Cybersecurity and the Electric Grid


Guest Blogger: Darren Highfill, Founder & Managing Partner, @UtiliSec


When was the last time you replaced your computer? How about your mobile phone?

Imagine yourself today, with a desktop computer from 2003 sitting in front of you. You've managed to dust it off and clean it up enough that it actually starts up and runs pretty reliably.

Now your mission is to move money from one of your online bank accounts or retirement accounts to another - maybe at a different bank or fund - all using this machine from 2003.

Think you could do it? Would you want to?

What if the computer was actually from 1993?

Surprising as it is, these are the kinds of things we ask our utilities to do every day. We ask them to keep our electric rates down, keep the lights on, and sometimes get pretty unhappy when they don't do both. But how does this translate into asking them to use a computer from 1993?

Utilities are regulated monopolies. This means that we give them a guarantee of no territorial competition (so we don't have even more wires all over everywhere) and allow them a consistent and moderate return on investment.

However, this also means we now have no choice but to go to the utilities for electric power. So to keep them from gouging us for all we are worth, we have regulators oversee what the utilities do, and approve what they can and cannot charge us.

If our utility wants to buy a new computer, we ask the utility (through our regulators) to demonstrate how they are going to select the least expensive one to meet minimal needs, and milk every last penny out of it so that we are not just padding someone else's pockets.

The result is that highly specialized utility field equipment - the equipment in the substations and on the poletops carrying electricity to our houses - must last many years (usually decades) before we are willing to fund its replacement. These are environmentally hardened computers, capable of withstanding wind, rain, snow, heat, and lightning - all with processors and communications - that the utility puts in service and may not touch for 20 or 30 years or more.

More challenging yet, our cybersecurity threats do not stand still. We continually learn about new tricks that adversaries have learned and are applying against us. We continually see new viruses and malware show up in the most concerning of places. Now imagine if you had to design a computer that had to last 20 years in that fight. Outdoors. On top of a pole.

We are living in an ever-more connected world. Every day, processors and communications are put to work in more places than before. People are constantly figuring out new ways to use these systems, for better and for worse. We are not reversing this trend any time soon.

The point at which these processors and communications hit reality is the realm of cyber-physical systems. These are electronics that don't just control a computer game or a Facebook page - they control a stoplight, or an air-conditioning unit, or a power plant.

It's been called the "Internet of Things," and of these things, the electric grid is the biggest and most complicated machine we have ever built. Our modern society depends on it - increasingly so with every day. Think about how things stop - how society stops, when we have a blackout… when we don't have electricity.

Regardless of who runs it or how much we are willing to pay for it, we are going to need bright minds that know how the grid is built to operate it, maintain it, keep it in safe hands, and probably build more of it.

Building it securely is not something we can take lightly. It is the backbone of modern society, and it is built using equipment from today, yesterday, and several years ago. It is part of our Critical Infrastructure.

If we want it to be there for us tomorrow, we also need cybersecurity.

Darren Highfill is the Founder and Managing Partner of UtiliSec, a consultancy focused on the cybersecurity and resiliency requirements of electric power delivery systems – and specifically, field deployed utility systems. Visit the UtiliSec blog for more information.