Making the electricity grid greener is boosting its vulnerability to computer hacking, increasing the risk that spies or criminals can cause blackouts.
Adding wind farms, solar panels and smart meters to the power distribution system opens additional portals through which hackers can attack the grid, according to computer security experts advising governments and utilities. Where traditionally the grid took power from a few sources, it’s now absorbing it from thousands.
The communication networks and software that link green energy sources to the grid as well as the electronic meters that send real time power usage to consumers and utilities are providing new back-door entry paths for computer hackers to raise havoc with the grid. The disclosure this week that hackers known as “Dragonfly” and “Energetic Bear” gained access to power networks across the U.S. and Europe in the past 15 months is a reminder of how vulnerable the system has become.
“Attacks against the grid have moved from theory to reality,” said Raj Samani, chief technology officer for Europe, Middle East and Africa, at McAfee Inc., a unit of Intel Corp. that’s one of the biggest security software providers.
Utilities, already grappling with other challenges to the grid, may spend what may run into the billions of dollars for computer security. A new multitude of energy inputs is forcing grid managers to run systems that communicate real-time data on power flows to consumers and power plants, bringing networks that were previously closely controlled into contact with computer and telecommunication systems used by millions.
“There have been documented attacks, both cyber and physical on the electric grid which resulted in equipment damage, service disruption and long term repair,” said Sean McGurk, global manager for critical infrastructure protection at Verizon Communications Inc., the largest U.S. wireless carrier.
In the U.S., President Barack Obama signed an executive order in February calling for work to assess which parts of the grid are most at risk. Many utilities aren’t waiting for the government’s findings. Dominion Resources Inc., owner of Virginia’s largest electric company, told investors in February it will spend $500 million over five years to harden critical substations. American Electric Power Co.’s Ohio utility has asked regulators to grant the right to levy a special charge for cyber security.
“We cannot predict potential costs,” said Melissa McHenry, a spokeswoman for the company, based in Columbus, Ohio.
About a third of the 61 power and utility companies surveyed by Ernst & Young LLP said they’re spending more than $3 million a year -- at least $183 million in total -- on information security including protection from cyber threats.
Utility chief executive officers began meeting last year with senior Homeland Security officials on ways to detect attacks, block them, and prepare to restore power quickly when one succeeds, said Scott Aaronson, senior director for national security policy at the Edison Electric Institute, a utility trade group based in Washington.
“In the past 18 months, we’ve done more to improve situational awareness that we had in the previous five years,” Aaronson said.
In Europe, the story is much the same. Consulting and testing services associated with cybersecurity at utilities there will more than double to 412 million euros ($564 million) a year by 2016, according to International Data Corp., a market researcher based in Framingham, Massachusetts.
Already, the energy industry was the sixth-most targeted sector worldwide last year. It was the top target in the U.S., accounting for 59 percent of the 256 attacks recorded last year by the U.S. Department of Homeland Security. Almost all the specifics of the incidents are kept quiet to prevent damage to the companies victimized.
In the past, all power use was measured by mechanical meters, which required a utility worker to inspect and read them. Now, utilities are turning to smart meters that communicate data on flows minute by minute both to customers and utilities. In Britain, the government wants most homes to have smart meters by 2020, opening millions of new access points for attackers. Similar programs are in place across the U.S. and Europe.
“Anytime you introduce more software, you introduce more complexity and inevitably more potential holes to the system,” said Gavin O’Gorman, a threat intelligence analyst at Symantec Corp., the security company based in Mountain View, California, that identified the “Dragonfly” threat.
Energy companies are only starting to understand the vulnerabilities that smart meters bring, said Nick Hunn, chief technology officer at WiFore, a U.K.-based wireless technology consultant.
Every meter being deployed in the U.K. has a “relay” that can disconnect a household from the power supply. This is controlled by the utility from a computer keyboard. Since the same code goes into all meters, it would take just one small piece of code inserted by a rogue programmer to disconnect the power from millions of meters and disable the remote connection to the utility, Hunn said.
“If you talk to the utilities about what you have to protect against, it’s about transformers shorting out and trees falling on lines,” Hunn said. “That’s what they’ve been dealing with for the past 100 years.”
In the “Dragonfly” incident, hackers thought to be in Eastern Europe started targeting power companies with spam in February 2013 and gained access to networks at three companies a few months later. Symantec didn’t name the companies. It said most of the incidents were in Spain, the U.S., France and Italy.
Renewable energy companies were targeted. The “Dragonfly” hackers used a French website of a clean power provider as a “watering hole,” where victims from the targeted company visit and pick up infected code, Symantec said.
They were able to compromise industrial control systems and install malware that can replicate itself and spread to other computers.
“Dragonfly” was the latest in a series of breaches affecting energy companies. In June, the U.S. traced dozens of surveillance sorties in 2012 and 2013 on gas pipelines and electric utilities to the People’s Liberation Army in China.
“There’s a reluctance to talk about attacks because no one wants to disclose their vulnerabilities,” said Sameer Patil, associate fellow of Gateway House, a researcher in Mumbai specialized in terrorism and national security. It has seen attacks from Chinese and Pakistani hackers against Indian utilities.
In one of the very few cases that reached the public, a 17-year-old in the Netherlands was arrested in March 2012 in Barendrecht for breaching hundreds of servers maintained by KPN NV, a telecommunications company providing smart-meter services to utilities.
“The amount of renewables being integrated into the grid is challenging reliability because there are more information and computer technology components being introduced in the grid,” said Maurice Adriaensen, a consultant for DNV GL who is co-chairman of a pan-European group advising on smart meters. “The amount of cyber vulnerabilities is increasing.”
Peter Terium, chairman of the management board of RWE AG, Germany’s second-largest power company said even the most secure and well tested networks are not entirely impregnable. ‘‘Nothing is un-hackable,’’ he said.