Time long past due for protecting power grid from cyber attack, professors say

October 29, 2018

Despite ongoing cautions from experts over the years, the nation’s power grid remains vulnerable to potentially crippling cyber attacks, say two professors at Capitol Technology University, home to a leading cybersecurity program.

The culprits? Legacy systems that were not designed with cybersecurity in mind, and a reluctance to invest money in upgrades.

evening image of city buildings showing the need of construction management and cybersecurity to work together to protect power plants

“Much of our critical infrastructure was designed and built at a time when cyber was not really on most people’s radar,” says Robert Campbell, a cryptography expert who teaches courses on blockchain. “At the dawn of the internet era, being accessible on the internet was a big thing – but this didn’t take into account the cybersecurity issues that could arise. Power supply stations, water facilities, and many other types of infrastructure were connected to the internet with a degree of open access that is astonishing in retrospect.“

“Inevitably, we’ve discovered this wasn’t such good idea. But we have a lot of work to do in order to catch up. It’s difficult to implement security measures when you’ve already designed a complex system. It’s much easier to implement security measures at the beginning, at the design stage.”

Campbell recently penned an article for Hackin9 magazine in which he outlined how power outages combined with a malware infestation could create a perfect storm that cripples hospitals at a time of peak need – leaving ICUs without power and surgeons unable to perform operations. In the scenario he describes, the hospital relies on backup generators – only to find that these, too, contain malware.

“The bottom line is there are currently a lot of ways in which an adversary can get in and do damage,” Campbell says. “If you look at generators, for example – they can be controlled to a point where they blow up. And the list goes on: it’s possible to cause water to be released from a dam, trigger blackouts in a crowded urban area, or damage nuclear facilities.”

Rick Hansen, who mentors student teams at the university’s Cyber Lab, points to an example much discussed in cybersecurity circles: successive cyber attacks in Ukraine. Attacks in 2017 hit government agencies, banks, and transportation systems, while also taking the radiation system at the Chernobyl power plant offline. An earlier incident, in 2015, left 230,000 without electrical power for several hours.

“What saved the Ukrainians was they still had people who understood how to manually operate the system,” Hansen notes. “Here in the United States, that’s a real problem. The people who understand how to use the older tools have almost all retired. We’re extraordinarily dependent in just about every arena, from finance to health care, on computerized systems. If there’s no electricity, then nothing works.”

The cost of upgrading facilities to be more secure is minimal compared to the potentially staggering losses of an attack, he says – yet so far such upgrades continue to fall by the wayside as organizations make budgetary choices.

“For a relatively small amount of money, the grid could be provided with much better security. While there’s no such thing as total protection, it could certainly be protected to a much larger degree – not only from cyber threats, but also from things like electromagnetic pulses. Yes, it would require an expenditure. But the costs are small compared to other things we spend money on. And very small compared to the costs that could arise from a worst-case scenario,” Hansen says.

“Think about what a day without electricity would be like. Now think about what a week without electricity would be like.”

Above all, Hansen says, what is needed are people who understand the problem. That’s one of the reasons why the university has launched new degree programs in construction management and critical infrastructure, adding a crucial cyber component to an academic field that traditionally teaches students to supervise building and infrastructure projects. Capitol is one of the first universities in the nation to do so.

Capitol's offerings include a bachelor of science in construction management and critical infrastructure, a master of science in critical infrastructure, and a newly announced PhD in critical infrastructure.

“If you look at how we got into this situation, you see that lack of awareness was the main culprit,” Hansen says. “Awareness will be needed in order to solve it.”

Build a career that blends construction management education and cybersecurity. Information about our critical infrastructure degree programs can be found here, or email admissions@captechu.edu for more information.

Categories: Cybersecurity

Related posts:
Cybersecurity Issues: Zoom hacking of universities and schools
The Internet of Things and Mechatronics
Questions of ethics arise as Google cybersecurity report exposes US counterterrorism effort
Promoting early STEM education can save lives, Capitol doctoral graduate says
Why a Cybersecurity Career: it’s not just about hacking, professor says