Fining utilities for cyber security breaches is a good step – but it’s not the answer…
This month utility firm Duke Energy was fined for major breaches in their security system – but while penalties prove institutions are serious about cyber crime, they are not the solution to securing the networks of the future…
Earlier this month, the North American Electric Reliability Corporation fined utility company Duke Energy $10m for breaches to their security system.
It wasn’t the first time a US utility has been charged for cyber security breaches – PG&E were hit up for $2.7m last year for a data hack – but this time the security violations were said to have posed ‘serious risk to security and reliability’ of the bulk power system.
What’s that mean? It means the hackers were one step away from having their hands on the controls.
Security breaches are constantly hitting the headlines these days but while many hacks focus on stealing data, the infiltration of energy networks can give criminals the potential to actually shut down critical systems.
That happened in the Ukraine in 2015, when hackers caused a blackout for nearly 250,000 customers of three energy distribution companies. It was the first successful attempt to disrupt a power grid through a cyber attack and although it only lasted six hours, it proved the point.
In 2017, Russian hackers broke into systems relating to nuclear power in the US but they didn’t get into the operational systems, just the business and admin levels. A report that same year, however, revealed intruders had gained access to power grid operations in the US and Turkey.
That’s why the energy industry is second only to financial services in terms of sectors targeted by cyber criminals.
Like all industries, energy is undergoing significant transformation in the digital age. Smart meters, IoT devices, distributed renewables, electric vehicles; they’re all being integrated into the grid of the future.
The problem is, the grid of the future is being bolted onto the networks of the past and internet-enabled devices are opening up older and more vulnerable hardware and software systems to potential breaches.
So, it’s not just at a power station level that security is a concern.
A huge amount of data is collected about consumers’ behavior using smart meters and IoT demand response devices like smart thermometers, while renewables like solar panels and wind turbines have demand response functionality that can turn them on and off remotely and automatically.
If hackers can get into the system at the grid edge and manipulate demand and response controls, they can cause serious disruption.
Instead of trying to hack a power plant, hacking into millions of smart devices could create spikes in local and regional power consumption or production that could achieve a similar impact.
Sending constraint notices to a group of wind turbines, for instance, could quickly result in a brown out; hacking domestic appliances to make them look like they are in standby when they are actually consuming much more electricity could cause hidden surges in demand; getting inside EV systems to change peak charging times could cause serious demand spikes.
Let’s not get ahead of ourselves, though, this kind of hacking is not easy – but if we don’t think about it now, our infrastructure will only become increasingly vulnerable.
The recent NARC fines show the US governments and energy institutions are increasingly serous about the dangers of cyber crime.
Likewise, in Europe, the NIS Directive, the first EU-wide legislation on cyber-security, was implemented last year to provide dictated regulation rather than just recommended standards.
But it’s easier said than done – and that’s why we are developing Exergy.
Using distributed ledger technology to log and store energy data makes it impenetrable to hackers. And as we look to build the real network of the future, isn’t that exactly what we want?
We are moving rapidly towards world run on distributed renewables, where energy consumption is managed through IoT device controls, the grid is balanced automatically and local networks interchange energy through demand response.
But without a secure solution for managing all the data that this creates and uses, we risk developing new networks that are built on sand.