Cyberattacks Make Smart Grids Look Pretty Dumb
(Bloomberg Opinion) -- Imagine if your thermostat led to a region-wide power blackout.
It’s a scenario that’s looking increasingly plausible. Argentina isn’t ruling out a cyberattack as the possible cause for the mass outage that affected millions of people in five South American countries over the weekend. Even if that incident turns out to have a more innocent explanation, the U.S. government is stepping up digital incursions into Russia’s power grid, the New York Times reported Saturday, citing unnamed officials.
The growing threat from hacking is somewhat inevitable given the way our power systems are changing. Electricity networks are traditionally highly centralized, with limited ability to monitor and control supply and demand in real time, leaving grid operators dependent on forecasting unusual consumption spikes to prevent the system from falling over.
The spread of smart metering and automated control systems has changed that landscape, with more than 10% of global grid investments – equivalent to some $30 billion a year – now dedicated to digital network infrastructure. The grids of the near future are likely to be increasingly decentralized: Owners of domestic refrigerators, air conditioners and industrial facilities will be compensated for switching off to smooth out demand peaks; home, vehicle, and utility-scale batteries will buy cheap electrons and charge up in times of excess generation.
The problem here is the vast amount of infrastructure needed to support such a setup. Any smart electrical grid needs a parallel telecommunications network to collect and harness the volumes of data it will generate, and that makes every connected thermostat or smart refrigerator a potential entry point for cyber intruders.
About 588 million smart meters will be installed worldwide by 2022, according to a report last year by GlobalData UK Ltd., a consultancy. Once you include other connected devices and grid operators’ own control systems, that’s only the tip of the iceberg. Stuxnet, the worm that crippled Iran’s nuclear enrichment facilities in 2010, appears to have been initially spread via an infected USB drive smuggled into one of the plants and plugged into a computer.
Faced with that ever-growing and diversifying list of weak spots, industrial companies are only slowly waking up to the scale of the risk. Overall, about a third of businesses surveyed by Kaspersky Labs Ltd. had suffered at least one cybersecurity incident during 2018, but less than a quarter are compliant with regulations and guidance on preventing intrusions.
The good news is that the telecommunications and computing sector has been dealing with the same risks for a generation. If industrial and electrical systems can get their cybersecurity up to the standards of the technology sector, they stand a good chance of mostly keeping one step ahead of the hackers.
Peripheral networks, for instance, provide a reasonably tried-and-tested method of quarantining vital internal networks from more vulnerable external ones, and are widespread in industrial control systems. The decentralization that smart grids enable could also make them more robust, allowing infected nodes to be isolated while the wider network keeps running or breaks up into smaller micro-grids.
The bad news is that this might not be enough. For one thing, malicious hacks of electrical grids are far more likely to emerge from sophisticated state actors, who are better at covering their tracks and lying low for years until launching an attack.
For another, the cost of leaving a door open could be far greater. A hack of an internet company or credit-card database will compromise personal information, but – as a 2015 attack on Ukraine’s power grid demonstrated – electricity network intrusions could leave hundreds of thousands without power for hours, or longer.
Our lives are dependent on such utility systems operating in the background, cleanly and without incident. The outage in South America is a reminder of our vulnerability in a more uncertain world.
To contact the author of this story: David Fickling at firstname.lastname@example.org
To contact the editor responsible for this story: Rachel Rosenthal at email@example.com
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
David Fickling is a Bloomberg Opinion columnist covering commodities, as well as industrial and consumer companies. He has been a reporter for Bloomberg News, Dow Jones, the Wall Street Journal, the Financial Times and the Guardian.
For more articles like this, please visit us at bloomberg.com/opinion
©2019 Bloomberg L.P.