Our critical infrastructure is too vulnerable to cyberattacks

Last week, Sen. Charles Schumer (D-N.Y.) confirmed that, two years ago, the Bowman Avenue Dam in Rye Brook, New York was accessed remotely by Iranian hackers – a move characterized as a “shot across our bow” and a clear indication of the tremendous risk that cyber attackers pose.

While an attack on a dam in Westchester is frightening, it is only symptomatic of the weaknesses in our critical infrastructure. A recent U.S.-led report produced by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) found that a “synchronized and coordinated” cyberattack shut down a large section of the Ukrainian power grid in December 2015, a situation which, if replicated in the U.S., could cost anywhere between $243 billion and $1 trillion.

The threat of a cyberattack on our critical infrastructure is very real and could have devastating effects on our communities, economy, and health and safety. The solutions put forth to address these risks must, therefore, be as realistic as the problems they are meant to solve. In suggesting solutions that only focus on separating utilities from bad actors, such as the call to isolate systems used to run critical infrastructure from the internet and limit the ability for remote access, the ICS-CERT report misses a simple truth: it is no longer an option to disconnect. These “airgaps”, as the industry calls them, are a fallacy in the 21st century.

If we stand any hope of tackling issues such as grid reliability and climate change, we need infrastructure that is smart and connected. This need for connectivity and greater insight into power usage is why the U.S. Government has granted utilities millions to install smart meters, and why companies like Utilidata are working to build an ever more advanced electrical infrastructure, capable of handling the addition of solar, wind, storage, and every energy innovation that the 21st Century promises.

Luckily there is an alternative – a course correction rather than backtracking on progress. There are a few simple steps that can keep a connected grid safe.  

First, within the utility industry, physical security and cyber security teams should be integrated and aligned. In most major utilities, operations technology – the actual electrical equipment – is overseen by different teams than the information technology that plays an ever-growing role in the modern utility. In a world where cyber attackers, like those in Ukraine, are using information technology to attack operations technology, the current practices put the grid and consumers at risk and affect the ways that utilities can anticipate, manage, and respond to cyber threats.

Second, the systems of government that regulate utilities must support cybersecurity investment. State public utility commissions were conceived to ensure consumers were guaranteed a level of service from their utilities. In the post-Ukraine attack era, the time has come to accept that coherent measures to respond to cyber threats are no longer a luxury, but instead a necessary part of the service that utilities provide. State utility commissions must start to incentivize security, through measures such as offering cost-recovery for cyber investments. Doing so will not only increase safety, but also speed investment, incentivizing further innovation.   

The Bowman Avenue Dam hack is only one example of the myriad cyber threats faced by our critical infrastructure. We must embrace innovation and tackle cyber threats head-on with safer, more connected infrastructure, lest we put both our infrastructure and the economy deeply in harm’s way.

DePasquale is chairman of the Rhode Island Cybersecurity Commission and CEO of Utilidata, a global software company working with utilities to redefine energy efficiency, reliability and grid security.