Terrorists take aim at PG&E. Can it shield itself?

Terrorists would like nothing better than to bring down Silicon Valley in one fell swoop. One way is to cut off its electric power. But PG&E is arming itself, too.

Ben Arnoldy/Staff
One way to bring down Silicon Valley would be to attack the infrastructure of San Jose, Calif., and surrounding communities.

After masked gunmen popped out of a manhole into a San Jose, Calif., substation last year, firing automatic weapons and destroying 17 transformers, Pacific Gas & Electric Co. (PG&E) got the message. The utility will spend $100 million over the next three years beefing up security across its Northern California operations, in a region that is home to many of America's high-tech giants.

In a world where terrorists are looking to stage dramatic attacks, Silicon Valley represents a huge opportunity. One way to bring it down is by attacking the electric grid that powers it – not just with cyber weapons but also with physical assaults. How PG&E responds to these threats is an early test of how well utilities in the United States, especially those serving high-profile centers of finance and government, will protect themselves from an amorphous, ever-evolving enemy.

“The bad guys are getting smarter,” says Siobhan MacDermott, chief information security officer for Utilidata, a Providence, R.I.-based firm that advises companies on how to protect their critical infrastructure. “It used to be that Wall Street companies were attacked, cyberwise. Then the attackers started to look at where they would get the most impact: Google, Facebook, Amazon – all of which are in Silicon Valley and in PG&E’s network.”

The good news is that PG&E has hired the best minds and is investing plenty of money to deter such violations, she says in an interview.

The company will start by erecting fences that can obscure sensitive operations, improving lighting, and strengthening both physical security and cybersecurity. The company will also enhance its internal and external communications, and its coordination with local law enforcement – all things that it revealed at a workshop it held before the California Public Utilities Commission.

One of the secrets to its success is that PG&E is bridging its information technology department with its operations unit, meaning that those who are responsible for securing the company are communicating closely with those who keep the lights on, Ms. MacDermott adds.

Plenty can go wrong. One common way that cyberattackers can enter secure systems is by impersonating key corporate personnel, she says. Unknowing employees then provide the names and passwords that allow attackers to access sensitive information. Or attackers plug USB devices into networks by using a power box located near the facility, giving them entry.

“Utilities need to continually increase cyber security awareness and accountability to strengthen the weakest link: humans,” adds Scott Marshall, senior consultant for critical infrastructure at Norway-based DNV GL, in an e-mail.

The electric grid is a fat target for two reasons. First, it's a critical economic asset. A single brownout can cost as much as $10 billion, which comes in the form of direct losses as well as lost opportunities, estimates the Federal Energy Regulatory Commission, or FERC. Second, the grid is vast: some 200,000 miles of wires serving more than 300 million people and valued at $1 trillion.

The Department of Homeland Security reports that in 2012 there were 198 attacks on oil pipelines, electric grids, and other critical infrastructure assets – and that utilities may need better insight into who has access to these areas. Because the network is so interconnected, managerial and information systems should be capable of catching internal errors or intentional sabotage, concludes a November 2012 report by the National Academy of Sciences.

The question for lawmakers is whether the FERC should require utilities to take certain precautions, such as forcing background checks on key employees, as suggested by Democrats in a congressional study last year, or whether today's largely voluntary system is better.

Power companies are already supposed to certify with the FERC that they have developed robust systems that can continue to generate and deliver power if attacked. To comply, they are describing their potential risks based on historical accounts. But utilities prefer voluntary efforts, noting that as owners of the assets, they are naturally motivated to secure them. More than 200 utilities and several government agencies participated in an emergency drill last fall that simulated prolonged blackouts from both physical and cyber attacks.

Utilities have yet to deploy new physical and cybersecurity systems on a wide scale, mostly because the threats are continually evolving in type and sophistication and because companies must budget for such unforeseen threats. But as the spotlight shines on these issues, utilities and regulators are motivated to act.
