Going on Offense Against Electric Grid Attacks
It is not a question of if, but to what extent China has penetrated America’s electric grid through relentless, sophisticated cyberattacks.
As he was leaving office in January, FBI Director Christopher Wray told 60 Minutes, and anyone else who would listen, that China was positioned to “wreak havoc” on critical infrastructure, particularly the electric grid and water systems.
Wray said China has pre-positioned malware to “lie in wait on those networks” so it can “inflict real-world harm at a time and place of their choosing.” He had previously raised similar strident warnings in Congressional testimony and at a prestigious Munich security conference.
China can be expected to pursue the paths of least resistance for electric grid cyber penetration. It likely perceives that America’s 900 local electric cooperatives are more vulnerable entry points through which greater systemic damage can occur. Smaller water utilities are also a ripe target.
China is certainly not the only bad cyber actor out there. Criminals deploying ransomware to demand payment are also abundant, further underscoring the need for vigorous cyber protection.
Thus, electric and water companies have not only a business duty, but a patriotic duty to undertake comprehensive cyber protection, and to rip out troubling items already planted for potential future use. Organizations should no more tolerate unknown and likely vicious items in their IT and operational technology systems than they should allow strangers to run around their offices.
Other pressures are also significant. Insurance premiums are rising and qualifications for coverage are becoming more challenging. Electric cooperatives providing power to defense installations must now meet the standards of the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program, which took effect December 16, 2024.
Cyberattacks have become more sophisticated. For example, phishing messages can now appear to come from supply chain partners. The data generated by attacks is voluminous, so AI should be used to read and analyze it. There are also strict regulatory standards from the North American Electric Reliability Corporation that must be met, or companies face hefty fines.
Importantly, the National Rural Electric Cooperative Association (NRECA) will be examining these and related issues at a Cyber Tech Conference, June 24-25. It says, “Conference content specifically highlights co-op cyber and is designed to provide opportunities for peer-to-peer and industry-to-peer collaboration, skills development, and advancement.”
The NRECA conference will also look at both information technology and operational technology (OT) issues; OT is the remote monitoring and control of components in electric systems. A challenge for many companies is how to get flexible yet comprehensive coverage that can be scaled up as needed.
Among the solutions that will be exhibited is Binary Armor, a system from SNC that places an in-line device as a barrier to cyber intrusion while monitoring all communications to a piece of OT. It can also be integrated with SNC's security operations center.
One thing should be clear to electric cooperatives and others who operate critical infrastructure: cyberattacks are not going away or slowing down. Indeed, these attacks and infiltrations present a fundamental threat to companies’ operations and reputations that must be confronted.
With or without onerous federal and state regulations, proactive cyber protection is cost-effective, good business, and the right thing to do – for customers and America.
Paul Steidler is a Senior Fellow with the Lexington Institute, a public policy think tank based in Arlington, Virginia.