CONTINUING COVERAGE

The Atlanta Journal-Constitution is committed to showing how technology affects our lives. From the “connected” car and “digital” home to today’s story on cyber security, the AJC is following trends that impact how we live.

“Smart” devices help us drive our cars more safely, monitor our homes from across the country and pay for something with a tap of our phone.

But could such technology become an Achilles’ heel?

Georgia Power and other utilities, for instance, use “smart” meters to remotely record how much electricity is being used at a home or business. The digital meters are part of a modern electrical grid that can be run by remote computer-based systems, cutting costs for the company and enabling customers to monitor their electricity use online.

Along with those advantages come concerns about keeping critical and personal information safe. Cyber attacks on the digital power grid or individual meters could cause a massive blackout or customer data theft.

“The threat is real. But this is an industry that … is accustomed to addressing threats on a daily basis,” said Philip Jones, president of the National Association of Regulatory Commissioners.

So far the threat has not become reality. But securing the nation’s infrastructure from cyber threats is a growing concern, and one that some say neither industry nor government has adequately addressed.

Last week Defense Secretary Chuck Hagel called cyber threats a “quiet, stealthy, insidious danger” to the U.S. and other nations. In one case reported last month, Iranian-backed hackers gained access to control-system software that could let them access oil or gas pipelines.

A Congressional report released last month said utilities are complying with existing security mandates but aren’t doing more on their own. Gen. Keith Alexander, the U.S. military’s top cyber commander, also said some utilities have lagged in spending on network security to stay ahead of hackers.

The U.S. and China just agreed to hold regular talks on cyber issues in efforts to curb what the U.S. government says are daily intrusions from China.

Closer to home, new federal cyber security requirements call for an estimated $9 million in changes at Georgia Power’s Plant Vogtle nuclear expansion project near Augusta, according to a document filed last August.

Changes include adding more hardware, software and people to set up a cyber security program to meet a new Nuclear Regulatory Commission standard for digital communication systems and networks.

Tom Fanning, top executive at Atlanta-based Southern Co., Georgia Power’s parent, said he gets briefed regularly on cyber terrorism and cyber threats.

Southern has installed 4.4 million smart meters across its four-state territory, which includes 2.4 million Georgia Power residential, commercial and industrial customers. The energy giant recently named a new head of information security to manage its cyber security risk.

“One of the worries I have – we get attacked all the time – is for somebody to use a gateway that gets opened up to your home to steal data, or to infiltrate the electric networks,” Fanning said at a recent Atlanta Press Club event. Such attacks have been unsuccessful.

Southern said its chief operating officer, Mark Crosswhite, is on a team of industry and government officials formed to ensure protection of the grid. The company received a “smart grid investment grant” that included a review by the Department of Energy in 2012. The review found Southern “has an established, mature cyber security program … with a cyber security team that is proficient and motivated.”

“This is an ongoing effort because the threat always mutates,” Fanning told the Atlanta Journal-Constitution. “We’re continuously working to ensure we adapt defenses to changing threats in cyberspace.”

One expert said utilities are looking to regulators and other government agencies for more direction.

“This is an incredibly complex issue,” said Andrew Howard, a research scientist at the Georgia Tech Research Institute. “I think it’s easy to say the sky is falling here, but I don’t think that’s the case. There are concerns here, and they are trying to be addressed.”

The chief risk with smart meters is theft of personal information, such as bank or credit card numbers, officials say. But the risk could be broader: If a hacker got into a smart meter system and turned off 100,000 meters, the rest of the grid would overload and become unstable, leading to blackouts.

Georgia Power — which says there are no known cases of the smart meters being hacked — started installing smart meters in 2007 and finished the installations across its territory at the end of 2012. The company says it sends customer data over a private network and stores the information on secure servers.

The bigger concern is the power grid — the network of power plants, transmission lines and wires that let utilities deliver electricity to homes and businesses. Risks include remotely shutting down a number of power plants, which could lead to blackouts.

Threats include other nations, so-called hacktivists who break into computer systems, or simply lone wolf hackers. Such hackers have targeted the oil and gas industry, including the pipeline system, trying to infiltrate computer systems to obtain proprietary information, but there have been no known reports of successful attacks on the electric utility industry in the U.S., officials and experts say.

A 2007 experiment dubbed “the Aurora project” showed how a $1 million diesel generator could be destroyed when a hacker with remote access to controls at the Department of Energy’s Idaho National Laboratory was able to continuously turn it on and off.

“The most important cybersecurity problem to deal with is the power grid, not because (a cyber attack) is likely, but because it’s catastrophic,” said Martin Libicki, a senior management scientist at Rand, a nonprofit public policy think tank.

Federal regulators are working to update rules, including one that requires utilities to routinely test equipment and systems to see where hackers could get in.

The utility industry says it is working with agencies including the Department of Homeland Security and the Department of Energy to beef up security standards.

“The industry certainly is improving the way in which it protects its system,” said Brian Harrell, associate director of critical infrastructure for the North American Electric Reliability Corporation, an Atlanta-based not-for-profit that oversees the nation’s major power grid operations.

“The threat is continuously evolving. What we want to do is create that solid baseline of security where it’s going to be difficult to get into the bulk power system.”