Making the electricity grid greener is boosting its vulnerability to computer hacking, increasing the risk that spies or criminals can cause blackouts, security experts have warned.
Adding wind farms, solar panels and smart meters to the power distribution system opens additional portals through which hackers can attack the grid, according to computer security experts advising governments and utilities. Where traditionally the grid took power from a few sources, it is now absorbing it from thousands.
The communication networks and software that link green energy sources to the grid as well as the electronic meters that send real time power usage to consumers and utilities are providing new back-door entry paths for computer hackers to raise havoc with the grid.
The disclosure this week that hackers known as “Dragonfly” and “Energetic Bear” gained access to power networks across the US and Europe in the past 15 months is a reminder of how vulnerable the system has become.
“Attacks against the grid have moved from theory to reality,” said Raj Samani, chief technology officer for Europe, Middle East and Africa, at McAfee, a unit of Intel Corporation, one of the biggest security software providers.
Utilities, already grappling with other challenges to the grid, may spend what may run into the billions of dollars for computer security. A new multitude of energy inputs is forcing grid managers to run systems that communicate real-time data on power flows to consumers and power plants, bringing networks that were previously closely controlled into contact with computer and telecommunication systems used by millions.
“There have been documented attacks, both cyber and physical on the electric grid which resulted in equipment damage, service disruption and long term repair,” said Sean McGurk, global manager for critical infrastructure protection at Verizon Communications, the largest US wireless carrier.
Consulting and testing services associated with cybersecurity at utilities in Europe will more than double to 412million euros ($564 million) a year by 2016, according to International Data Corporation, a market researcher based in Framingham, Massachusetts.
Already, the energy industry was the sixth-most targeted sector worldwide last year. It was the top target in the US, accounting for 59% of the 256 attacks recorded last year by the US Department of Homeland Security.
Almost all the specifics of the incidents are kept quiet to prevent damage to the companies victimized.
In the past, all power use was measured by mechanical meters, which required a utility worker to inspect and read them. Now, utilities are turning to smart meters that communicate data on flows minute by minute both to customers and utilities.
In Britain, the government wants most homes to have smart meters by 2020, opening millions of new access points for attackers. Similar programs are in place across the US and Europe.
“Anytime you introduce more software, you introduce more complexity and inevitably more potential holes to the system,” said Gavin O’Gorman, a threat intelligence analyst at Symantec Corporation, the security company that identified the “Dragonfly” threat.
Energy companies are only starting to understand the vulnerabilities that smart meters bring, said Nick Hunn, chief technology officer at WiFore, a UK-based wireless technology consultant.
Every meter being deployed in the UK has a “relay” that can disconnect a household from the power supply. This is controlled by the utility from a computer keyboard. Since the same code goes into all meters, it would take just one small piece of code inserted by a rogue programmer to disconnect the power from millions of meters and disable the remote connection to the utility, Hunn said.
“If you talk to the utilities about what you have to protect against, it is about transformers shorting out and trees falling on lines,” Hunn said.
“That is what they have been dealing with for the past 100 years.”
In the “Dragonfly” incident, hackers thought to be in Eastern Europe started targeting power companies with spam in February 2013 and gained access to networks at three companies a few months later. Symantec did not name the companies. It said most of the incidents were in Spain, the US, France and Italy.
Renewable energy companies were targeted. The “Dragonfly” hackers used a French website of a clean power provider as a “watering hole,” where victims from the targeted company visit and pick up infected code, Symantec said.
They were able to compromise industrial control systems and install malware that can replicate itself and spread to other computers.
“Dragonfly” was the latest in a series of breaches affecting energy companies. In June, the US traced dozens of surveillance sorties in 2012 and 2013 on gas pipelines and electric utilities to the People’s Liberation Army in China.
“There’s a reluctance to talk about attacks because no one wants to disclose their vulnerabilities,” said Sameer Patil, associate fellow of Gateway House, a researcher in Mumbai specialized in terrorism and national security. It has seen attacks from Chinese and Pakistani hackers against Indian utilities.
In one of the very few cases that reached the public, a 17-year-old in the Netherlands was arrested in March 2012 in Barendrecht for breaching hundreds of servers maintained by KPN, a telecommunications company providing smart-meter services to utilities.
“The amount of renewables being integrated into the grid is challenging reliability because there are more information and computer technology components being introduced in the grid,” said Maurice Adriaensen, a consultant for DNV GL who is co-chairman of a pan-European group advising on smart meters.
“The amount of cyber vulnerabilities is increasing.”
Peter Terium, chairman of the management board of RWE, Germany’s second-largest power company, said even the most secure and well tested networks are not entirely impregnable.
“Nothing is un-hackable,” he said.
