Experts Warn of Security Risks in Grid Modernization
Grid-Enhancing Technologies Are the Future, But Come With Security ConsiderationsThe U.S. electric grid has been strained to a near-breaking point as record demand stresses aging infrastructure. The federal government is banking on new technologies that squeeze out transmission efficiencies to meet the needs of an electricity-driven economy. The bad news is that superimposing onto the grid dynamic routing technology, which is dependent on real-time data, inevitably amps up cyber risk.
The Biden administration is pouring money into Grid Enhancing Technologies or GETs - a family of recently developed tools that optimize existing infrastructure and ensure a more secure and reliable power supply while improving efficiency and resilience against climate change. The White House also announced a federal-state modern grid deployment initiative that aims to further incorporate proven, commercially available solutions such as GETs into the grid while rapidly deploying at-scale technologies to boost capacity and performance.
The downside is that GETs introduce potential vulnerabilities and entry points for cyberattacks. As the grid increasingly relies on advanced digital systems and increased interconnectivity, experts warn that the implementation of new technologies must come with robust security measures to protect against major cyberthreats.
"These technologies increase the attack surface of the grid," Tom Kellermann, senior vice president of cyber strategy for the application security software platform Contrast Security, told Information Security Media Group. "Segmentation, two-factor authentication, least privilege and runtime security are imperatives for the safety of the grid."
What are Grid Enhancing Technologies?
Some of the most common GETs are sensors, automated switches and communication networks designed to enhance the grid's real-time monitoring capabilities. Advanced control systems can reroute electricity to avoid disruptions and optimize operations based on data collected by sensors monitoring grid conditions. These grid automation and control systems rely on advanced metering infrastructure to provide comprehensive information on electricity usage patterns.
Data management systems and smart meters record and maintain detailed energy usage data, which can then be remotely transmitted to utilities for detecting outages, gaining insights and billing.
GETs can also include distributed energy resources such as solar panels, wind turbines, small-scale natural gas generators and energy storage systems. These resources can be integrated into the grid to provide additional capacity during peak demand or during disruptive outages. Distributed energy resources are typically connected to the grid through smart inverters and networks that enable remote control capabilities.
Researchers investigated vulnerabilities associated with modernizing grids in a 2023 report that reveals how hackers can target smart meters to create an oscillation in electricity demand and destabilize parts of the grid. Researchers used a grid simulator to assess how manipulating the level of electricity that flows back and forth after hacking a smart meter can create a load oscillation attack that compromises transmission.
"New technologies have been introduced to make our aging electricity infrastructure more efficient and more reliable," Eduardo Cotilla-Sanchez, associate professor of electrical engineering and computer science at Oregon State University and the lead researcher behind the report, said about advanced metering infrastructure components such as smart meters. "The bad news is: The upgrades also introduce new dimensions for attacking the power grid."
A government watchdog report published in 2022 says the Department of Energy's grid security plans "do not fully incorporate the key characteristics of an effective national strategy" to ensure its security and resilience against emerging threats. The Government Accountability Office report identified several points of vulnerability across the grid exacerbated "in part because their operational technology increasingly allows remote access and connections to business networks."
The report urges the Federal Energy Regulatory Commission to better regulate the national transmission of electricity by developing a full assessment of cybersecurity risks to the grid and ensuring its standards are fully implemented across all components. GAO previously found in 2021 that the federal government "does not have a good understanding of the scale of the potential impacts from attacks" facing distribution systems, which are generally not subject to FERC's standards.
Risk Assessments: Time-Consuming, But Critical
Experts recommend requiring comprehensive security assessments on all GETs and modern grid components. They say malicious actors and foreign adversaries already possess unauthorized access to many critical infrastructure sectors.
The Cybersecurity and Infrastructure Security Agency has steadily released a series of alerts in recent months warning of a Chinese state-sponsored hacking group known as Volt Typhoon. The group is aiming to pre-position itself using "living off the land" techniques on information technology networks "for disruptive or destructive cyber activity against U.S. critical infrastructure in the event of a major crisis or conflict with the United States," according to CISA.
"The Volt Typhoon alerts have said the quiet part out loud," said Padraic O'Reilly, chief innovation officer for the risk management platform CyberSaint Security. "The [threat] is in the networks, so new infrastructure must not allow for lateral movement on OT assets."
Biden's federal-state grid modernization plan emphasizes the need to "speed up adoption and deployment" of GETs. It says that "grid modernization can be encumbered by legacy policies" that hinder innovation and delay necessary updates. But experts warn that speeding up project development without reassessing security measures and improving regulations could have unintended consequences of increased cyber risk.
"The expedited process will undermine the cybersecurity preparedness of the grid," Kellermann said. "Given the increase in destructive cyberattacks being launched by rogue nation-states, cybersecurity assessments must be performed prior to projects going live."
The White House grid modernization initiative does not include any specific commitments to address the cybersecurity challenges associated with GETs. The Department of Energy did not respond to requests for comment.