Posts

Cyber Security

Question: What do you do for a living?
Answer: I can tell you, but I’d have to kill you.

We’re not secret agents, but we do have more knowledge than the general public about cyber security concerns. We work hard to mitigate fear mongering and any sense of panic among our members.

At the same time, we need to be cognizant of the dangers of cyber theft and malicious intrusions from hackers – both in our ability to manage the grid and maintaining the privacy of our members.

In rural America, the distance between substations, even between members, can be significant. The electronic devices that we use and how we access them allow us to know when disruptions occur and to quickly respond. As the use of technology becomes more prevalent and increasingly complex, the risk of security breaches grows.

“We have in our minds the picture of a hacker as some 15-year-old in his parents’ basement. That used to be the case but it’s not now. Hackers are bots hitting 10 million systems at once, just looking for a vulnerability,” says Bill West, vice president of underwriting at Federated Rural Electric Insurance Exchange. He also adds, “The average cyber insurance claim costs $733,000.”

Any information technology expert that is involved in cyber security will confirm that attacks are frequent. We know this from the industry reports we read. Data breaches can expose the private information of our members and should hackers gain access to control systems, they could disrupt power flow. Throwing a political tilt into cyber issues, hacker attacks are often from foreign countries.

Across the nation, electric cooperatives are participating at every level – from local, regional and national exercises to legislative improvements that affect information sharing between governmental agencies and utilities. (S. 754, in which electric cooperatives had input)

We recognize that because we are rural and comparatively small, it doesn’t mean that we are at less risk than large utilities. As Deputy Energy Secretary Elizabeth Sherwood Randall said last year, “If we don’t protect the energy sector, we are putting every other sector of the economy in peril.”

Let’s make certain that we take cyber security as seriously as we take keeping the lights on. It’s just one more thing to add to our “To Do” list.

The “Essence” of cybersecurity

The online world can be a dangerous neighborhood. News of another huge data theft or malicious computer virus seems to arrive almost weekly. One study found that 740 million online records were hacked last year. Target, the giant retailer, revealed cyber-criminals had stolen information on as many as 70 million of its customers alone.

While it hasn’t received nearly as much publicity, cooperatives and other electric utilities haven’t been immune from this assault. Craig Miller, chief scientist for the National Rural Electric Cooperative Association (NRECA), says there are thousands of probes, big and small, into utility systems. These threats to the security and stability of the nation’s grid are only expected to grow.

But an ambitious effort by the Cooperative Research Network (CRN), the research and development arm of NRECA, and several partners is underway to make sure the systems delivering your power remain safe and secure. It’s called “Essence” and through the project, researchers are developing the next generation of automated cybersecurity for the industry.

That’s particularly important for co-op members and other consumers, who not only count on the power being there when they need it, but also on their electricity provider protecting their privacy. “The success of Essence will improve the protections around their personal information and it will improve the reliability of their power systems,” says Miller.

Miller says most of the attempts to hack into utility systems have been efforts to grab personal data or business information. Consumers obviously want to be sure bank account information, social security numbers or other personal data don’t fall into the hands of identity thieves.

But there have also been more ominous attacks that should concern any U.S. citizen. “There have been attempts on control systems. They are much rarer because they require a much higher level of expertise, and there’s no potential monetary gain,” Miller says. “But people have done it.”

The assumption, he says, is that some of these efforts are by “state actors,” other nations probing for potential weaknesses. Defense analysts also believe a cyber-attack on the nation’s power grid could be attractive to terrorists for its potential to create widespread chaos.

The essence of Essence is to protect Americans from all these threats. There are existing software programs with the same goal, but it’s how Essence safeguards utility systems that makes it a major advance in cybersecurity.

Most computer systems are protected through firewalls, special software that blocks suspicious attempts to connect or upload software. But these programs largely depend on lists of known threats that have to be constantly updated. “One of the challenges is that these security systems require expert users who are hyper-diligent about staying current,” says Miller. “They also have the potential for human error. This creates vulnerabilities.”

But Essence changes the balance of power in this constant battle. “Instead of monitoring what’s going in and out of the network, it monitors the network itself and uses advanced algorithms (procedures) to determine what is normal,” explains Maurice Martin, CRN’s project manager for cyber security. “Essence looks for anomalies – stuff that shouldn’t be happening – and then raises a red flag when it sees something that’s amiss.”

This means Essence doesn’t have to depend on lists of the latest dangers out there, or on humans keeping it up-to-date. It doesn’t need to know exactly what hackers are up to because anything that’s not right with the system will get its attention.

All this is accomplished by an unassuming device, small enough to be held in one hand, which can be added to a utility system in key spots to unobtrusively monitor what’s happening on the network.

Project managers also have taken several steps, including using storage in the cloud and open software standards, to keep costs down and make sure Essence doesn’t require extensive expertise to manage. “It’s going to bring state-of-the-art cybersecurity to co-ops of every size, from the biggest to the smallest,” says Martin. “The philosophy is no co-op left behind. Everyone will be able to use this.”

Essence is being developed through a $4 million grant awarded by the U.S. Department of Energy to research next-generation cybersecurity devices. CRN has partnered with Carnegie Mellon University, the Pacific Northwest National Laboratory, and the cyber security firm Cigital on the project. Several large corporations are also following the effort.

Researchers hope to have the first version of the Essence device in the field for tests early next year. If it’s as successful as expected, commercial partners will be brought in to produce the product, providing electric utilities with an affordable, automated cybersecurity system they can depend on.

That will be good news for consumers everywhere. As Martin notes, “Maintaining cybersecurity for your co-op or utility is a something that matters to anyone who’s on a power line.”

Reed Karaim writes on consumer and cooperative affairs for the National Rural Electric Cooperative Association, the Arlington, Va.-based service arm of the nation’s 900-plus consumer-owned, not-for-profit electric cooperatives.