This piece was originally published in the November 2017 issue of electroindustry.
Patrick Le Fèvre, Chief Marketing and Communication Officer, Powerbox
Mr. Le Fèvre is the author of numerous papers and articles related to power electronics.
As communication and intelligence are added to power supplies, is the industry prepared to address software security? While there is little risk a hacker could reach a single digital point of load (POL) at board level, the risk increases exponentially as we move upward in the value chain. In that chain, the smart grid is probably the most exposed to attacks.
Are we safe?
Between March 2007, when the United States demonstrated in the Aurora Generator Test that hackers could take control of a power plant and physically destroy a generator with only 21 lines of code, and April 2016, when a water and electricity authority in Michigan became the victim of a ransomware attack that forced it to keep IT systems locked down for a week, the number of cases reported to security authorities rapidly increased.
Florida International University estimated that during the first six months of 2015, more than 100 cyber incidents affected infrastructure in the U.S., and the energy sector had the largest number of attacks. Cyberattacks on the smart grid are a global threat.
In February 2016, the U.S. Department of Homeland Security described an attack on a power grid in Ukraine that involved physical sabotage; this case motivated the smart grid community to strengthen efforts to accelerate sustainable security. On December 23, 2015, the Ivano-Frankivsk region was plunged into darkness for several hours and more than 220,000 customers lost power. The IT and communications systems of the electric companies were severely damaged by the attackers.
The attackers employed several tools. They sent a phishing email containing a variant of BlackEnergy 3 and KillDisk malware, exploited MS Office documents’ security holes to get into the IT network of the electric companies, and bypassed security filters in the firewalls. At the same time, they managed to break credential codes to access deeper levels of the system, controlling industrial communication busses such as the ones interconnecting uninterruptible power sources (UPS) and the supervisory control and data acquisition (SCADA) systems.
SCADA systems are process control systems (PCS) that monitor, gather, and analyze real-time environmental data. PCSs are designed to automate electronic systems based on a predetermined set of conditions, such as traffic control or power grid management. Managing to control the SCADA systems, the hackers accessed the electricity network, with the possibility of shutting down and severely damaging equipment.
Making Smart Safer
According to Michael McElfresh, adjunct professor of electrical engineering at Santa Clara University, technological advances in grid operation and the Internet of Things have made the power grid increasingly vulnerable to cyberattacks. “The growth of smart grid…has created many more access points for penetrating grid computer systems.”
All over the world, governments, consortiums, and groups of experts are engaged in a race to deploy security methods and protocols to make the grid safer. In the U.S., the set of critical infrastructure protection (CIP) standards issued by the North American Electric Reliability Corporation (NERC) became mandatory in 2007 for owners, operators, and users of the Bulk Electric System (BES) to ensure that certain assets on the grid critical to reliable operation are protected from both a cybersecurity and physical security standpoint. CIP is undergoing a wave of revisions, moving from CIP V3 to CIP V5, skipping V4, and accelerating V6. This pace reflects the situation faced by organizations that develop security standards in a fast-evolving world of threats.
Despite a number of initiatives within the European network and information security community to establish frameworks and standard operating procedures, the EU-level response to cyber incidents lacks consistency, although projects such as the EU-funded Smart Grid Protection Against Cyber Attacks (SPARKS) are showing very good signs of progress.
Step by step, the worldwide smart grid is getting stronger and safer, though the potential of threats remains high.
Because of the complexity and variety of connected devices (Figure 1), power supplies manufacturers will have to consider security when their products are integrated within a grid. Software-defined power architecture is being deployed quickly in the information and communications technology industry. Some systems, already installed in data centers, are connected to the grid and communicate through the SCADA system.
Even if there is little risk a hacker can send a command to a POL blasting a local core processor, it is still possible for UPS and even front-end rectifiers to receive fatal commands. The Ukrainian case triggered the alarm for all of us involved in developing power systems connected to the grid, sending a signal that we should never forget about the final application—to be smart security innovators to power the smart grid with excellence.
 Cyber-Attack Against Ukrainian Critical Infrastructure, IR-ALERT-H-16-056-01, U.S. Department of Homeland Security, February 25, 2016, https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01.
 Analysis of the Cyber Attack on the Ukrainian Power Grid, SANS and E-ISAC, March 18, 2016, www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf.
 Michael McElfresh, “Can the power grid survive a cyberattack?,” The Conversation, June 8, 2015, https://theconversation.com/can-the-power-grid-survive-a-cyberattack-42295.