Bloomberg Opinion
Cyberattacks makes smart grids look pretty dumb
Skip to content
Skip to content
Bloomberg the Company & Its ProductsBloomberg Anywhere Remote LoginBloomberg Terminal Demo Request
MenuSearch
Bloomberg Opinion
Sign InSubscribe
Technology & Ideas
Cyberattacks Make Smart Grids Look Pretty Dumb
An outage in South America is a reminder that connected devices can become easy entry points for hackers.
By David Fickling
ýJuneý ý17ý, ý2019ý ý2ý:ý26ý ýAMý ýMDT
David Fickling is a Bloomberg Opinion columnist covering commodities, as well as industrial and consumer companies. He has been a reporter for Bloomberg News, Dow Jones, the Wall Street Journal, the Financial Times and the Guardian.
Read more opinion
Follow @davidfickling on Twitter
LISTEN TO ARTICLE
3:44
SHARE THIS ARTICLE
Share
Tweet
Post
Email
In this article
0680671D
KASPERSKY LABS LTD
Private Company
NYT
NEW YORK TIMES-A
33.68USD+0.31+0.93%
Imagine if your thermostat led to a region-wide power blackout.
It’s a scenario that’s looking increasingly plausible. Argentina isn’t ruling out a cyberattack as the possible cause for the mass outage that affected millions of people in five South American countries over the weekend. Even if that incident turns out to have a more innocent explanation, the U.S. government is stepping up digital incursions into Russia’s power grid, the New York Times reported Saturday, citing unnamed officials.
The growing threat from hacking is somewhat inevitable given the way our power systems are changing. Electricity networks are traditionally highly centralized, with limited ability to monitor and control supply and demand in real time, leaving grid operators dependent on forecasting unusual consumption spikes to prevent the system from falling over.
The spread of smart metering and automated control systems has changed that landscape, with more than 10% of global grid investments – equivalent to some $30 billion a year – now dedicated to digital network infrastructure. The grids of the near future are likely to be increasingly decentralized: Owners of domestic refrigerators, air conditioners and industrial facilities will be compensated for switching off to smooth out demand peaks; home, vehicle, and utility-scale batteries will buy cheap electrons and charge up in times of excess generation.
Grid and Bear It
More than $130 billion has been spent on smart-grid technologies worldwide over the past five years
Source: International Energy Agency
The problem here is the vast amount of infrastructure needed to support such a setup. Any smart electrical grid needs a parallel telecommunications network to collect and harness the volumes of data it will generate, and that makes every connected thermostat or smart refrigerator a potential entry point for cyber intruders.
About 588 million smart meters will be installed worldwide by 2022, according to a report last year by GlobalData UK Ltd., a consultancy. Once you include other connected devices and grid operators’ own control systems, that’s only the tip of the iceberg. Stuxnet, the worm that crippled Iran’s nuclear enrichment facilities in 2010, appears to have been initially spread via an infected USB drive smuggled into one of the plants and plugged into a computer.
Danger Zone
Identified cyber vulnerabilities in industrial-control systems have spiked in recent years
Source: Kaspersky Labs
Faced with that ever-growing and diversifying list of weak spots, industrial companies are only slowly waking up to the scale of the risk. Overall, about a third of businesses surveyed by Kaspersky Labs Ltd. had suffered at least one cybersecurity incident during 2018, but less than a quarter are compliant with regulations and guidance on preventing intrusions.
The good news is that the telecommunications and computing sector has been dealing with the same risks for a generation. If industrial and electrical systems can get their cybersecurity up to the standards of the technology sector, they stand a good chance of mostly keeping one step ahead of the hackers.
Peripheral networks, for instance, provide a reasonably tried-and-tested method of quarantining vital internal networks from more vulnerable external ones, and are widespread in industrial control systems. The decentralization that smart grids enable could also make them more robust, allowing infected nodes to be isolated while the wider network keeps running or breaks up into smaller micro-grids.
The bad news is that this might not be enough. For one thing, malicious hacks of electrical grids are far more likely to emerge from sophisticated state actors, who are better at covering their tracks and lying low for years until launching an attack.
For another, the cost of leaving a door open could be far greater. A hack of an internet company or credit-card database will compromise personal information, but – as a 2015 attack on Ukraine’s power grid demonstrated – electricity network intrusions could leave hundreds of thousands without power for hours, or longer.
Our lives are dependent on such utility systems operating in the background, cleanly and without incident. The outage in South America is a reminder of our vulnerability in a more uncertain world.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
To contact the author of this story:
David Fickling at dfickling@bloomberg.net
To contact the editor responsible for this story:
Rachel Rosenthal at rrosenthal21@bloomberg.net
Comments 0
UP NEXT
Russia's Power Grid Is Vulnerable to U.S. Attacks
Have a confidential tip for our reporters?
GET IN TOUCH
Before it's here, it's on the Bloomberg Terminal.
LEARN MORE
LIVE ON BLOOMBERG
Watch Live TV
Listen to Live Radio
Popular in Opinion
How to Invest and Profit in the Next Recession
by Barry Ritholtz
A slump is likely in the next year or so. There are ways to prepare for it.
Facebook's Answer to Bitcoin Poses a Double Threat
by Lionel Laurent
Mark Zuckerberg's Libra cryptocurrency project may just strengthen his stranglehold on our user data. Financial stability is another huge concern.
Black Poverty Is Rooted in Real-Estate Exploitation
by Mark Whitehouse
A new study in Chicago shows how the dream of homeownership was converted into a poverty trap.
Read more from opinion
cybersecurity
Russia's Power Grid Is an Easy Target for U.S. Hacking
The real message U.S. officials are sending to Moscow is that Russia can be attacked without White House authorization.
By Leonid Bershidsky
ýJuneý ý17ý, ý2019ý ý11ý:ý00ý ýPMý ýMDT
Could the Pentagon literally melt the ice? Photographer: MIKHAIL KLIMENTYEV/AFP/GETTY IMAGES
Leonid Bershidsky is Bloomberg Opinion's Europe columnist. He was the founding editor of the Russian business daily Vedomosti and founded the opinion website Slon.ru.
Read more opinion
Follow @Bershidsky on Twitter
COMMENTS
2
LISTEN TO ARTICLE
4:31
SHARE THIS ARTICLE
Share
Tweet
Post
Email
In this article
NYT
NEW YORK TIMES-A
33.68USD+0.31+0.93%
1034431Z
KASPERSKY LAB JSC
Private Company
A report in the New York Times that the U.S. Cyber Command has intensified secret efforts to hack the Russian power grid is less interesting for its content than because of U.S. officials’ apparent cooperation in publicizing the activity. Like any power grid undergoing a digital transformation, the Russian one is quite hackable – but why would the U.S. want public discussion of the matter?
The New York Times story talks about “implants” – the placement of malware in networks involved in managing the Russian power grid that could be activated in case of a major conflict. It’s careful to avoid any detail, but Russians know better than many others how vulnerable power grids are to attack.
Kaspersky Lab JSC, the cybersecurity firm, has been running grid equipment hacking contests for years. In 2016, a hacking group from Yekaterinburg described in a blog post how it won points in the competition by taking over a substation and causing a short circuit on a power transmission line, without any prior knowledge of the specific industrial system or even much general understanding about how substations work. Russian researchers have identified numerous vulnerabilities in so-called smart grid equipment, which constantly analyzes consumption data and helps manage systems flexibly and efficiently. Many elements of electrical grids are accessible from the internet. A relatively successful, and likely Russian, attack that shut down 27 substations in Ukraine in 2015 showed that primitive methods like sending spear-phishing emails to employees of regional energy companies are effective in getting hackers into parts of national grids.
The Russian grid is particularly vulnerable for several reasons. First, it’s vast. Russian Grids PJSC runs 2.35 million kilometers of transmission lines and 507,000 substations. Second, it’s in the process of an ambitious digital transformation. The state-controlled company’s digitization plan, adopted last year, is meant to achieve major cuts in transmission losses and breakdown numbers by 2030. The plan talks about creating a cybersecurity unit, but that’s a work in progress. As my colleague David Fickling has pointed out, making a grid “smart” creates new avenues of attack, and big technology rollouts can be messy and increase the risks. In the case of Russia, the problem is exacerbated by the Western origin of three quarters of all the equipment and pretty much all of the software. If U.S. intelligence puts in the implants before the equipment is supplied or en route, there’s no guarantee they can be detected.
In other words, securing the Russian grid is a mammoth task even with Russians’ superior expertise when it comes to detecting (and likely exploiting) vulnerabilities. U.S. cyberattacks are certainly possible. How crippling they can be is another matter. The 2015 attack on the Ukrainian regional energy companies left some 225,000 customers without electricity for a few hours; that’s not a lot of damage given the wide array of techniques involved (the attackers even flooded an energy company’s call center with automated calls to make it impossible for customers to report outages). Unless critical equipment is irreparably damaged, it’s usually possible to switch to manual mode, which is what the Ukrainians did.
It would be naive, however, to think the Russian government hasn’t been worried about U.S. cyberattacks on the country's critical infrastructure. So President Donald Trump’s vehement reaction to the New York Times story – he called publishing it “a virtual act of treason” in a tweet – is a little overdone. What’s more telling, though, is the newspaper’s response: It says the Times “described the article to the government” before publication and got no objections.
This raises the question what purpose the article might serve for the government officials who talked to the newspaper and those who vetted the publication. My theory is that they wanted to send a message to the Kremlin – but not specifically that the Cyber Command has increased its activity in the Russian power grid. The Russian political leadership, intelligence and cybersecurity professionals are already aware of these efforts.
Rather, the message concerns the approval procedure for the offensive efforts. The Times story says they occur under new, obscure legislation passed by Congress last summer that allows the defense secretary to authorize “clandestine military activity” in cyberspace without going to the president for approval. It’s one thing for the Russians to know the U.S. is working to infiltrate their country’s infrastructure, but quite another to be aware that intrusions and attacks don’t require White House approval and can happen routinely and without much ado. The U.S. officials are effectively telling Russian President Vladimir Putin not to remonstrate with Trump in case of attack – the U.S. president may not even know what’s happening, and it’ll be perfectly legal.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
To contact the author of this story:
Leonid Bershidsky at lbershidsky@bloomberg.net
To contact the editor responsible for this story:
Tobin Harshaw at tharshaw@bloomberg.net
Comments 2
Have a confidential tip for our reporters?
GET IN TOUCH
Before it's here, it's on the Bloomberg Terminal.
LEARN MORE
LIVE ON BLOOMBERG
Watch Live TV
Listen to Live Radio
Popular in Opinion
How to Invest and Profit in the Next Recession
by Barry Ritholtz
A slump is likely in the next year or so. There are ways to prepare for it.
Facebook's Answer to Bitcoin Poses a Double Threat
by Lionel Laurent
Mark Zuckerberg's Libra cryptocurrency project may just strengthen his stranglehold on our user data. Financial stability is another huge concern.
Black Poverty Is Rooted in Real-Estate Exploitation
by Mark Whitehouse
A new study in Chicago shows how the dream of homeownership was converted into a poverty trap.
Read more from opinion
Terms of Service
Trademarks Privacy Policy ©2019 Bloomberg L.P. All Rights Reserved
Careers Made in NYC Advertise Ad Choices Contact Us Help
You have 8 free articles remaining. Save 30% on unlimited access.
View Subscription Offers Sign in
Bloomberg Anywhere clients get free access
|
|