Center for a New American Security

Security of the nation’s electrical system from cyber attacks has received much attention as of late, but a recent event reminds us of the vulnerabilities in physical security. Last weekend, a security officer at Watts Bar nuclear power plant in eastern Tennessee exchanged gunfire with a man attempting to break into the facility.  When confronted, the man opened fire on the officer, and a gunfight ensued. The officer was not harmed, and the gunman fled the area after the exchange.

The FBI, Nuclear Regulatory Commission and local authorities are investigating the incident. The gunman remains at large.

While little information is known about the suspect, this incident demonstrates the physical security challenges posed by our electricity system. Nuclear facilities, of course, are particularly high profile targets that require a level of physical security far greater than that of other power plants. Nuclear facilities are required to have extensive security plans, and the response at the Watts Bar plant proved effective. But this event should serve as a reminder of the physical vulnerability of the U.S. electricity system writ large. The threat of a concentrated, coordinated attack is troubling and should not be ignored.

Reliance on centralized power plants and an outdated grid makes the electricity system vulnerable to terrorist attacks. A coordinated physical attack on several power plants and/or the grid itself could cause extensive and sustained power outages, which would have dire effects. According to Scott Pugh at the Department of Homeland Security, an attacker who understood vulnerabilities in the grid could use a “hunting rifle from a couple hundred yards away” to take out six key substations and “black out most of the U.S. east of the Mississippi.” And a more sophisticated attack, such as an electromagnetic pulse, could shut down large parts of U.S. electricity infrastructure for months. Food distribution, telecommunications, banking, heating/cooling systems, medical and safety infrastructure and security institutions (such as DoD installations) are all dependent on the grid and would struggle to function. Such an event would cause tremendous economic disruption and widespread chaos. Imagine the impacts of Hurricane Sandy, which caused over 8 million homes to lose power and necessitated 57,000 additional utility workers to restore it, but magnified many times over due to the targeted nature of an attack.

Yesterday President Obama delivered his Fiscal Year (FY) 2013 budget request to Congress. We’ll spend the next few days digging through the relevant agencies to highlight some of the requests related to programs that touch on our natural security work.

I thought we’d kick off the week by looking at cyber security, given that it is an issue that touches on our energy work, specifically with respect to smart and micro grid technologies. We have been quiet on the cyber security front in recent months, but our interest has not abated. Nor has the Obama administration’s, which will continue pushing cyber security spending in the president’s FY 2013 budget.

Let’s begin with the Department of Defense (DOD). Like last year, DOD announced that one of its strategic goals is to reduce its vulnerability with respect to the electric grid. According to the DOD overview, the department strives to “Protect critical DoD infrastructure and partner with other critical infrastructure owners in government and the private sector to increase mission assurance.” To accomplish this, the department has set a priority goal that “By September 30, 2013, the DoD will attain a passing score on a comprehensive cybersecurity inspection that assesses compliance with technical, operational, and physical security standards, on an overwhelming majority of inspected military cyberspace organizations resulting in improved hardening and cyber defense.” Meeting this goal would presumably reduce DOD’s vulnerability to the electric grid, which has been a particular concern for defense experts in recent years.

DOD’s budget includes a ton of funding for cyber security broadly, which may include electric grid-related activities. The White House Office of Science and Technology Policy provides an overview with a little more nuance about how that DOD funding may break down with respect to cyber security and energy efficiency programs, like smart and micro grid technologies: “The 2013 Budget sustains DOD’s basic research (“6.1”) with a record commitment of $2.1 billion for research in high-priority areas such as cybersecurity, robotics, advanced learning, information access, cleaner and more efficient energy, and biodefense.”

This morning, The Washington Post ran a headline that seemed all too familiar: “As the sun awakens, the power grid stands vulnerable.” Indeed, the sun’s increased solar activity has been a concern for scientists and power industry experts who recognize that vulnerability. “Since February, our star has been spitting out flares and plasma like an angry dragon,” The Washington Post reported. And if a large solar flare headed our way, it “could knock some of the North American power grid offline.”

The consequences could be pretty severe, affecting everything from communications satellites to oil pipelines. According to the Post:

Communications satellites will be knocked offline. Financial transactions, timed and transmitted via those satellite, will fail, causing millions or billions in losses. The GPS system will go wonky. Astronauts on the space station will huddle in a shielded module, as they have done three times in the past decade due to “space weather,” the scientific term for all of the sun’s freaky activity. Flights between North America and Asia, over the North Pole, will have to be rerouted, as they were in April during a weak solar storm at a cost to the airlines of $100,000 a flight. And oil pipelines, particularly in Alaska and Canada, will suffer corrosion as they, like power lines, conduct electricity from the solar storm.

“But the biggest impact will be on the modern marvel known as the power grid,” the report cautioned.

You will recall that several months ago Christine wrote a post for the blog during our Final Frontier (Space) Week asking the question: “Will the Sun Take Down the Electric Grid?” Here’s what she found.

For my final note to Smart Grid Cyber Security Week, I wanted to draw your attention to "Night Dragon," a cyber attack on energy companies which a pal brought to my attention a few weeks back. According to this TechWorld article:

"Chinese hackers working regular business hours shifts stole sensitive intellectual property from energy companies for as long as four years using relatively unsophisticated intrusion methods in an operation dubbed "Night Dragon," according to a new report from security vendor McAfee.

The oil, gas and petrochemical companies targeted were hit with technical attacks on their public-facing Web sites, said Greg Day , director of security strategy. The hackers also used persuasive social-engineering techniques to get key executives in Kazakhstan, Taiwan, Greece, and the U.S. to divulge information."

The article describes the method of attack and why McAfee experts trace it to China. It also highlights many of the common challenges that ensuring grid cyber security will entail, such as unknown attribution of attacks and lags in detection. This piece offers a concrete public example of the issues we've been touching on all week.

Sleep tight, energy companies!

At a White House Energy Security Summit on Tuesday the Departments of Defense and Energy reaffirmed their commitment to the joint memorandum of understanding they signed in July 2010. As Deputy Secretary of Defense William J. Lynn III explained it on Tuesday:

“The key to this partnership is focusing DOE’s unique knowledge on meeting defense requirements. By taking technology from labs to the battlefield, the Department of Energy can once again [use] its scientific ingenuity in service of our nation’s most important mission- our national security. Innovative energy technology can increase the operational effectiveness of our forces.”

Towards this end, the MOU has led to creation of some innovative programs such as the Smart Power Infrastructure Demonstration for Energy Reliability and Security, or SPIDERS for short. The SPIDERS program deploys smart microgrids to military bases and installations in order to improve energy efficiency by using advanced meters and integrating different energy sources. During his remarks on Tuesday, Deputy Secretary of Energy Daniel Poneman told the audience that while only three SPIDERS programs are currently underway, “These projects, one under each of the major services, will demonstrate smart, secure and reliable microgrids that can be replicated throughout the military.” Based on CNAS conversations with folks involved with this program, we suggest that Poneman is including cyber security in his "secure and reliable" definition. 

Those outside the military may also come to benefit from the DOD’s pursuit of smart grid and other energy technology. Indeed, the panelists at the White House on Tuesday regularly touched upon the subject of commercializing the technological innovations made through efforts to reduce DOD’s energy consumption. DOD’s size, funding and warfighting needs - and cyber security needs - make it an attractive place to accelerate the development of new energy technology. Recognizing this, the department has undertaken initiatives like the Installation Energy Test Bed program which seeks to centralize technological innovation efforts to a greater extent, as well as harness the size and scale of DOD’s operations to test promising new technologies.   

For these reasons, DOD has notable influence in setting the standards that others in the industry may come to adopt. This makes it troubling that the panel did not devote greater attention to the threat cyber attacks pose to smart grid technology. As Will noted in his post yesterday, one of the central challenges in getting the industry to take cybersecurity into account when developing new technology is the government’s inability to enforce the standards it sets. In this sense, then, placing a high premium on cyber security for the technology DOD purchases makes sense not only for protecting the effectiveness of our military, but also for contributing to a better standard for technology used for civilian purposes. In order to realize these gains, DOD must remain vigilant in giving due weight to new technologies vulnerability to cyberattacks when making procurement choices.

You can watch the video of the White House Energy Security Summit on the White House’s website here.

Building on our Smart Grid Cyber Security Week, I'd like to take you back in time a few months. For our "Final Frontier Week" on space issues & natural security, I posed the question that EMP geeks, sci-fi nerds and many security officials have been asking for decades but with increased frequency in the past few months: can/will the sun take out the grid? As I wrote:

Many are warning that we’ll see a major increase in electric system vulnerability to space weather events over the next few years as the sun enters a new solar maximum period. So I’ve dug through my archive of research on this topic to provide you with some good resources to look to as the media follows these events, especially as they pertain to energy.

It's not cyber security-related exactly, but solar activity has affected electric grid reliability in the past. Policymakers should consider this history in determining the scale of risks and responses. Read our full post from February here. It's possible that it contains a Douglas Adams reference...sometimes I can't help myself.

America’s critical civilian infrastructure – including its power, oil, and gas systems – is vulnerable. Today’s threat environment is vastly different from nearly a century ago when some of the existing infrastructure was being put in place, and yet the necessary improvements to meet the changing times have by and large been lacking. As a consequence, according to one industry expert who spoke with CNAS during an off-the-record meeting, the electric sector today is where the IT sector was in the 1980s. So perhaps it is not surprising that our brittle power grid and related systems are exploitable and ill-prepared for cyberattacks. But many power companies are doubling down on that vulnerability with smart grid technology, according to a recent report from CSIS and McAfee. Power utilities “are implementing ‘smart grid’ technologies that give their IT systems more control over the delivery of power to individual consumers – or even to individual appliances in customers’ homes.”

Investment in smart grid technology has been, in part, an investment in our energy security future. Indeed, the promise that smart grid technology can help us better manage electrical loads so that energy production and consumption are managed more efficiently (e.g., by ensuring that if a community’s energy demand at one time is 20 Gigawatts (GW), the local power utility is only producing 20 GW so that excess electricity is not lost), and allow power generated from alternative energy sources such as biomass, wind and solar to be put into the grid with power from conventional sources (i.e., fossil fuels) are just some of the many areas ripe for better managing the nation’s energy resources.

We’re making this smart grid cyber security week on the blog – a topic we’ve been dabbling in for the past year or so. Our own exploration has primarily taken the form of research and discussions with DOD officials, though the need to scope our work has prevented us from doing an entire project focused on this topic to date.  

Part of the reason we’ve never made this a subject of a full-fledged research effort is that we could never really get our arms around what was happening. What’s the status of deploying a tolerably secure smart grid? Does the government (and in particular DOD) need a major course correction? Is there a need for think tank-style policy analysis? We couldn’t really answer these questions clearly enough to develop a full project.

A few factors drove this difficulty. For years, DOD-focused discussion could be characterized as many heads of hair on fire. We saw tons of arm-waving, sky-is-falling near-hysteria within different parts of the Department of Defense on the cyber vulnerabilities of smart grid technology. We’ve spoken to a range of people at bases and Combatant Commands about this issue, and received a very broad range of different perspectives on the nature of the threat.  Perhaps most important, we consistently spoke to DOD folks who were working energy security issues who had little to no contact with those working this issue in other federal agencies.