Enable breadcrumbs token at /includes/pageheader.html.twig

Warfare and Weather Have the Power To Paralyze the Grid

A combination of cyber attacks and extreme weather could be devastating.

A Civil Engineer Squadron electrical power production journeyman inserts a metal wire into an encasing for a ground automobile retractable barrier net, at Dover Air Force Base, Delaware. Credit: Senior Airman Marco A. Gomez, U.S. Air Force

Power is among the most coveted targets of cyber warfare. A well-executed attack may cripple a country and its ability to fight. Planners and businesspeople are stepping up their technological game to thwart intrusions. Still, the risks multiply.

Major power generation facilities attract attention as potential targets, but such attacks are unusual. And many are turning their attention toward distribution vulnerabilities, where the system is only as strong as its weakest link, and extreme weather could change an otherwise inconsequential attack into a massive disaster.

“You’re going to see a strong increase in what government concerns itself with as the baseline standards across the board,” said Matt Hayden, vice president of cyber client engagement at General Dynamics Information Technology.

The increased demands on physical power infrastructure posed by extreme weather create additional vulnerabilities.

“Climate change is expected to have far-reaching effects on the electricity grid that could cost billions and could affect every aspect of the grid from generation, transmission, and distribution to demand for electricity,” said a Government Accountability Office (GAO) report.

In a separate publication, the GAO described how changes in weather intensity compound these risks, especially in power transmission. “Hurricanes pose significant threats to the electricity grid in some U.S. coastal areas and territories and are a leading cause of major power outages,” said the 2021 report.

This physical risk can be mitigated by taking several steps, one of which is negotiating legal contracts. “Better contracts with folks to come and repair damage—that helps you recover faster,” said Frank Rusco, director of GAO’s Natural Resources and Environment team.

While extreme weather can incapacitate parts of the grid, thereby reducing power supply, it also creates more demand for heating, cooling and other countermeasures to secure food supplies and necessities. This pushes demand at a time when supply could be limited because lines may be out.

Another dimension of regulating temperatures is not only about keeping people comfortable.

“The air conditioning system, the cooling system, that maintains the proper temperature for data centers, for example, it’s very, very critical if these systems get too hot,” said Richard Scalco, senior cyber staff engineer at the Naval Information Warfare Center (NIWC) Atlantic.

Businesses, law enforcement and the military need data centers to operate. A cunning attack targeting their cooling systems could be enough to complicate operations across an array of activities seeking to mitigate damage.

Among nonphysical dangers are potential attacks that come not from nature, but from adversaries.

“Critical infrastructure faces three main risks: cyber, supply chain and physical,” explained Ken Masica, senior systems engineer and research principal investigator at the Lawrence Livermore National Laboratory. Masica specializes in critical infrastructure and lobbies academia to ensure future practitioners will be equipped with the right tools as early as possible.

In terms of cyber attacks on critical power infrastructure, isolating access is the first step in placing limits. In case an adversary succeeds in an intrusion, “assume breach at a certain level to where you make sure an adversary doesn’t get to jump all over your network if they get through one door,” Hayden said.

Some experts agree that the term “zero trust” is losing its relevance, and new ideas are surfacing to step up security beyond this paradigm.

And not all devices have been created equal. Some can accommodate safety using more complex engineering, and others are designed for limited functionality. “All these systems are called operational technologies, OT, is a term versus IT—information technology—which is the everyday internet and computers,” Scalco told SIGNAL Media in an interview.

OT is where cyber touches the physical world, Scalco explained: valves, controls and other devices that now perform functions that mainly were done manually in the past.

When producing a service, every step in OT gains relevance. “A potential supply chain attack vector would be an adversary that can penetrate the embedded system firmware development and build process that then makes its way to the asset owners as firmware updates and into the infrastructure devices and systems they manage,” Masica said.

Similar application software attacks occurred in the build process that reached customers before they were detected. Ideally, the firmware development environment is secured and adequately traced to ensure integrity throughout the development, build and testing process, according to Masica.

“Particular focus should be on integrity—checking and verification at the product and system assembly point where firmware is downloaded into the target—embedded microprocessors or microcontrollers that provide the control and intelligent operation of the device or system.” Masica explained that supply chain injection attacks could potentially create points of vulnerability within critical systems such as the energy transmission and distribution infrastructure but defensible development approaches could help address the issue.

These risks also could be mitigated by looking at the problem from a different perspective.

“Special tools have to be adapted; for instance, actively scanning an operational technology device with a tool that does vulnerability detection. Instead of actively scanning that device, you would have to look at the traffic on the wire passively,” explained Hank Osborne, senior science and technology manager, Cybersecurity, Test & Evaluation at the NIWC Atlantic.

Given the limitations of many OT devices, Osborne said it is key to observe the data traffic to understand if there could be a compromised mechanism.

And the worst possible scenario is a combination of extreme weather and an attack that keeps power down for prolonged periods, compounding its consequences and creating a major disaster that overwhelms responders and maximizes casualties.

In late 2022, a historic blizzard hit Buffalo, New York, leaving dozens dead. If an adversary had used this opportunity to further disrupt power and other critical services, the situation could have been worse.

But as threats can be combined, so can countermeasures.

“The trend that we’re starting to see—specifically around physical security applications—is really driving operational efficiency. What I mean by that is this duality of multiple sensors playing a role in not only the physical security assessment detection arena, but also in driving operational efficiency for operations IT safety,” said Steven Sinclair, director, Utilities Vertical Market at Convergint Technologies, in an interview with SIGNAL Media.

Monitoring includes assessing cyber attacks as well as potential physical impairments and even hostile individuals.

“The government views cyber risk and ways that we can start to build mitigations that two years from now they’re going to need, so it’s really looking at the landscape of cyber operations and building in that risk tolerance of the government,” said Hayden, a former assistant secretary of homeland security for cyber, infrastructure, risk and resilience.

The patchwork of companies operating in this field means that some systems may have been built when breaches were rare and the current system safety philosophies were not in place. For those, there may be remedies that do not require a company to rebuild its whole system.

“For legacy devices, they’re starting to see frameworks that are zero-trust for non-zero-trust devices, and that is really where we’re seeing a great jump in confidence in that security because before you had to put it in a separate box,” Hayden said.

Another possible limitation when a part of the grid is compromised is being able to isolate portions of it and maintain those areas while the disruption is corrected. This would be “the ability to island from the grid and operate in parallel with the grid, and you can choose your mode of operation for emergency or for security purposes,” said Jim Plourde, federal business director at Siemens Smart Infrastructure.

And breaking down the grid into smaller areas has another benefit: increased environmental friendliness.
“In order to hit the goals of decarbonization, lowering greenhouse gas—or gas emissions—and raising resilience of federal installations, there has to be some sort of on-site generation or local generation, so you’re not just relying on the utility,” Plourde added.

The Australian army is developing the concept of microgrids for use in the field, thus completely separating the power supply for operations from civilian networks.

“The Deployable Adaptive Smart Grid project funded by the Defence Innovation Hub seeks to develop a deployable electrical power microgrid system, by using new energy management algorithms and adapting existing commercially available electrical monitoring and distribution technology,” said an Australian Government Department of Defence spokesperson.

“The project is exploring the feasibility of a deployable micro-grid for electrical power distribution that may potentially improve electricity supply resilience, by minimizing disruptions to the energy network and reducing the consumption of diesel fuel,” added the institution in an email to SIGNAL Media.

You’re going to see a strong increase in what government concerns itself with as the baseline standards across the board.

Matt Hayden

Vice President of Cyber Client Engagement, General Dynamics Information Technology

Engineers train at Fort Belvoir, Virginia. Credit: Patrick Bloodgood, U.S. Army photo

As stakeholders continue acting, new trends emerge, some in technology, others at a human level.

New tools are being deployed in the digital networks that guard these systems. “I think we’re going to see a lot of AI [artificial intelligence], a lot more AI, a lot more machine learning,” Sinclair said.

Another trend includes devices that will do what people cannot.

“We’re seeing robotics come into play from autonomous drones and field-level type robotics where they’re using these things,” Sinclair offered.

At a human level, the future of the grid starts with education.

“The concepts and principles of resilience engineering need to evolve to the point where they are included in current system and infrastructure design, incorporated into industry products and solutions used to create defensible and adaptable systems, and also integrated into the educational curriculum to build the skill set of the next generation of systems engineers,” Masica said. Many share concern for the security culture among those who drive every day to a facility and perform their duties. The locations “are only as safe as someone who uses the exact same password for everything—for their favorite Spotify account being the same password they use to get into their work account,” Hayden warned.

“If I’m a very large agency that has hundreds of thousands of employees, I can’t tell them all to have a 12-character password,” Hayden said. To mitigate risks without forcing people through too many safety hoops, criteria like location, or other login routines could serve to lower risk thresholds. Still, the zero-trust principle should also be applied despite validating the user who logs in, much like in other critical activities in the military or government.

Another cultural change is in the corporate world, where breaches have become almost a daily occurrence, “[businesspeople] actually cracked open playbooks and started writing response strategies,” Hayden said.

And a healthy power network also decreases the risks if well managed. As lower energy consumption levels will lead to burning fewer fossil fuels, it will also lead to a greener future—and hopefully more predictable weather.

“I think everything really stems back to the overarching government mandate that they’re trying to reach for greenhouse gas reduction, and it’s 60%-65% operations emissions reduction by 2030, and then 50% in building emissions reduction by 2032,” said Brandy Henson, head of federal government business at Siemens Smart Infrastructure.

The emerging logic behind increased security goes hand in hand with making power generation, transportation and consumption more efficient and environmentally friendly. This may very well be one of the few areas where defense advocates and green activists march in lockstep.