With hackers always on the prowl, local utilities keep defenses up

The Harrisonburg Electric Commission’s West Market Street substation. Photo by Eric Gorton.

By Eric Gorton, Contributor

While local officials and experts say cybercriminals couldn’t actually shut down the local grid by hacking into systems controlled by the Harrisonburg Electric Commission and Shenandoah Valley Electric Cooperative, the attackers have plenty of other incentives to try, and they never give up.

“It’s a constant barrage,” said Brian O’Dell, general manager of HEC, adding that it is difficult to quantify the number of attempts hackers make trying to get into HEC.

Wayne Hannah, chief information officer for SVEC, said the utility sees about 200 attempts a day from foreign and outside systems trying to enter its network. That count consists mostly of bots, automated hacking machines that search through all possible IP addresses hoping to find a way into any of them. It does not count phishing emails, which are more prevalent and tend to be more successful.

“They make a lot of attempts. They knock on a lot of doors,” he said.

In April, the Biden administration announced a 100-day initiative combining federal government agencies and private industry to protect the nation’s electric system from cyberattacks. The push encourages owners and operators of power plants and electric utilities to improve their capabilities for identifying cyber threats to their networks and includes milestones for them to put technologies into use so they can spot and respond to intrusions in real time.

O’Dell and Hannah said they do not expect any new requirements for their utilities and that they already maintain high levels of security.

“We identify threats and protect our systems using modern mainstream multilayered intrusion protection software, modern firewall technology, anti-spam filtering and routine scanning of all devices,” O’Dell said. He added that the industry provides guidance and recommendations on cybersecurity protocols and notifications of new targeted threats.

“We have a lot of systems in place to prevent intrusions,” Hannah said, noting they are monitored 24 hours a day.

Among the security measures used by SVEC, Hannah said, is a tool developed by the National Rural Electric Cooperative Association that helps evaluate and test cybersecurity readiness.

SVEC also coordinates with the State Corporation Commission, the Virginia Fusion Center, the Department of Homeland Security and other coops across Virginia and the nation to address cybersecurity, he said.

Andy Hall, a professor of cybersecurity at Marymount University in Arlington and a former director of the Army Cyber Institute at the U.S. Military Academy at West Point, said knocking out large segments of the U.S. electric grid is not as easy as disrupting the flow of petroleum the way Russian hackers did May 7 by getting control of systems controlling the Colonial Pipeline.

“You’re not just going to knock out the power across the entire country,” Hall said. “There are all these doomsday scenarios, but there is no easy way yet to just take everybody off. You don’t just cyberattack everybody and take the grid down.”

Resiliency built into the electric grid aids in its security. Companies that control the grid, such as PJM Interconnect — a regional transmission organization that coordinates the movement of wholesale electricity in all or parts of Delaware, Illinois, Indiana, Kentucky, Maryland, Michigan, New Jersey, North Carolina, Ohio, Pennsylvania, Tennessee, Virginia, West Virginia and the District of Columbia — have the ability to move power around through various suppliers. “If the power goes out in an area, there are ways to get it back,” Hall said.

Trucking became the main fuel delivery method in the areas affected by the Colonial Pipeline closure.

If hackers cannot disrupt power service in the central Shenandoah Valley, why do they continue to look for ways into HEC and SVEC?

“It’s hard to say exactly, but I can guess that gaining control, installing ransomware and just to complete the conquest could be a few,” O’Dell said.

Hannah said there are several kinds of hackers and their motives determine what they go after. “You have state-supported hackers who have intended targets, you have groups who are in it for money, in it to make a social statement and those who are in it just for the challenge. … They’re criminals like any other criminal. If you think of somebody just going down a row of houses or down the street and looking for that car that’s unlocked, that’s where hackers start in most cases.”

If hackers were successful compromising SVEC systems, Hannah said, they could get account and billing information that might be used in attempts to make money through phishing campaigns, sending emails to customers that appear to be coming from SVEC. But it would involve a lot of work.

Financial gain was the motive for hacking the Colonial Pipeline, which agreed to pay the DarkSide ransomware ring nearly $4.4 million so it could restore its operations.

In 2019, there were more than 100 known ransomware attacks perpetrated against state and local governments, including large cities like Baltimore and Atlanta, according to a recent blog post by the Council on Foreign Relations.

In the post, the authors stated that other incentives for hacking include “causing reputational harm, liability exposure, or loss in share value if an organization is publicly traded.”

Hall said hackers can look to Mother Nature when selecting targets.

“The question is, how does power get knocked out? If the power goes out, what caused the failure?”

A joke in the industry, Hall said, is “cyber squirrels” because squirrels cause a lot of power outages by chewing on things or just knocking things off.

Hackers look for places lacking redundancy.

“You find things that are being optimized,” Hall said. “Optimization is the opposite of resilience. You don’t have the backup. When everything has been optimized so that it works efficiently, it’s also easy to hack.”

Hannah and O’Dell said the local utilities are constantly looking to improve their cybersecurity.

“I feel like if we’re not improving, then we’re falling behind,” Hannah said. “I tell our board, we have to get it right every single time. The bad guys only have to be right once.”

Journalism is changing, and that’s why The Citizen is here. We’re independent. We’re local. We pay our contributors, and the money you give goes directly to the reporting. No overhead. No printing costs. Just facts, stories and context. We’re also a proud member of the Virginia Press Association. Thanks for your support.
