or should they remain largely voluntary and flexible? As for utilities, they have said protecting their assets is in their own interest and that they do not need mandatory rules to give them any added motivation. Ditto for just about every corporation.
The persistent threats prompted Congress to act and in December 2015, President Obama signed into the law the Cyber Security Information Sharing Act that makes it easier — and voluntary — for companies to share their sensitive information with the government, while preventing the identifiable data from getting into the wrong hands. It all comes in the wake of attacks on Target and and Home Depot, where customers had their financial info stolen.
The United States has awoken to old-school terroristic assaults. But cyber attacks are insidiously infecting critical infrastructure assets both here and abroad. It’s a problem that all sides agree is pervasive and never-ending. The state of Michigan wants to establish some basic rules to help fend off attacks. It’s a “solution” that other states are bound to follow as well.