The Future of Our Energy Grid: Vulnerabilities as it Shifts from Fossil Fuels to Renewable Sources

Our electric grid comprises generation facilities, high voltage transmission networks, substations, renewable point generation sources, and low voltage distribution networks.

Protecting the electric grid from cyber-attacks is complicated by its enormous scale – upwards of 7,000 power plants, more than 150,000 miles of high voltage transmission lines, and more than 50,000 substations. Some are managed by massive regional super utilities and others by small municipal utilities. Add to this the interconnections among these power systems and the complexity becomes unimaginable.

Two further complications are old infrastructure, which was designed to be robust against typical weather-related events but not against today's cyber threats, and the asymmetrical nature of the threat: inexpensive small attacks can have crippling impacts on the US economy.

The core large-scale generation systems and high voltage transmission networks are better prepared to deal with cyber-attacks than the periphery. The North American Electric Reliability Corporation (NERC) has developed rules governing Critical Infrastructure Protection (CIP). These rules describe both the physical and electronic controls, such as authentication, authorization of actions, and monitoring for attacks.

Background Note: Cyber-attacks on electric grids are usually either Denial of Service (DoS) attacks, which tend to be brute force attacks intended simply to overwhelm the control computers, or more sophisticated Business Process (or machine) Compromise (BPC) attacks. These BPC attacks target specific devices in the grid and disable them (think Iranian centrifuges).

The problem with wind and solar generation is that these facilities are generally small-scale and connect at the periphery – the least cyber-secure part of the grid.

One final problem to ponder is the culture of the US power industry itself; this is an industry that moves at glacial speeds. It is common for technology refresh cycles to be measured in 10-year increments. That is good from a durability perspective, but completely misses the mark from a cybersecurity perspective.