MINNEAPOLIS — Attendees at this week’s GridSecCon security conference may not have expected discussions of extreme weather at an event normally dedicated to cyber and physical risks to grid reliability. But presenters at the conference, hosted by the Electricity Information Sharing and Analysis Center (E-ISAC) and the Midwest Reliability Organization, emphasized that securing the grid will require understanding the impacts of the changing climate.
The topic was introduced early by Sunny Wescott, chief meteorologist for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Wescott’s keynote address outlined “a wide array of different climatological hazards” to the security and reliability of the electric grid and warned against adopting an “if it ain’t broke, don’t fix it” attitude by judging future weather events against those the grid has already endured.
“If you take a sledgehammer and you hit a concrete wall, I would hope that your concrete wall can withstand that first sledgehammer hit,” Wescott said. “Does that mean that that wall is structurally still as sound as it was … prior to being hit? Likely not. … If you pick up a bigger and bigger sledgehammer, over time, you are doing enough damage that you will eventually break through.”
The meteorologist painted a sobering picture, prompting NERC CEO Jim Robb to later joke that he might “track down her parents and ask what they were thinking when they named her Sunny.”
Wescott’s address went beyond the well-known threats posed by the “sledgehammers” of increased storm activity, flooding, drought and wildfire. She also pointed out several dangers more familiar to the GridSecCon attendees, noting that in the aftermath of a major disaster, as crews work to restore power and rebuild damaged equipment in the affected areas, opportunistic actors could try to take advantage of the chaos.
“When you have a community go without power for a prolonged period of time … you’re moving backup generators, [the threat actors] are following them, and they’re trying to get them on the back end of you hooking them up,” Wescott said. “This has become an increasing threat for small business owners, as well as most of our critical sites. Even our telecom groups are reporting this as an issue.”
Another concern for CISA is threat actors posing as recovery crews and looking for items to steal.
“They’ll show up and they’ll rip apart parts of your roof, or they’ll gain access to different materials. And then they’ll leave, and you haven’t checked their credentials because the power is out; you didn’t have connection,” she said. “This is an additional threat as we go forward. It’s not just the mis-, dis- [and] malinformation of scams. It’s all of the additional threats that come from society being impacted by these weather events as well.”
Not all the difficulties Wescott highlighted were security-related. She also pointed to damage the changing climate can do to the bodies of recovery crews, mentioning responders who suffered burns just from the air on extremely hot days, and the speed with which dehydration can set in when crews are working in drought conditions, along with many other health conditions exacerbated by severe heat and humidity.
Attack Multiplier
Wescott’s theme was picked up in a later presentation by Travis Moran, senior reliability and security advisor at SERC Reliability. Speaking on “Weather as an Attack Multiplier,” Moran reminded attendees that the strategic use of bad weather “goes back to the days of Napoleon” and continues today as Ukraine’s electric industry prepares for another winter in a war that has “damaged over 40% of their generation and transmission capability.”
The fact that the U.S. is not actively engaged in war with any of its cyber adversaries, such as Iran, North Korea, Russia and China, does not mean utilities can rest easy, Moran emphasized. He pointed out that the increasing use of internet-connected technology on the grid, and the spread of cyberwarfare capabilities to even smaller threat actors, mean the threat landscape continues to grow and evolve.
“This is [not just] a part of military doctrine anymore. This is part of adversarial doctrine all the way down to violent extremists,” Moran said. “If I attack you during a particular time of heat, for example, or a particular time of cold, I get to exacerbate the effects. Whatever your twisted modality is, it kind of highlights what you’re planning on doing, an impact you want it to have.”
He urged utilities to examine their worst-case scenarios and then imagine how a well-timed cyberattack could make things worse, using the damage from Hurricane Helene as an example.
“You look at western North Carolina right now, and the psychological impact of not having power for weeks is really wearing at these folks,” Moran said. “But had you known that that event was coming beforehand, and you attacked that infrastructure before that weather event, the multiplication of this in terms of the suffering and psychological impact would have been huge.”