How SDG&E and California’s power grid operator try to stay one step ahead of cyberattacks – San Diego Union-Tribune

Author: Rob Nikolewski
Published on: 2024-01-16 08:00:32
Source: Technology – San Diego Union-Tribune


It’s the nightmare scenario that utilities and grid operators fear the most: A cyberattack that shuts down the power system for days, even weeks.

With organizations becoming increasingly digital, the risk of hackers breaching critical infrastructure is a constant concern.

“You’re always on guard,” said Robert Melis, director of information security and network operations at the California Independent System Operator, the agency that manages grid operations for about 80 percent of the Golden State, as well as 26,000 circuit miles of transmission lines.

“We are continuously cautious,” Melis said. “We’re also continuously looking at our systems, our security posture and our technology to try to do our best to keep up and stay ahead of the changes in the threat landscape.”

No major cyberattacks have taken down U.S. grid assets for extended periods of time, but attempted hacks are on the rise.

The International Energy Administration recently reported the average number of weekly cyberattacks more than doubled in the global utilities sector between 2020 and 2022.

And the danger is not just focused on grid assets. The IEA analysis said the health care and finance/banking sectors experienced even larger numbers of attempted hacks during the same period of time.

“I think there’s a 100 percent chance that organizations in the critical infrastructure space at some point will experience some sort of breach,” said Stephanie Benoit Kurtz, lead cybersecurity faculty at the College of Business and Information Technology at the University of Phoenix. “No longer are the days when organizations can say, ‘We’ll never be breached.’ It’s not if, it’s when.”

Locally, San Diego Gas & Electric officials are reluctant to say how much the utility budgets for cybersecurity, but said it runs into the millions of dollars each year.

“We spend a tremendous amount of time internally, across all aspects of the company, talking about cybersecurity because we believe it’s as important as, say, a wildfire, in this day and age,” said Ben Gordon, SDG&E’s chief information and digital officer.

Hack attacks on the rise

Just on a per-day basis, the number of attempts to hack into the California ISO system can run into the millions. But Melis said the level of threat varies.

“A lot of it depends on how you define attacks. They’re all concerning, but some things are less concerning because they’re more general noise,” Melis said. “It is kind of all of the above. It can be anything from what we call a botnet — a whole series of computers that work together just to rattle your doorknob and see if it’s open.”

Melis hesitated to say how many threats rise to a serious level but said it’s “fair to say” the California ISO has increased its cybersecurity spending in the past three years.

Benoit Kurtz said the reticence is understandable.

“If I provide you the business continuity plan and the runbook for exactly how (a system operator or utility) would remediate threats, then you have my playbook for exactly what systems I consider critical and where to target,” said Benoit Kurtz, who is also the regional director for security at Trace3, a consulting firm based in Irvine.

“If a bad actor gets into an organization, are they looking for those documents?” she said. “Absolutely, they are.”

Benoit Kurtz said that overall, she thinks U.S. grid operators and utilities “are doing a relatively good job of managing” the problem.

Outages and resulting costs to customers from extreme weather events like hurricanes and tropical storms, she said, have posed more of an issue than cyber attacks — at least for now.

For example, a lethal winter storm that descended on nearly the entire state of Texas in February 2021 caused more than 4.5 million homes to lose power.

In August 2023, a massive power outage affecting about 50 million people in the Northeast, the Midwest and the Canadian province of Ontario was primarily caused by trees falling on power lines — although a programming bug in the system software in a control room in Akron, Ohio contributed to the extent of the outages.

But the threat from hackers is real.

More than 20 energy companies in Denmark experienced breaches from a cyberattack last May. The hacks came in waves, targeting vulnerabilities in the firewalls of the companies, according to a Danish government report.

Ordinary citizens did not notice any interruptions, but the attackers gained access to some industrial control systems. To ensure continuous power, several Danish energy companies were forced to go into what’s called “island mode,” where they disconnected from the main electric grid and operated autonomously.

The instigators behind the attack have not been identified, but published reports say researchers suspect the hacker group Sandworm, a cyberwarfare unit within Russia’s military intelligence service. Sandworm has also been connected to attempts to take down the power grid in Ukraine.

Though not related to delivering electric or gas services, a wastewater utility in Paris two months ago had to close off external connections after a cyberattack on its system that supplies service to 9 million customers. Water utilities in Italy and Portugal were also victims of ransomware attacks in 2023.

“There’s definitely chatter worldwide,” Gordon of SDG&E said. “I think there’s some increase in activity in Europe.”

In the U.S., organizations such as the Cybersecurity and Infrastructure Security Agency, or CISA, keep tabs on potential threatening actors. That includes ransomware attackers, who penetrate a target’s computer systems and lock and encrypt their data, control systems and digital files until the victim pays a ransom.

“You’ll see some ransomware groups that start to target the utilities,” Gordon said. “They will move from east to west and then disappear for a while. That’s gone on for many years.”

Earlier this month, the U.S. Department of Energy announced it would spend up to $70 million on research to bolster the resilience of the power grid, electric utilities, pipelines and renewable energy generation against cyber, physical and weather-related threats.

Who are the bad guys?

Many of the hackers, Benoit Kurtz said, are state-sponsored — from places like Russia, China and sometimes in the Middle East.

“Long gone are the days where we have the single hacker that’s banging on the door to generate some kind of payday,” she said. “The most successful are actually teams of hackers, sometimes in multiple countries. And they’re working on everything from surveillance to reconnaissance to selling or monetizing whatever they can get off organizations as they breach them.”

The Washington Post, citing sources who spoke on the condition of anonymity due to the sensitive nature of the topic, reported last month that the Chinese military has ramped up a cyber campaign on U.S. utilities, communications and transportation systems.

The story said intrusions have been made into the operator of the power grid in Texas, at least one oil and gas pipeline and a water utility in Hawaii, presumably to complicate U.S. operations should a conflict break out in the Pacific over Taiwan.

“It is very clear that Chinese attempts to compromise critical infrastructure are in part to pre-position themselves to be able to disrupt or destroy that critical infrastructure in the event of a conflict,” said CISA executive director Brandon Wales, “to either prevent the United States from being able to project power into Asia or to cause societal chaos inside the United States — to affect our decision-making around a crisis.”

The California ISO, along with 250 other organizations, just wrapped up a two-day event called GridEx — an intense security and resilience exercise hosted by the North American Electric Reliability Corporation.

Held every two years, GridEx tests the abilities of organizations to respond to and recover from coordinated cyber and physical security threats and incidents.

Melis did not go into the details of the threat simulations but said, “I was satisfied with the way our team performed. We take it seriously, so there’s a lot of pressure.”

California’s big three investor-owned utilities also took part — Pacific Gas & Electric, Southern California Edison and SDG&E.

“It’s really meant to help strengthen you and get better,” Gordon said. “Not only learning internally but across multiple utilities,” the exercise “has been worth its weight in gold.”

Should people be worried that a cyberattack could some day take down their electricity or natural gas services for days or weeks?

“There’s always some scenario that you can’t account for,” Gordon said. “But I guess what I would say is that we as a company, as a culture, spend a lot of time making sure that those scenarios (are prevented) at all costs.”

In many ways, when it comes to cybersecurity, grid operators and power companies are like goalies — but with practically no room for error.

“Without a doubt, these utility organizations are attacked millions of times a day,” Benoit Kurtz said. “They have to get it right every time. Bad actors only need to get it right once to get in.”
