Phishing Attacks and the National Electric Power Grid
5 Solid Reasons: Why Homes With Solar Panels Sell Faster?
September 18, 2022
ACORE Reply Comments on FERC’s Transmission Planning NOPR
September 19, 2022
In 2019, the U.S. Government Accountability Office (GAO) warned about the vulnerability of the U.S. power grid’s supply chain. Any component of the grid could be hacked due to phishing or other types of cyberattacks, which could disrupt the electricity supply, and if a nuclear source is hacked, it would be a major disaster.
Phishing is a type of cyberattack in which someone acting as a legitimate organization attempts to trick a target into providing personally identifiable information, through emails, websites, text messages, as well as other forms of electronic communication. Cybercriminals are interested in stealing credit card details, usernames, passwords, bank account information and other credentials. They use this information for malicious purposes, like identity theft, hacking, stealing money through credit cards and bank accounts, etc. The aim is to exploit human psychology by pressing the right buttons of a target, in order to get them to take action, like make a phone call or click a link that will start the scamming process.
Some of the different types of phishing attacks include:
- Spear phishing: This type of attack is crafted to trick a specific person. The attackers may already have information about the targeted person.
- Whaling: This is a sub-type of spear phishing and is targeted to specific individuals with high-net worth, like business executives, celebrities, etc.
- Smishing: This type of an attack is typically deployed through an SMS message. Smishing has gained popularity with the rise in SMS messaging between businesses and consumers.
- Vishing: This type of attack is carried out through a phone call. A pre-recorded message may be used to call the target.
What makes the national electric grid vulnerable to cyberattacks?
The following are some challenges that make the U.S. electricity grid particularly vulnerable:
- It has three components: generation and storage; transmission; and distribution of electricity to commercial, residential and industrial users. Electricity generation sources include: nuclear, chemical, wind, solar, and hydroelectric.
- The distribution systems may be connected to smart meters, solar panels, and network devices.
- The national power grid consists of privately owned grids and substations.
- There are three power grid regions – eastern, western, and Texas (ERCOT), and each region has its own policies and cybersecurity strategies. Each stakeholder has its own budget and priorities that are not always aligned with the national level.
- Each power grid has its own machinery, equipment and power generation methods, so there is a lack of uniformity.
How can electricity grids protect against phishing attacks?
Power plants cannot assume that all their employees are knowledgeable and capable of detecting malicious phishing attempts, especially as phishing attacks continue to get more sophisticated. Here are some steps they should take:
- All employees should be given regular security awareness and phishing training. They should be taught how to detect, avoid and report attacks.
- Each operator in the power grid should examine their current state of security and readiness.
- Federal agencies should work with the industry, including providing financial support and incentives to improve and upgrade individual power grids to deal with future attacks.
- Power grids should stay updated with new standards being developed, including IEEE Wi-SUN field area network (FAN), which is designed for power grids.
- It is imperative that electric utilities work with their vendors to implement technical controls and processes to allow utilities to both meet their new regulatory obligations under NERC’s Critical Infrastructure Protection (CIP) standards and to provide for a secure grid.
Stronger leadership across the industry is essential to developing and overall cybersecurity mindset at all levels.
