- September 12, 2018
- Posted by: Kerry Tomlinson, Archer News
- Category: Archer News, Ask Archer, Cyberattack, Hacking, Industrial Control System Security, Posts with image, Power Grid
Your whole world depends on electricity.
So, you may want to know — can the electric grid be hacked?
This question came in during our live Ask Archer Facebook show where we answer your question on security.
“Over the last year, we have heard a lot of news about the vulnerability of the electric grid and other critical infrastructures like the finance sector. How bad is it really? And should we be worried, or is it getting better?”
See answer here:
Can the Electric Grid Be Hacked?
We turn to Patrick Miller of Archer International — Archer News Network’s parent company — for the answer.
The electric grid uses some equipment that is hackable and some that is not, according to Miller.
“There’s a lot of kind of physical, analog, electromechanical stuff that’s not a computer at all,” he said. “That stuff obviously can’t be hacked. You’ve got to physically go damage that to hurt it.”
But now plants are digital as well.
“The critical infrastructures — gas, electric, water, transportation, manufacturing, chemical — they all use computers, too,” Miller said. “Pretty much anything that’s a computer can be hacked.”
Power lines at sunset. Image: jplenio
Miller pointed to an example of a researcher who planted malware on a hand drill and made it play the Star Wars theme.
“I don’t care what it is, whether it’s an industrial system, or your laptop, or an e-mail server. Anything with a chip in it can be hacked,” he said.
So, how vulnerable is the electric grid?
Some news stories paint a scary picture.
“The news would have you believe that the sky is falling and you should run for the hills and buy a generator because the power grid is going to get hacked by some 12-armed terrorists on the network,” Miller said.
But that’s not reality, he added.
“My job is critical infrastructure security, so I see a lot of different infrastructures,” he explained. “They’re remarkably well-designed for resilience.”
For example, if one section of the grid has a power outage, the system is designed to prevent other parts of the grid from blacking out, too.
“There’s a lot of engineering basis that’s been put into this over the long haul of creating these infrastructures,” Miller said. “They’re designed for failure already. It’s already designed to be kind of fail-safe and resilient.”
“Should you freak out? No, it’s not that bad,” he said.
However, there are vulnerabilities.
“Any computer can be hacked,” he emphasized.
A power plant in Florida. Image: Rebecca Humann
How They Could Get In
A lot of those critical infrastructure systems don’t get patched — or updated — on a regular basis, Miller said.
Some operators may think the systems are in a closed environment, away from the Internet.
But attackers could still get malware into them by carrying in a USB stick or CD or other portable computer item.
“There’s still ways to get malware into these closed or protected networks,” Miller said. “They’re not perfect by any means.”
Attackers can reach systems that are not connected to the Internet through infected USB drives. Image: Esa Riutta
And in many cases, the software was built more for reliability than security.
“It was designed to run all the time and never be rebooted, never go down,” he said. “Since it wasn’t built with security in mind, a lot of them are frankly fairly easy to hack.”
Game over? No.
“The good thing is there’s a lot of layers you’ve got to get through to get to those systems on the inside,” he explained. “And there’s a lot of organizations that take their job seriously. They know their critical infrastructures and they behave accordingly.”
For some organizations, there is room for improvement from a security perspective, Miller said.
“I’m not going to say that catastrophic events can’t happen, because anything can be hacked. But, by and large, there’s no need to go run out and buy a generator and freak out and take your money out of the bank and put it in a mattress.”
A worst-case scenario could be a regional event or a city-wide outage, he suggested.
Power lines at sunset. Image: StockSnap
“It’s easier to take out a smaller scope of systems than it would be to actually like take out the entire North American power grid, for example,” he said. “It’s too interconnected, it’s too diverse. There’s just so many different kinds of systems doing different things that support the overall environment.”
But the Hollywood version, where an attacker performs one hack and the entire grid goes down, is not realistic, according to Miller.
“Yes, it’s vulnerable. Yes, it’s not that hard to hack. But reality is, it’s designed in such a way that it’s actually fairly robust and resilient,” he said. “If we keep giving it some attention, the right kind of attention, without the knee-jerk reaction stuff, then we’ll keep moving forward.”
See more Ask Archer questions & answers: