Marcus Sachs, CSO of the North American Electric Reliability Corporation (NERC), said many people believe that all three major components of the grid – generation, transmission and distribution – are internet facing.
But he said the generation and transmission components are not. He told an audience at the recent RSA conference in San Francisco that while the risk of a damaging cyberattack is “greater than zero … the real threat is Mother Nature and humans doing stupid stuff.”
Sachs agreed that cyber attacks have caused damage to energy infrastructure in other parts of the world – the 2015 hack of the energy grid in Ukraine took out power for several hours to 225,000 people. But he told the audience the North American grid is exponentially less vulnerable because of its, “diversity and separation of infrastructure.”
He told CSO it is also because, “the control systems don’t connect to the internet.” This, he said, is one of the mandatory Critical Infrastructure Protection (CIP) reliability standards.
“The threat is real and the risks are high, but our exposure is low,” he said, contending that it would take physical access to control systems to interfere with their operation. That, he said, is possible but highly unlikely.
“We’ve bent over backwards to decrease our exposure – we’re anal about it,” he said.
This doesn’t mean there are no internet connections in the overall industry – there are many in the corporate networks and the distribution of power to customers. “But that’s at the edge, where you’re flipping the lights on or off,” he said. “We see power companies get spammed and phished all the time. We see ransomware. But even if the lights go out locally, the grid is still working.”
That was essentially the message from former Director of National Intelligence James Clapper, in a “statement for the record” about 18 months ago to the House Permanent Select Committee on Intelligence. Clapper said he believed the chances of a “Cyber Armageddon” are remote.
But that message clearly has not reached the mainstream media. The Wall Street Journal headlined a Dec. 30, 2016 story, “Cyberattacks Raise Alarm for U.S. Power Grid,” and NBC Nightly News just this past week reported that public utilities were essentially sitting ducks for cyberattacks.
Nor has it convinced every other expert in the ICS field either. Joe Weiss, managing partner at Applied Control Systems, vehemently disagreed, calling Sachs’s comments, “bizarre … beyond the realm of credibility.
“Cyber can bring down the grid for months,” he said, adding that the “diversity” of power companies is essentially a mirage, since there are only “eight to 10 vendors worldwide” that manufacture the kind of generators used in ICSs.
Sign up for CIO Asia eNewsletters.