By Bill Gertz
The U.S. Cyber Command will conduct large-scale military exercises this week simulating cyber attacks against critical U.S. infrastructure, and the war games will highlight the growing threat posed by foreign states capable of crippling the electrical grid and financial networks through digital attacks.
The exercise, known as Cyber Guard 16, is the latest annual war game involving scores of military personnel and civilians at the Fort Meade-based command. Other players will include officials from the Pentagon, FBI, Homeland Security Department, and private industry.
“Cyber Guard offers a fascinating, realistic (but not predictive) scenario of a cyber attack of significant consequence on U.S. critical infrastructure,” Maj. Gen. Paul Nakasone, head of the command’s National Mission Force, said last week.
Nakasone, whose mission team is tasked with defending military networks, also is in charge of the military unit that would be called in to counter and respond to a cyber attack on elements of critical infrastructure.
The month-long exercise is an example of both interagency security cooperation as well as working with private sector stakeholders in dealing with cyber threats, he told Federal News Radio in an online chat.
A command spokesman declined to provide details on the Cyber Guard exercise and referred questions to a fact sheet produce for last year’s version. The exercise ends June 29. Last year, 100 organizations from government, academia, industry, and allied nations took part at the Joint Staff Suffolk Complex, a high-security war-gaming facility in Suffolk, Va.
The command’s cyber warfare game comes amid concerns that the federal government is not doing enough to protect the electrical grid, arguably the most critical of the 16 different elements of critical infrastructure, as most other elements require electricity to operate.
Currently, the federal government is relying on a private consortium of companies that appears to be playing down threats to the power grid from cyber and other attacks.
The non-profit North American Electric Reliability Corporation is the official organization designated by the federal government to be in charge of setting security standards for electrical networks. It is responsible for making sure electrical owners and operators of the bulk power system are taking the steps needed to protect the lattice of power companies stretching throughout the United States, Canada, and Baja California, Mexico.
The private regulatory authority was given the task of setting grid security standards by the Federal Energy Regulatory Commission, or FERC. Testimony before the commission last week reveals that current industry standards for reporting cyber security incidents are allowing power companies to game the system to underreport potential attacks.
In 2014, for example, the non-profit corporation reported only three cyber security incidents, and a draft of the forthcoming annual reliability report is said to report zero incidents.
The consortium’s low numbers conflict sharply with those of the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Readiness Team that monitors infrastructure cyber incidents.
According to the DHS group, 46 cyber security incidents were reported in 2015, and 79 were reported the year before that. The department did not differentiate which energy sectors were involved in the cyber incidents but it is likely electric companies were among the targets in the numerous incidents.
Incidents involving electricity companies have included hacks into smart meters to steal power, failure in control systems that forced power plants to shut down, and malicious software that disabled safety monitoring systems.
“Clearly there is a gap in [North American Electric Reliability Corporation] cyber security incident reporting; this gap should be addressed by more stringent FERC-mandated reporting standards,” said Tom Popik with the Foundation for Resilient Society, a group that advocates for better grid security.
In April, Cybercom commander Adm. Mike Rogers voiced doubts about whether the command could help the country from multiple cyber attacks against the electrical power grid.
The danger was highlighted by the first known successful cyber attack against a nation’s power grid in December. Following the attack, which targeted Ukraine, the FBI in March began briefing American electric power companies on the threat to the U.S. power grid.
“We have the skills. The challenge for us at the moment is one of capacity,” Rogers said, noting a current shortage of skilled people could hamper efforts “if we had multiple events simultaneously.”
Rogers noted that the electrical power industry and a couple of others in charge of critical infrastructure are resisting efforts to bolster cyber defenses since doing so would require rate increases.
That seems to be one factor motivating the North American Electric Reliability Corporation to undercount in its reporting of cyber incidents.
A congressional General Accountability Office report states that since 2011 the Federal Energy Regulatory Commission has not been checking private electric companies to ensure they are complying with voluntary cyber security standards. The report recommended that the commission begin conducting periodic evaluations of security compliance. “However, FERC has not implemented this recommendation,” the GAO said in November.
“As they become increasingly reliant on computerized technologies, the electricity industry’s systems and networks are susceptible to an evolving array of cyber-based threats,” the report said.
The problem is not simply potential increased costs for cyber security by electric companies. Opposition within private industry to tightening cyber security of electric grid control networks also is the result of concerns over the large operational costs involved in shutting down power systems to hunt for and remove malicious software.
The dangers to the nation’s electric security are too great and protecting the most critical of infrastructures is too important. The Federal Energy Regulatory Commission should require power companies to invest in better cyber security—before a major cyber attack turns out the lights.
June 6, 2016