October 2, 2024
Experts Urge Utilities to Train, Collaborate on Cybersecurity
Experts in cybersecurity painted a somewhat dire picture at Infocast's Federal Energy Policy Summit when detailing the threats to the electricity industry.

By Michael Brooks

WASHINGTON — Experts in cybersecurity last week painted a somewhat dire picture when detailing the threats to the electricity industry posed by countries such as Russia, Iran, North Korea and China.

Perhaps the only thing they described that was more worrying than hackers’ persistence and the inevitability of a major attack on the U.S. grid was the No. 1 cyber risk: lack of common sense.

Jerome Farquharson at the Federal Energy Policy Summit | © RTO Insider

Eight out of 10 cyberattacks are caused by people making very poor decisions, said Jerome Farquharson, a cybersecurity consultant at Burns & McDonnell. “One of the biggest things, and I always say this when I sit down and start talking about cybersecurity and trying to close the gaps, is that cybersecurity [requires] a common-sense approach,” he said. “If we just did some very simple things, we can start making ourselves secure.

“Human nature by itself is very trusting. But when we start training people, for an example, not to use USBs [thumb drives] or not to click on email links [when] you know you’re not winning the lottery any time soon, [they] still click on them! … We go to vendor shows, and guess what vendors give out? USBs.”

Farquharson told several stories to illustrate his point. In one, an employee allowed his children to play on his laptop — the same one he used to perform system maintenance at a substation. The laptop became infected with malware at home, then went on to infect the substation’s system and his colleagues’ computers, leading to a control center outage.

In another example, Farquharson’s team sent phishing emails to a company’s 200 employees to test them after it had trained them in cybersecurity awareness for a week. More than 90 employees clicked on the links in the emails. After retraining those employees, it conducted another test a week later. More than 50 of those employees still clicked on the links.

In a different training exercise for another company, Farquharson’s team scattered USB thumb drives infected with malware throughout the company’s building and parking lot. Twenty employees picked them up; 10 plugged them in.

“The biggest threat sometimes is the human factor,” he said. “And so that’s where you have to really [spend] a lot of time on training and awareness.” The most secure companies are those with consistent, regular training, he said.

At the Federal Energy Policy Summit (left to right): Jim Cunningham, Protect Our Power; Amelia Estwick, Excelsior College; and Karla Perri, University of Maryland University College | © RTO Insider

On another panel at the summit, Jim Cunningham, executive director of nonprofit Protect Our Power, said he sees similarities between the pre-9/11 airline industry and the state of the electricity industry’s cyber defenses today. He recounted his experience witnessing the explosion caused by United Airlines Flight 175 crashing into the South Tower of the World Trade Center on Sept. 11, 2001. He recalled that television media at the time were calling the attack “sophisticated.”

“I thought, ‘Oh my God, that’s wrong.’ It was 19 guys with boxcutters; it was an unprepared airline industry; and it was an unprepared security industry,” he said. “We were paying people at the airports $10/hour to keep bad people off the planes. And we didn’t spend a few extra bucks to take those thin doors that were in front of the cockpit and make them stronger.”

Cunningham’s organization recently published a report focusing on the solar inverter supply chain. It found that about 47% of the world’s inverters come from Huawei, “a company that is banned by the U.S. government from the telecommunications business,” he said. The report says evidence is mounting that Huawei regularly flouts U.S. and international laws. “A threat actor with access to the inverter supply chain allows the manipulation of massive quantities of inverters, the ability to embed malware into the operating system away from the end-consumer and to operate under the veil of a reputable manufacturer,” it says, and makes several recommendations to mitigate the risk.

Ronald Keen | © RTO Insider

Still, preventing a catastrophic cyberattack on the grid “is the equivalent of a modern-day moonshot,” Cunningham said. “We’ve got to get everybody together, we need to get all the money we need and we have to get the smartest people on this issue to come up with a solution now.”

Ronald Keen, senior energy adviser at the Department of Homeland Security’s National Risk Management Center, said the days of companies independently defending themselves “are pretty much gone. We need to begin looking at cohesive defense: defense where we’re working together. We need to be able to start working together to design multilayered defenses that work with each other.”

