recommended reading

Lawmakers Want to See If Dumbing Down Smart Grids Might Thwart Hackers

Brian Guest/Shutterstock.com

Some Senate Republicans and Democrats want to see if unplugging critical parts of the power grid from the internet can help prevent digital attacks.

Their proposed $11.5 million Securing Energy Infrastructure Act (S. 3018) would commission the National Laboratories to study electricity companies willing to pull offline their most-vital control systems.

The idea behind the experiment with analog tech is to help identify -- and remove -- hidden vulnerabilities that could let in malware.

Bill sponsor Sen. Angus King, I-Maine, has asked the leaders of the Energy and Natural Resources Committee to hold a hearing on the measure before the Senate leaves for the August work period, a King spokesman told Nextgov.

The 2-year trial program would start within two months after the bill is signed.

King spokesman Scott Ogden said the program does not exclude other possible solutions, and the analog technologies would only be used for the most mission-critical activities.

Companies would use nondigital controllers, physical controls and purpose-built control systems "to isolate and defend" these key systems from malware, according to the legislation.

Bill sponsors describe the proposal to use analog and human-operated techniques as a “retro” approach that has shown promise as a safeguard against cyberattacks. 

Inspiration for the measure came from a December 2015 attack on a Ukrainian power grid that left 225,000 citizens in the dark. Attackers, suspected to be aiding the Russian government, targeted industrial control systems at three energy companies, U.S. Homeland Security Department officials have said. Bill supporters say the outage could have been worse if Ukraine was not also using manual technology to run its grid. 

"One of the reasons they were able to get the power back on so fast was because the Ukrainian grid was not up to modern practices in terms of its interconnectedness and its digitization,” King said June 7, the day after introducing the bill. “There were old-fashioned analog switches and the most old-fashioned analog switch of all, a human being, that could actually throw breakers and get the system back online."

Ogden said his boss’ legislation takes a measured and tailored approach to protecting the electric grid.

King’s office, for months, consulted relevant government agencies, experts within the cybersecurity and energy fields, and organizations representing electric grid owners and operators to shape the legislation, he said.

Under the legislation, a federal and industry working group would evaluate how the dumbed-down systems are performing.

After the assessment, the 10-member group would establish a "national cyber-informed strategy" to isolate the energy grid from attacks.

Some cybersecurity experts note that manmade mistakes, not malware, have been to blame for modern-day American power failures.

Two of the largest electricity outages in recent memory, the Southwest blackout of 2011 and the Northeast blackout of 2003 involved human error, said Cris Thomas, a strategist at Tenable Network Security, known in the hacker community as "Space Rogue."

Humans make mistakes, which can cost consumers time and money, in the form of higher fees, he wrote in The Hill.

"That’s why we computerized the electric grid in the first place," Thomas said. 

Under the proposed program, the technologies that might be taken offline could include SCADA systems (supervisory control and data acquisition systems), distributed control systems and programmable logic controllers.

"Instead of spending two years and $10 million exploring ways to downgrade critical systems with even more outdated tech, we should instead invest that time and money into transforming security for the technology currently in place, and into building next-generation security features directly into future technology," Thomas added.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

JOIN THE DISCUSSION

Close [ x ] More from Nextgov