Members of the Senate Intelligence Committee recently introduced legislation intended to improve cybersecurity for the U.S. power grid by reintroducing “retro” analog technology to grid control systems. Specifically, the Senators want to reengineer the last-mile of the grid by replacing the modern automated controls currently in place with older analog controls. Their goal is to prevent a Ukraine-style cyber attack from causing a nationwide blackout that lasts weeks or even months.

An admirable goal, but the proposed solution is shortsighted. Instead of spending millions of dollars and two years trying to downgrade grid technology, we should look for ways to improve security for the technology in use today and invest in the development of new, even more secure technologies for the future.

ADVERTISEMENT
The Securing Energy Infrastructure Act of 2016 (S.3018) has four main points:
  • Directs the National Labs to conduct a two year $10 million pilot program to identify new technology, including analog devices that could isolate parts of the grid from cyber attack.
  • Establishes a working group to evaluate proposed by the National Lab
  • Requires the Secretary of Energy to report to Congress on the results of the program
  • Further defines what a ‘covered entity’ is in relation to critical infrastructure of the energy sector

One of the sponsors of S.3018 was quoted as saying, “We can learn something from what happened in Ukraine,” referring to last December’s cyber attack on the Ukrainian power grid. Ukrainian power companies were able to quickly restore power despite having most of their critical computers wiped by malware because the lineman at each of the impacted electric companies physically drove out to each substation and switched them to manual control.

Here’s the problem: humans make mistakes, a lot of them. In fact, human error contributed to two of the largest power outages in recent memory, the Southwest Blackout of 2011 and the Northeast Blackout of 2003. Humans are also inefficient. This is especially true when it comes to things like automatically rerouting power distribution in the case of load imbalances as well as other complex tasks. Human mistakes and inefficiency come with a cost, a cost that consumers ultimately pay with their pocketbooks through higher electric fees and higher taxes. That’s why we computerized the electric grid in the first place.

This is also why the world has been removing and updating analog systems across all industries almost as fast as we can blink. Telephone calls, for example, are no longer routed over copper lines. Even those few holdouts who still have a physical landline to their house, that wire only goes as far as the local central office where the call is transferred to a data network.

The solution is not to cling to the past simply because we are afraid of the future. We know the security of the systems controlling our electric grid are inadequate and out of date. The solution should be to encourage innovation and deploy new and better technologies.

Instead of spending two years and $10 million dollars exploring ways to downgrade critical systems with even more outdated tech, we should instead invest that time and money into transforming security for the technology currently in place, and into building next-generation security features directly into the technology we will have in five or ten years from now. We should also make a greater effort at applying the cybersecurity lessons we have learned over the last 20 years on the internet directly to the electric grid. The problems are well known, but are left to fester because of an unequal application of knowledge and a lack of resources. $10 million and two years can go a long way to change that.


Cris Thomas is a strategist for Tenable Network Security.