Over the next two years, 50 to 75 billion home and industrial electrical devices will be connected to the Internet, enabling more convenient home energy use, efficient manufacturing, improved healthcare, safer transportation and a cleaner environment. This is commonly known as the “Internet of Things” or IoT.
But every device connected to the Internet creates a potential pathway for foreign governments and other malevolent actors to compromise essential networks — particularly the electric power grid, the backbone of our critical infrastructure. Today, the United States remains exposed to the potential for large-scale or prolonged disruption of the power grid, which could cripple the economy.
Earlier this year, I joined several of the nation’s top cyber-security experts in concluding that threats to critical infrastructure networks such as the power grid are increasing rapidly in scope and sophistication, and cybersecurity must be built into the business strategies of all businesses, especially energy companies.
What is needed is a culture of enhanced and sustained resilience. We must manage digital risks aggressively through existing and emerging technologies and security practices, backed by a deep ability to rebound quickly and continue operations following a cyber-attack. Developing this culture of resiliency will require the government and the private sector to jointly defend our critical infrastructure, since more than 85 percent of those assets in the U.S. are privately owned.
American leaders have already acknowledged the risks to other critical networks — namely the communications system — posed by companies such as Huawei and ZTE, which are closely connected with the Chinese government. CIA Director Gina Haspel was asked during her confirmation hearing if she would use Huawei products — she said no. In response to the administration’s attempt to aid ZTE, Florida Sen. Marco Rubio tweeted that the “problem with ZTE isn’t jobs and trade, it’s national security and espionage.”
The deep connections between these companies and the Chinese government, according to a congressional report, would give the Chinese government the ability to easily intercept communications or initiate a cyberattack on critical U.S. infrastructure.
This situation is even more urgent for the electric grid, which provides the power upon which other critical infrastructure elements rely to operate. Improving the resilience of the grid must be our first and most urgent priority in upgrading critical infrastructure.
The American energy grid is a large, sophisticated and delicately balanced machine that has always been vulnerable to cyber-attacks. Unlike the water supply system — which draws on reservoirs to match demand — the energy grid must carefully and constantly balance input and output to maintain a stable supply of power throughout the grid. This balancing act is becoming increasingly difficult because of the addition of renewable sources of energy and the increasing sophistication of the grid. According to a new plan from the U.S. Department of Energy, the sophistication of the electric grid is creating a “growing interdependence among the nation’s energy systems,” which increases the risk of energy disruptions cascading from one state to the next.
The billions of internet-connected devices that draw power from the electric grid, and many that feed power back, create a vast range of vulnerable access points for hackers.
For example, connectivity concerns have arisen recently with solar inverters, devices widely used to maximize solar photovoltaic panel operations. The concern is that a hacker could access thousands of web-connected inverters and control the flow of power from them to the grid. In a worst-case scenario, a hacker could cause large, sudden spikes or dips in electricity supply, disrupting a local, state or national grid’s balance and potentially causing a widespread power outage. For these reasons, as is now the case for our nation’s telecommunications network, access through IoT to the U.S. electric grid should be off limits to state-controlled companies such as Huawei.
My former colleague Dan Coats, now the nation’s director of national intelligence, said recently “the warning lights are blinking red” and “today, the digital infrastructure that serves this country is literally under attack … these actions are persistent. They’re pervasive and they are meant to undermine America’s democracy on a daily basis.”
American lawmakers did the right thing with the telecom industry by taking exception to companies that are inextricably linked to foreign governments. Legislators now should turn their attention to strongly supporting industry efforts to protect America’s electric grid from the same kind of malicious foreign interference. Modernizing the grid and incorporating rigorous security measures require close coordination and cooperation across government and industry, and both must take leadership roles.
As Christopher Krebs, undersecretary for the Department of Homeland Security’s main cyber unit, said recently, “No company out there, no state out there, is going to overcome this challenge by themselves. We have to work together.”
The time is now, before a major grid attack occurs, to bolster our electric grid against the threats created by the growing number of home and industrial internet-connected devices. We’ve been lucky to date, but that luck cannot hold out against a determined foreign agent with billions of possible points of entry.
Tom Ridge served as the 43rd governor of Pennsylvania and was the first U.S. secretary of Homeland Security. He is chairman of the Ridge Global Cybersecurity Institute and is an adviser to Protect Our Power, a bipartisan not-for-profit organization whose mission is to strengthen the reliability and resilience of the U.S. electric grid.