Bolstering Power Grid Cybersecurity in an Era of Hybrid Threats

Soon after Russia invaded Ukraine in February 2022, Russian government-affiliated hackers orchestrated cyberattacks that targeted Ukraine’s electrical grid and energy infrastructure.  In early March of last year, one cyberattack successfully disabled a high-voltage transmission station near Kyiv, resulting in a power outage in the capital. Later that month, another cyberattack targeted three regional electric power dispatch centers in Ukraine, disrupting communication between substations and control centers and leading to further power outages.

In April of last year, hackers employed malware to specifically target the customer service centers of several Ukrainian power companies, resulting in the theft of sensitive data and laying the groundwork for later disruptive attacks. And throughout the spring of 2022, multiple distributed denial-of-service attacks were launched against websites associated with the Ukrainian energy sector, causing significant disruptions to operations. Once again, Russia was highly suspected to be behind these attacks.

COMMENTARY

Also in April 2022, hackers targeted European energy companies to support Russia’s war aims, highlighting potential threats to the U.S. electrical grid. These acts emphasize the vital role of the energy sector in national security and the necessity for strong cybersecurity. As a look at Ukraine makes clear, the energy sector provides essential services that all aspects of society and the economy depend on. Without electricity, modern life grinds to a halt.

The Colonial Pipeline cybersecurity hack in 2021 underscored the vulnerabilities of critical infrastructure systems to sophisticated cyber-attacks. Although the primary impact was on fuel distribution, causing widespread shortages and panic buying on the East Coast, the incident also highlighted potential threats to the electrical grid. A pipeline, like many other essential infrastructure systems, relies on interconnected digital systems for its operation. If similar cyber vulnerabilities exist in the electrical grid—which is even more complex and interconnected — then potential cascading failures could result in widespread blackouts and severe economic consequences. The Colonial hack served as a stark reminder of the need to bolster the cybersecurity measures of all vital infrastructure, including the electrical grid, to prevent disruptions that could have catastrophic implications for daily life and national security.

The U.S. energy sector faces an array of constantly evolving cyber threats from various actors: nation-states like Russia, China, Iran, and North Korea that aim to penetrate networks for espionage and prepare for potential disruptive attacks; cyber criminals seeking financial gain by stealing data or deploying ransomware; hacktivists looking to cause operational disruptions for political reasons; and insiders who may intentionally or accidentally enable network access.

Major cyber incidents targeting operational technology and industrial control systems can lead to the theft of sensitive data, financial losses, a disruption of energy delivery, and even potential physical impacts. The convergence of information technology (IT) and operational technology (OT) networks has increased exposure.

Enhanced cybersecurity guidelines for energy firms emphasize the necessity of continuous risk evaluations on both IT and OT platforms, pinpointing paramount assets and potential weak points. It is imperative that enterprises adopt a multitiered security approach, encompassing firewalls, intrusion detection mechanisms, robust encryption protocols, and multi-factor authentication. Integral to the security framework are vigilant network monitoring and strategic segmentation.

It is equally important that organizations craft comprehensive incident response strategies, which should be integrated with business continuity blueprints. Regularly testing these plans, maintaining fortified backups, and ensuring system redundancy are critical for ensuring operational resilience in the face of cyber threats. Equally vital is the commitment to nurturing a security-centric culture through consistent employee training and heightened cybersecurity awareness.

Interconnected power grids create unique cybersecurity challenges. Attackers can target small, often more vulnerable operators and still cause cascading failures that impact entire grids, for the simple reason that grid stability depends on maintaining precise power frequencies. If an attacker compromises systems controlling a significant amount of power generation or load, the attack can disrupt grid frequency. This can overload and disable components across interconnected networks, leading to widespread blackouts.

Smaller operators often have fewer resources to harden their industrial control systems compared to major utilities. And they may have limited staff for monitoring, detection, and response. This makes them attractive targets. Attackers may also target behind-the-meter distributed energy resources like rooftop solar, battery storage, and smart buildings. By hacking many smaller systems in unison, bad actors can impact grid frequency without infiltrating utility networks.

This means that cyber defenses have to be strengthened across all grid participants—not just at large utility companies. Comprehensive solutions that boost security for smaller operators, distributed energy providers, and residential customers are essential. Building true resilience requires protecting all the diverse public, private, and household entities that interconnect to form collective power networks.

The government contributes to energy sector cybersecurity through various agencies and initiatives. For instance, the Dept. of Energy (DOE) serves as the designated Sector-Specific Agency responsible for coordinating cybersecurity programs and guidance. The DOE works closely with industry groups on technology development, information sharing, standards, training, and more.

The Dept. of Homeland Security (DHS) provides threat intelligence to asset owners and operators in addition to conducting cybersecurity assessments of critical infrastructure entities. DHS shares cyber best practices and mitigation recommendations. And the National Institute of Standards and Technology (NIST) develops widely adopted voluntary cybersecurity frameworks that define controls and maturity models. NIST also engages in collaborative R&D to address cyber grid challenges.

As for the bulk electric system, the North American Electric Reliability Corporation (NERC) crafts mandatory cybersecurity reliability standards in that arena.

These regulations and frameworks aim to establish effective cybersecurity baselines across the energy sector. However, diligent voluntary action by companies themselves remains essential given the limited legal authority of government over privately held critical infrastructure such as pipelines and generators. Asset owners across the energy ecosystem must vigilantly monitor their systems, communicate risks, and coordinate responses across interconnections. Government counterparts need to provide timely and relevant support.

Ukraine’s experience reveals that in an era of hybrid warfare, adversaries may target electricity infrastructure to gain geopolitical advantage. The energy sector must take this lesson to heart as it partners with government agencies to adapt protections and plan responses against emerging threats targeting America’s indispensable energy grids.

—Andy Lee is a partner in Jones Walker’s Litigation Practice Group and a member of the corporate compliance group. He maintains an active national appellate and trial practice focused on business and commercial disputes. Andy founded and serves as head of the firm’s privacy and data security team and holds the CIPP/US designation from the International Association of Privacy.