Is our electric grid safe from cyber attack?
Is our electric grid safe from cyber attacks? That’s the question I posed to Andrew Ott, chief executive of a regional transmission organization that acts as an air traffic controller for electrical power in 13 states and Washington DC.
To give you an idea of how big PJM Interconnection is, it coordinates power for 990 major utilities, such as PECO, PSE&G and PP&L, plus major customers like Walmart. If there are power outages, or other problems, power can be routed different utilities to fill in the gaps. But what about the safety of the grid as a whole?
“The biggest threat is people sending emails — they call it phishing,” he said. Employees innocently open their emails and end up “loading bad software onto machines.”
Isn’t that usually a play to gain financial information and access? Does that affect the grid as well?
Well, there have been instances around the world where folks used that mechanism and avenue to get into control systems. The grid is, to some extent, controlled by computers. From our perspective, we have done a lot already to secure the grid. I can’t get into all the details, but there are things to protect the control systems that run the grid. They’re very sophisticated energy management systems. We use things like segmenting networks. The external network isn’t really connected to our network that runs the grid. So, you can’t get there from the Internet and things like this. There are ways and mechanisms that you use to protect that kind of infrastructure.
Is it a nightmare for you?
A nightmare? No, it’s a concern. It’s something that you never can say, `Ah, I’m finished. I’ve solved the cybersecurity problem.’ It’s something you have to pay attention to very day. But, the good news is we have, in the U.S., tremendous resources available to us, whether they be defense contractors, the defense department, people who have really, really done tremendous work. So, we’re very good at dealing with cyber threats.
But there was an incident in Vermont.
The Vermont thing was, in my opinion, miscommunication. There was a computer that had an older version of, I’ll say, malware on it, but it was old. It wasn’t connected to the main systems that run the grid. It really was an overblown situation, frankly.
Did it worry you when it happened?
No, actually. I had known about those types of vulnerabilities and that type of malware. In fact, what I would worry about is something that’s much more sophisticated and much more connected, if you will — something that’s more aggressively deployed.
What about a drone?
Well, that’s physical security.
Right. Buy what about that? That’s from above. It’s not like you have a shield.
The key there is something we call resilience. In other words, the power grid has been built to be able to withstand loss of a certain piece of equipment. If you think about it , the power grid has to withstand all kinds of weather, all kinds of atmospheric conditions, whether it be lightning, whether it be sunspots, etcetera, etcetera. So, for any one small scale physical attack, we’ve already built the grid to be robust to physical attacks. What I would care about is coordinated physical attacks, like a series of things. That’s when you’ve got to start to worry, if you start to see coordinated and more sophisticated types of attacks. Then the traditional resilience needs to be strengthened.
We’ve been talking cyber and terrorism, but what about the errant tree threat?
Absolutely. A not well-trimmed tree in Ohio actually caused a blackout in 2003, I believe it was. But, luckily, the PJM grid was largely spared. So, this area’s region never experienced a blackout. That was more in New York.
But, still it was just one tree.
Yes. But, the key there was a series of failures all at once. Obviously, there was “a tree,” but there had to be a lot of other failures to allow that [problem with the] tree to happen. The monitoring equipment wasn’t up to speed. The monitoring software was incorrect.