U.S. government releases plan to protect the power grid from cyberattacks

The U.S. government is asking energy experts and the general public to weigh in on a new plan to protect the power grid from cyberattacks.

The draft proposal, titled “Identity and Access Management for Electric Utilities,” is the result of a partnership between energy companies’ security teams and the National Cybersecurity Center of Excellence (NCCoE), a division of the National Institute of Standards and Technology (NIST).

Donna Dodson, the center’s director, said in a statement that the document “demonstrates how organizations can reduce their risk and gain efficiencies in identity and access management.”

These security concerns, which numerous reports have said remain unaddressed, have only gained prominence as cyber intrusion techniques have repeatedly defeated the subpar protections upon which energy companies rely. Of the many doomsday scenarios that cyber experts theorize about, one of the most disturbing is a state-sponsored cyberattack on the U.S. electrical grid that brings America’s technologically dependent society to a halt for months or even years.

Hackers could start a nationwide blackout by disabling just nine of the 55,000 power substations that transmit electricity across the grid. 

The Federal Energy Regulatory Commission, one of the lead agencies overseeing the nation’s electric grid, has determined that hackers could start a nationwide blackout by disabling just nine of the 55,000 power substations that transmit electricity across the grid. Multiple power companies reported cyberattacks on their systems to the Department of Energy between the middle of 2013 and the middle of 2014.

Access management is one of the industry’s best hopes of preventing such a calamity. The term refers to controls on what people can do once they log into a system. Improperly configured access controls could let low-level employees at an energy company execute commands that they are not entitled to perform, potentially destabilizing the company’s infrastructure and starting a cascading power failure.

The NIST report does not recommend a particular access-management product. Instead, its recommendations focus on the qualities that a product should have in order to be considered secure.

Although recent large-scale cyberattacks have mostly focused on information theft, such as the massive data breach at the Office of Personnel Management (OPM), a cyberattack that disabled critical energy infrastructure is not unheard of. In 2009 and 2010, the Stuxnet computer worm disabled one thousand of Iran’s nuclear centrifuges. After the virus escaped containment at the Iranian facility and spread to the rest of the world, researchers analyzed it and determined, based on the unprecedented sophistication of the code, that it was the work of the United States and Israel.

NIST’s utility cybersecurity proposal is open for public comment through Oct. 23, 2015.

Photo via Oran Viriyincy/Flickr (CC BY SA 2.0)

Eric Geller

Eric Geller

Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.