US plan to use "retro" technology to bolster power grid defences

Securing Energy Infrastructure Act plan will use low-tech used to improve the US power grid's cyber defences

The US has unveiled plans to use ‘retro' technologies to protect its power grid against cyber attacks.

The Securing Energy Infrastructure Act is intended to defend the US energy grid by "partnering with industry to utilize engineering concepts to remove vulnerabilities that could allow hackers to access the grid through holes in digital software systems".

Passed by the US Senate on June 28, the Act will explore ways in which automated systems can be replaced with lower-tech alternatives, such as manual procedures not connected to the internet, directly controlled by human operators.

US officials claimed that the approach would "thwart even the most sophisticated cyber-adversaries who, if they are intent on accessing the grid, would have to actually physically touch the equipment" while making "cyber attacks much more difficult".

Senator Angus King, who introduced the Act, said: "As our world grows more and more connected, we have before us both new opportunities and new threats.

"Our connectivity is a strength that, if left unprotected, can be exploited as a weakness. This bill takes vital steps to improve our defences, so the energy grid that powers our lives is not open to devastating attacks launched from across the globe."

The senator's office said that the legislation was inspired by the 2015 cyber attack on Ukraine's power infrastructure - believed to have been perpetrated by neighbouring Russia - that left 225,000 people without electricity.

That attack, which formed part of a series of attacks on Ukrainian infrastructure, was traced to the Russia-linked hacking group BlackEnergy. Further attacks and outages occurred a year later.

It added that the attack "could have been worse if not for the fact that Ukraine relies on manual technology to operate its grid".

Some of the steps that will be taken through the scheme include establishing a two-year pilot study to identify new classes of security vulnerabilities and research systems to mitigate attacks; establishing a working group to evaluate the technology solutions proposed by the National Laboratories; and, requiring the Secretary of Energy to submit a report to Congress describing the results of the program.

Andrea Carcano, co-founder of Nozomi Networks, said that while the approach may reduce cyber risks the associated operational impact should also be carefully assessed.

"Operational risk, safety, process excellence and cyber risk cannot be decoupled. Furthermore, the forces of industrial modernisation cannot be stopped or stalled. Organisations and governments should be taking steps to prudently enable digital transformation rather than thwart it," said Carcano.

"In the context of critical national infrastructure, the increased operating costs and inefficiencies could be tolerated if it reduces perceived cyber risk, but the approach needs to be carefully balanced.

"This is not the case within manufacturing and industrial processes where inefficiencies cannot be tolerated as they could result in the reduction of an organisation's competitive positioning in the marketplace."