MIAMI — The world is becoming “a scary place” for those defending the electric grid against cyber and physical security threats, representatives of the Electricity Information Sharing and Analysis Center (E-ISAC) told the NERC Board of Trustees’ Technology and Security Committee at its meeting Feb. 12.
Matt Duncan, the E-ISAC’s vice president for security operations and intelligence, said “the watch order for the E-ISAC going forward is ‘be ready’” in the face of continuing threats from international adversaries like China, Russia, Iran and North Korea. In particular, he noted that suspicious activity from China “has continued unabated” amid the country’s stated plans to have the capability to invade Taiwan by 2027, potentially sparking armed conflict with the U.S.
“The naming and shaming defenses that we’ve put in have not stopped the persistent cyber espionage and possible prepositioning in critical infrastructure networks in North American and allied countries” by Chinese operatives, Duncan said. He mentioned the Salt Typhoon group, which was recently found to have breached the networks of multiple telecommunications firms, along with the Volt Typhoon group accused of infiltrating U.S. infrastructure organizations for at least five years. (See CISA Leader Reiterates China Cyber Warnings.)
“While there is no credible, specific and imminent threat to the grid, this [malicious] activity is continuing, which suggests that preparedness and investment in our cyber defenses, as well as increased information sharing, [are] essential to keeping the lights on,” Duncan added.
The cyber attackers targeting the grid tend to use similar tools and techniques, he said: probing identity and access management, unpatched firewalls and open ports, and using social engineering tools supported by artificial intelligence to trick human grid operators. Duncan stressed that “the best defense is the training of the humans that are on the network,” rather than investments in technology.
One tool for this training is the E-ISAC’s direct share program, Duncan observed, through which the organization researches cyber and physical security gaps on behalf of the industry and shares them proactively with members and partners from other industries.
Last year the number of direct shares to electricity industry asset owner or operator member organizations grew by 2.3% to 748, Duncan said; conversely, the number of shares sent to independent partners of the E-ISAC — organizations in other critical industry sectors or the government — declined by 6.5% to 2,790. The E-ISAC attributed these shifts to “a renewed focus on the electricity and gas industries and their equipment, and improved email security.”
Media Frenzy Fed Drone Sightings
Duncan also discussed the unusually high number of drone sightings reported in December. Numerous citizens on social media described seeing unexplained unmanned craft in the sky that month, and the FBI said it had received more than 5,000 reports of drone sightings through its tiplines.
The Federal Aviation Administration temporarily restricted drone flights over 22 cities, though investigators later determined that there was nothing suspicious about the reports and that all of the sightings were either lawful drones flown by hobbyists and law enforcement, or planes, helicopters and stars mistaken for drones.
Duncan acknowledged that the E-ISAC also received a large number of reports of drones flying near critical infrastructure equipment in December, which were described in accompanying material (page 29) as being equal to about half the number of reports normally received in a two-year period. However, he emphasized that the E-ISAC determined there was no threat to grid reliability. The uptick in reports was driven largely by the media attention given to drones in general, he said.
Drones can be used to attack grid facilities, as in the case of a Tennessee man charged with planning to rig an unmanned aerial vehicle with explosives and fly it into an electric substation. (See Feds Accuse Tenn. Man of Substation Attack Plot.) While Duncan pointed out that drones do have legitimate uses for electric utilities, he said the E-ISAC must continue to work with partners to address their potential dangers.
“The challenge, of course, [is that] there’s not a lot that can be done in the mitigation front yet, but we’re working with the [Federal Aviation Administration, the Cybersecurity and Infrastructure Security Agency] and industry to make them aware of the potential impact and request additional support,” Duncan said.