The US is very close to improving power grid security by mandating the use of "retro" (analog, manual) technologies on US power grids as a defensive measure against foreign cyber-attacks that could bring down power distribution.
The idea is to use "retro" technology to isolate the grid's most important control systems, to limit the reach of a catastrophic outage.
"Specifically, it will examine ways to replace automated systems with low-tech redundancies, like manual procedures controlled by human operators," said US Senators Angus King (I-Maine) and Jim Risch (R-Idaho), who introduced the bill on the Senate floor in 2016.
The bill now needs approval from the US House of Representatives, where SEIA had been introduced as part of the National Defense Authorization Act for Fiscal Year 2020.
If approved, the SEIA bill would establish a two-year pilot program with the National Laboratories to study power grid operators, identify new vulnerabilities, and develop new analog devices that could be used to isolate the most critical systems of covered entities from cyber-attacks. It would also establish a working group to test the newly developed analog devices.
SEIA bill inspired by 2015 attack on Ukraine's power grid
Senators King and Risch said SEIA was inspired and set in motion by the 2015 cyber-attack on Ukraine's power grid, in which suspected Russian hackers crashed a portion of the country's power grid, leaving more than 225,000 Ukrainians without power on Christmas Eve.
The attack only impacted the power grid in Ukraine's western region, near the capital, Kyiv.
"The attack could have been worse if not for the fact that Ukraine relies on manual technology to operate its grid," Senators King and Risch said.
Through SEIA, they are now trying to limit the damage of any cyber-attack on the US power grid, in a way similar to how the attack was contained in Ukraine.
Increased cyber-activity targeting the US energy sector
The bill's approval comes after US cyber-security firm Symantec reported in 2017 that a Russian-linked hacker group known to go after power grid operators had expanded its targeting to include the US.
All of these signs point to an increasing focus from both western and eastern cyber threat actors on power grids, and rising tension in the respective governments.
"There are definitely concerns in the western electric sector with multiple, concerning adversaries at least working to satisfy the prerequisites necessary to engage in future disruptive events," Joe Slowik, Principal Adversary Hunter at Dragos, Inc., a cyber-security firm specialized on industrial control systems, told ZDNet today in an interview.
"However, short of conflict, a CrashOverride event [Ukraine power grid attack] in the US seems highly unlikely," Slowik added.
Prevention and investment
Both Slowik and fellow Dragos employees have been ardent in recent years about not overhyping in the media the dangers posed to the US energy sector, and about pushing government officials towards helping organizations shore up defenses.
In a 2018 Senate hearing, Dragos Inc. CEO and Founder Robert M. Lee argued that US officials should refrain from passing new regulation targeting the industrial sector so that organizations could catch up to current standards and regulations.
Using SEIA to isolate and segment portions of the US power grid in the case of an attack is a good start, but Slowik, just like Lee, argues for a different approach.
"Regulation is good to force people to do things but is often backward looking and not nuanced enough to capture real problems," Slowik said. "In the case of US electric, I think - based on my own experience - companies are already taking threats seriously and are working to improve.
"A better approach, in my opinion, would be providing support and resources to smaller municipalities and co-op utilities that can't afford to invest in security," the Dragos researcher said.