'Black Sky' Threat Looms Over Grid, Businesses

David Maxwell, former director of the Arkansas Department of Emergency Management, says preparation will be essential to recovering from a major infrastructure crisis like a cyberattack on the electrical grid. (Kerry Prichard)

David Maxwell is afraid of the dark.

The former Arkansas emergency management chief and Homeland Security adviser lies awake fearing a long and widespread failure of the electric power grid, something he and his fellow experts call a “black sky event.”

Maxwell, an adviser to the nonprofit Electric Infrastructure Security Council in Washington since retiring as director of the Arkansas Department of Emergency Management in 2016, frets that foreign adversaries are already roaming systems controlling the U.S. grid.

“This goes to the survival of the nation,” he said.

So he’s warning that a crippling cyberattack on power could bring a cascade of system failures across society — from communications to water systems to food and fuel distribution.

Individuals and companies, he insists, must plan for the worst.

Natural threats like storms, earthquakes, floods and wildfires have loomed over the grid for years, but one major cyberattack could knock out a region’s or even a nation’s electricity for a month or more, wreaking havoc on millions.

“It looks like certain countries are already in our system and could cause problems any time they really want,” Maxwell said, referring to Russian hackers who, according to the Trump administration, compromised utility control rooms and used “malware and spear phishing to gain remote access into energy sector networks.”

“I think they may be taking a tactical approach,” Maxwell said, suggesting the hackers are biding their time. “Russia was in the country of Georgia’s system and was able to take down its power system before they invaded [in 2008]. So a decision to strike could be timed.”

Refining Defenses
Meanwhile, electric utilities and nonprofit transmission organizations, including the two with major headquarters in Little Rock, Southwest Power Pool and the Midcontinent Independent System Operator, are refining their cyberdefenses daily. Businesses outside the energy sector are playing defense as well, and Maxwell says companies that act now can limit the damage and recover more swiftly after any power grid attack.

Scholars at the University of Arkansas’ cybersecurity center in Fayetteville have also identified tools that can assess and thwart attacks, but no defense will ever be foolproof against an ever-mutating threat.

“Major companies in all sectors are attacked, every minute of every day,” said Mark Bowman, former cyber director of the Pentagon’s joint staff and another Electric Infrastructure Security Council adviser. Even Robert Mueller III, in his days as FBI director, offered a warning: “There are two types of companies, those that have been hacked and those that will be.”

Maxwell, a 38-year emergency management veteran who became ADEM director in 2006, urges all businesses to invest time and money planning for a long-term failure crippling the grid on a regional scale or larger. Cyberattacks, electromagnetic pulses or even coordinated physical assaults on grid components could devastate commerce and disrupt society at large, he worries.

“We’re becoming more resilient slowly, but if you look at the probability of large portions of the grid going down at some point, you have to look at the resilience of other systems that would be without electricity,” Maxwell said. “Water and wastewater treatment facilities may have systems backed up by generators, but how long would their fuel last? If power is out for long enough, fuel production slows, and you don’t have transportation to get it where it needs to go. Everything just cascades.”

To be safer, businesses must also look beyond their own defenses. A company’s vendors or partners that share data or linked systems could themselves be compromised, and a trusted connection to them becomes a path into the company’s own systems.

“Some sectors are better protected than others, but the key is where do they have a trust relationship?” Bowman said in an EISC presentation. “Who are they connected to, and is that person as well defended and protected? Most of the intrusions that I’ve seen are due to some user practicing poor network hygiene.”

That risk underlines the need for employee training, which can reduce the threat by closing back doors into systems left open by careless or duped workers. Maxwell also says having an emergency business continuity plan is essential.

Small businesses are particularly ripe for failure after a disaster, he said. “That’s often because they didn’t plan.”

Employers need options for meeting the basic needs of workers and their families in any extended crisis, Maxwell suggested. “If you need good work from the employees, they can’t be worried about food and water for their families. That’s one lesson we can take from the government shutdown.”

Getting to know government officials who’ll be making decisions on resources after a grid catastrophe is another good strategy for businesses, Maxwell suggested. That might not move a company up on the priority list, “but you will at least understand how decisions are made, where you can help and the plans you need to make for yourself.”

Other tips are available on EISC’s website, EISCouncil.org.

Best Defenses Unspoken
Transmission organizations and utilities are constantly refining their defenses as hackers refine their attacks, but energy organizations are understandably vague about details, careful not to tip their hand.

Spokesman Mark A. Brown said Midcontinent Independent System Operator, the nonprofit overseer of high-voltage lines carrying power destined for 42 million Americans, “does not publicly discuss details of our cybersecurity measures.”

Derek Wingfield of Southwest Power Pool, the grid and wholesale energy market manager for another swath of the central U.S., said loose lips might “expose vulnerabilities or invite increased attacks.”

But in a statement, SPP said it has identified potential cybersecurity breaches as one of its top corporate risks, and it is committed to keeping its “cybersecurity posture well beyond federally mandated standards.” The broad goal? “To bring coordinated oversight and a thoughtful approach to managing this ever-changing threat,” and to partner with local, state and federal authorities to heighten infrastructure security.

Entergy Arkansas, the state’s largest electric utility, serving some 700,000 homes and businesses, said in an email that “the best security is the security where specific measures are not discussed publicly.” But Chief Security Officer Christopher Peters said Entergy applies the cybersecurity framework from the National Institute of Standards and Technology (NIST). “The company has an integrated cybersecurity program designed to protect our business and operational networks as well as sensitive information, from intentional or unintentional cyber, physical or human threats.”


To offer a glimpse at the tools the electric sector was loath to discuss, electrical engineering professor Alan Mantooth worked with two colleagues, Jia Di and Qinghua Li of the UA’s cybersecurity center in Fayetteville.

“Tools and third-party services can identify security vulnerabilities,” Mantooth said, incorporating his colleagues’ points. One priority is for grid operators to share threat information confidentially and build common defenses.

“One defense approach is patching vulnerable hardware/software systems” seen at risk. “But this requires the vendors to provide the patch and the utility to deploy it in the field over potentially thousands of instances of equipment,” Mantooth said. This takes time and coordination because, “after all, their primary job is to keep the power flowing. They don’t get to reboot the system as a whole like a stubborn cellphone or computer.”

Another tactic is to “cyber-harden” grid devices that are often connected through intranet systems with “some access to the outside world through the internet.” These devices, Mantooth said, “will need to be equipped with hardware and software mechanisms to detect, isolate, mitigate and report the attacks.” Other ideas include firewalls and intrusion prevention systems layered between utility networks and outside systems, an effective tool against known threats.
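The layered boundary Mantooth describes, as an added example that is not from the article or from the UA researchers: a small Python audit that reads constructed connection records from a firewall sitting between an OT intranet and the outside world, applies an assumed egress allowlist, and reports the grid devices that should be isolated and investigated. The address ranges, allowlist entries and key=value log format are all assumptions chosen for illustration, not anything a utility on this page uses.

```python
"""Egress-policy audit for an OT zone boundary (illustrative, added example).

Assumptions (not from the article): the OT intranet is 10.20.0.0/16, the
only approved outbound destinations are a vendor patch mirror and a
historian in the corporate DMZ, and the boundary firewall logs one
connection per line as 'src=... dst=... dport=... action=allow|deny'.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed OT intranet range (private addressing chosen for the example).
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")

# Assumed egress allowlist: (destination address, TCP port).
ALLOWED_EGRESS = {
    (ipaddress.ip_address("203.0.113.10"), 443),  # vendor patch mirror (documentation range)
    (ipaddress.ip_address("10.30.0.5"), 502),     # historian in the DMZ, Modbus/TCP
}

# Assumed key=value log format written by the boundary firewall.
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+action=(allow|deny)")


@dataclass
class AuditResult:
    parsed: int = 0          # well-formed records
    malformed: int = 0       # lines that did not match the expected format
    intra_zone: int = 0      # OT-to-OT traffic, left to the intranet's own controls
    inbound_denied: int = 0  # outside-to-OT attempts the firewall already blocked
    violations: list = field(default_factory=list)  # (src, dst, dport) needing action


def parse_line(line):
    """Return (src, dst, dport, action) or None for a line that cannot be parsed."""
    m = LOG_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(2))
    except ValueError:
        return None
    return src, dst, int(m.group(3)), m.group(4)


def audit(lines):
    """Classify each record; anything that crosses the OT boundary off-policy is a violation."""
    result = AuditResult()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            result.malformed += 1
            continue
        result.parsed += 1
        src, dst, dport, action = rec
        src_ot, dst_ot = src in OT_ZONE, dst in OT_ZONE
        if src_ot and dst_ot:
            result.intra_zone += 1
        elif dst_ot:
            # Inbound from outside: fine if the firewall dropped it, a violation if it let it through.
            if action == "deny":
                result.inbound_denied += 1
            else:
                result.violations.append((str(src), str(dst), dport))
        elif src_ot and action == "allow" and (dst, dport) not in ALLOWED_EGRESS:
            # Outbound from a grid device to a destination/port that is not approved.
            result.violations.append((str(src), str(dst), dport))
    return result


def devices_to_isolate(result):
    """OT hosts that reached unapproved destinations: candidates for quarantine and a closer look."""
    return sorted({src for src, _, _ in result.violations
                   if ipaddress.ip_address(src) in OT_ZONE})


# Constructed sample log for the example; these are not real firewall records.
SAMPLE_LOG = """\
src=10.20.1.7 dst=203.0.113.10 dport=443 action=allow
src=10.20.1.7 dst=198.51.100.23 dport=443 action=allow
src=10.20.1.9 dst=10.30.0.5 dport=502 action=allow
src=10.20.1.9 dst=10.30.0.5 dport=22 action=allow
src=192.0.2.44 dst=10.20.1.7 dport=502 action=deny
src=10.20.1.12 dst=10.20.1.13 dport=20000 action=allow
this line is not a connection record
""".splitlines()


if __name__ == "__main__":
    r = audit(SAMPLE_LOG)
    print(f"parsed={r.parsed} malformed={r.malformed} intra_zone={r.intra_zone} "
          f"inbound_denied={r.inbound_denied}")
    for src, dst, dport in r.violations:
        print(f"VIOLATION {src} -> {dst}:{dport}")
    print("isolate:", devices_to_isolate(r))
```

Run on the constructed sample, the audit accepts the patch-mirror and historian sessions, ignores the intra-zone DNP3 traffic, counts the blocked inbound probe, and flags two devices: one that reached an unapproved external address and one that opened SSH to the historian instead of the approved Modbus port. In practice the allowlist would be generated from the asset inventory, and the isolate list would feed a ticket or an automated quarantine rule rather than a print statement.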

Maxwell, the former emergency management chief, said utilities have steadily hardened defenses, “so that’s a good thing.” But at some point, he said, “regulators and rate-setters need to look at how much of the resiliency costs should be built into rate structures.”

In other words, your electric bill may eventually go up, as part of the cost of keeping your power safe from hackers.