Argentina isn’t ruling out a cyberattack as the possible cause for the mass outage that affected millions of people in five South American countries over the weekend. Even if that incident turns out to have a more innocent explanation, the U.S. government is stepping up digital incursions into Russia’s power grid, the New York Times reported Saturday, citing unnamed officials.
The growing threat from hacking is somewhat inevitable given the way our power systems are changing. Electricity networks are traditionally highly centralized, with limited ability to monitor and control supply and demand in real time, leaving grid operators dependent on forecasting unusual consumption spikes to prevent the system from falling over.
The spread of smart metering and automated control systems has changed that landscape, with more than 10% of global grid investments – equivalent to some $30 billion a year – now dedicated to digital network infrastructure. The grids of the near future are likely to be increasingly decentralized: Owners of domestic refrigerators, air conditioners and industrial facilities will be compensated for switching off to smooth out demand peaks; home, vehicle, and utility-scale batteries will buy cheap electrons and charge up in times of excess generation.
The problem here is the vast amount of infrastructure needed to support such a setup. Any smart electrical grid needs a parallel telecommunications network to collect and harness the volumes of data it will generate, and that makes every connected thermostat or smart refrigerator a potential entry point for cyber intruders.
About 588 million smart meters will be installed worldwide by 2022, according to a report last year by GlobalData UK Ltd., a consultancy. Once you include other connected devices and grid operators’ own control systems, that’s only the tip of the iceberg. Stuxnet, the worm that crippled Iran’s nuclear enrichment facilities in 2010, appears to have been initially spread via an infected USB drive smuggled into one of the plants and plugged into a computer.
Faced with that ever-growing and diversifying list of weak spots, industrial companies are only slowly waking up to the scale of the risk. Overall, about a third of businesses surveyed by Kaspersky Labs Ltd. had suffered at least one cybersecurity incident during 2018, but less than a quarter are compliant with regulations and guidance on preventing intrusions.
For one thing, malicious hacks of electrical grids are far more likely to emerge from sophisticated state actors, who are better at covering their tracks and lying low for years until launching an attack.
For another, the cost of leaving a door open could be far greater. A hack of an internet company or credit-card database will compromise personal information, but – as a 2015 attack on Ukraine’s power grid demonstrated – electricity network intrusions could leave hundreds of thousands without power for hours, or longer.
Our lives are dependent on such utility systems operating in the background, cleanly and without incident. The outage in South America is a reminder of our vulnerability in a more uncertain world.