The California Independent System Operator, which oversees about 80 percent of the state's electricity consumers and 26,000 miles of transmission infrastructure, is a busy place. It's also a target.
"We are looking at several millions of undesired communications trying to connect with us per month," said Hubert Hafner, who as manager of Information Security Technology makes it his job to ensure that California's grid remains secure from cyberattacks.
"That's our No. 1 risk," Hafner said recently while attending an energy conference hosted by the Institute of the Americas at UC San Diego. "That's why it's getting a lot of priority and, accordingly, a lot of resources."
Hafner would not divulge the exact amount that California ISO budgets on information security and tools aimed at fending off a practically unending number of cyberthreats but said it runs in the millions of dollars each year.
"Our hypothesis on a day-by-day basis is we assume that our attackers are continuously looking at our networks, searching for vulnerabilities and trying to exploit them, and we are continuously hunting for them," Hafner said.
Established in 1998, California's system operator acts as the nerve center for the state's power grid. It not only balances the flow of electricity in California but also makes power purchases to match demand and avoid power outages.
Nicholas Abi-Samra, a power systems expert and an adjunct professor at UC San Diego, said he is not surprised to hear that California ISO is fending off so many potential attacks from bad actors.
The energy sector "is the lifeline for everything," Abi-Samra said. "The California electric grid, and those from other states, could become even more frequent targets for cyberattacks due to their ability to cause abrupt chaos by starting widespread blackouts."
The electric industry, guided by the Federal Energy Regulatory Commission and the North American Electric Reliability Corp., has put in place regulatory security rules that provide a minimum set of requirements to protect critical infrastructure. These include a separation of the cyber assets that manage the electric grid from the rest of the enterprise.
"I'm confident that between the separation and our protection, detection and controls, we would detect (potential attacks) early enough so they would not cause harm to the electric grid," Hafner said.
Ironically, as utilities modernize the electric grid with smarter and more efficient products and programs, the number of points where an attacker can try to enter the system or extract data increases.
"If everything is connected, everything could be a point where you can inject something or do something to the grid," Abi-Samra said.
The U.S. Department of Energy recently reported in a vaguely worded filing that a malicious "cyber event" had disrupted grid operations for a utility serving parts of Utah, Wyoming and California. Since it was first reported by E&E News, the Department of Energy has not released the name of the utility, and the "denial of service," or DOS, attack did not result in any outages and did not affect system reliability. The incident occurred on March 5, and though its effects appeared to be relatively minor, it marked the first time a digital attack is known to have interfered with electrical grid operations in the U.S.
In a DOS cyberattack, a targeted network is inundated with bogus traffic, making it difficult for the victim's computers to operate normally.
Hafner said the California ISO works closely with the U.S. Department of Homeland Security and the FBI when the system operator receives "threat indicators" in its networks. The ISO does not make determinations on where the attempts are coming from or who is behind them. "Attribution," as it is called, is Homeland Security's job.
Hafner declined to say where the attacks on the California ISO are coming from but said DHS analysis of data points leads to frequent and likely suspects. Some of the attempted attacks come from hackers, who often look to make money by trying to plant a ransomware virus that can infect a victim's digital property and deny the user access unless the victim pays up.
"But we are not only in the cross-hairs of hackers that are out there for financial gain; we are also in the cross-hairs of terrorists and nation-states that want to harm the electric grid," Hafner said.
In the spring of 2001, the Los Angeles Times learned the California ISO had been targeted by hackers in an attack routed through China Telecom in Guangdong province. According to a confidential ISO internal report obtained by the Times, the attack lasted 17 days, at the height of California's energy crisis. ISO officials said the attack posed no threat to the grid, but the system operator was criticized at the time for not alerting the Legislature.
Hafner's cybersecurity team is particularly alert to spear phishing attempts aimed at California ISO employees.
Since Hafner came to the ISO seven years ago, the system operator has established an awareness training program consisting of monthly tests and disciplinary guidelines set by the executive team. Hafner said the program has greatly reduced the likelihood of employees clicking on emails from potential malware sites.
Hafner would not disclose specifics of the program because he didn't want to give hackers too many clues but said ISO employees "take it very seriously."
The energy sector in the U.S. has become a prime target for cyberattacks in the past decade, the Department of Energy said in a report detailing its multiyear security plans.
Energy infrastructure and sites experienced more cyberincidents than any other sector between 2013 and 2015, accounting for 35 percent of the 796 incidents reported by sectors deemed to represent critical infrastructure, according to DHS' Industrial Control Systems Cyber Emergency Response Team.
"I think we have reached a high level of maturity in our information security program," Hafner said. "But never say never. ... You have to be very vigilant and continuously working on updating your systems and controls."
Abi-Samra said much the same thing.
"I don't go to bed worrying because we have built so much redundancy in the system, we have so many smart people and checks and balances in terms of these kind of threats," he said. "I think our system has proven to be solid but nevertheless, that doesn't mean that it's invulnerable. I think it is vulnerable and that's why we keep changing and trying to get ahead of the curve in terms of cyberattackers and physical threats ... It is a very tight rope we are walking over here."
(c)2019 The San Diego Union-Tribune. Distributed by Tribune Content Agency, LLC.