Executive Order Shines a Light on Cyberattack Threat to the Power Grid

It aims to protect the U.S. bulk-power system, but local electricity networks are just as vulnerable

On 1 May, Donald Trump signed an executive order aimed at securing the U.S. bulk-power system, the backbone of our national electricity infrastructure. Bulk power comprises high-voltage transmission lines and generators delivering energy to large consumption centers. The order spotlights an important issue, but neither the order nor the issue has received the attention it deserves, due in part to the COVID-19 outbreak. The order highlights the U.S. power system’s extreme vulnerability to attacks by hackers, terrorists, state actors, and other malefactors, and it’s a bold and timely attempt to recognize and appropriately deal with these threats.

We know that terrorists and state-sponsored actors already have the capabilities to disrupt a country’s power supply. In 2015, a Russian group launched cyberattacks against the Ukrainian power system, causing temporary blackouts and leaving more than 200,000 people without electricity on a winter day for up to six hours. Similarly, Russians were suspected of cyberattacks on Estonia’s power system in 2019. There is little doubt that many other countries also have this capability, though nobody else has applied it—yet.

As a means of protecting the U.S. bulk-power system, the new executive order bans the purchase of equipment manufactured outside of the United States. The supply chain for the power infrastructure is multinational, and many components intended for transformers, circuit breakers, and substation equipment are produced outside of the United States. The imported hardware as well as software could potentially include back doors that would provide critical access to this equipment. If these back doors are triggered remotely, they could disrupt or even lead to the collapse of our national power system.

But the executive order doesn’t account for some major details. The bulk-power system, defined in the order as 69 kilovolts and above, already enjoys tight federal regulation, close oversight, and continuous monitoring. Local power-distribution systems, much of whose energy delivery is below 69 kilovolts, are another story.

This portion of the grid, which may be thought of as the “last mile” to millions of end users, delivers electricity to countless systems, appliances, and devices—including anything you might plug into a standard 110-volt outlet. Because these distribution networks are regulated locally by states and municipalities, and not by the federal government, they fly under the radar of the new executive order. But they are still just as vulnerable to attack.

This vulnerability is particularly pernicious because it allows for a cyberattack that could propagate from a local network to the bulk-power system. Such a hack could target a local power utility or end-user systems, including large numbers of high-wattage devices like dishwashers, HVAC systems, or electric vehicles (EVs). Research at New York University by Samrat Acharya, Ramesh Karri, and me has shown, for example, that large numbers of EVs can be compromised remotely over the Internet and then manipulated to overload power system equipment. Because this type of attack begins with end users, it may remain invisible to operators of bulk-power systems until equipment failure or major abnormalities occur.

The very real danger here is that these sub rosa attacks, while local, can affect the national bulk-power system in the same way that damming a number of tributaries can damage the major river into which the tributaries flow.

Even if an attack doesn’t propagate to the bulk-power system, local end-user attacks in major metropolitan areas could directly and immediately affect vast numbers of people. Consolidated Edison, the electric power utility in New York City, operates 69 distribution system substations supplying 60 billion kilowatt-hours of electricity yearly to more than 3.4 million customers of all socio-demographic groups. A local attack that brought down even part of ConEd’s distribution system could disrupt service to hundreds of thousands of people.

The human costs of power-supply disruptions can go far beyond inconvenience. People on dialysis machines or ventilators or those with heat-sensitive pre-existing conditions are considered “electricity-dependent,” because the consequences for them of even a brief power outage could be dire. The number of electricity-dependent individuals in the United States who reside at home was estimated to be about 685,000 in 2012. Roughly one-fifth of that population could be harmed by even a short three- or four-hour power outage. The executive order needs to look at the many ways local and particularly metropolitan power systems are still at risk.

Another limitation of the executive order is its emphasis on hardware—that word appears in nearly every paragraph—without a corollary focus on software, another attractive port of entry for attackers. Despite sophisticated protection, power system software can be compromised in multifarious ways that are more difficult to identify than are hardware backdoors. And this risk exists in both the bulk- and local-power systems. Software is generally tested against known vulnerabilities, and so a valuable modification to the current order would be protocols for software improvements or analysis to discover new vulnerabilities.

Finally, the executive order focuses explicitly on protecting the power grid against foreign threats. But the danger comes from not only state actors, but also non-state actors and even, unfortunately, U.S. citizens. Consider the sniper attack of 2013 at a PG&E transmission facility near San Jose, Calif., in which a group of gunmen fired on transformers at a substation. While not a cyberattack or even technologically sophisticated, the incident nonetheless inflicted millions of dollars in damage and caused a local blackout—a prime example of a domestic attack by non-state actors. And because cyberattacks on the U.S. power system could be launched remotely, they could be carried out by domestic actors residing overseas.

Overall, the executive order is a big step in the right direction. It is bringing attention to a huge problem and could lead to good ideas and solutions. Still, it would be even stronger if it took a more comprehensive view of both the vulnerabilities in our power systems and the sources of potential threats.

About the Author

Yury Dvorkin is an assistant professor of electrical and computer engineering and a faculty member of the Center for Urban Science and Progress (CUSP) at New York University’s Tandon School of Engineering.
