DHS walks back utility cyber warnings as Southern CEO says no grid emergency

Dive Brief:

Hackers targeting the U.S. electric system do not have the ability today to cause widespread power outages, a senior Department of Homeland Security official said Tuesday, tempering an announcement from the agency a week ago that said cyber criminals have the ability to "throw switches" on the grid and cause large power disruptions.
Cyberattacks on the grid are a constant, DHS Undersecretary Christopher Krebs told reporters on the sidelines of a security summit, but the only power asset that hackers have successfully accessed was a renewable energy generator that "would not disrupt the grid" if it were taken offline.
The cybersecurity threat to the grid does not constitute an "emergency" that demands federal intervention to save coal and nuclear plants from retirement, Southern Co. CEO Tom Fanning told reporters at the same conference. Krebs declined to say whether he considers the threat an emergency, as did Secretary of Energy Rick Perry, whose agency is crafting a bailout plan for coal and nuclear generators on the grounds of national security.

Dive Insight:

The U.S. electricity grid and other critical infrastructure assets face nearly continuous cyberattacks from both state-sponsored and independent adversaries. Last week, DHS announced during a public webinar that hackers have infiltrated multiple utility control rooms, gaining the ability to "throw switches" on the grid and cause blackouts.

Some cybersecurity experts, however, said the DHS statements may have overstated the threat. The agency said the cyberattacks have claimed "hundreds" of victims, more than the dozens it previously disclosed, but analysts said the hackers still do not have the ability to cause widespread outages.

"I think they're right," Krebs said Tuesday on the sidelines of the National Cybersecurity Summit, hosted by DHS in New York.

"In the initial webinar I think there was some context that was lacking," he told reporters. "The important thing to recognize is that was a very targeted threat at the electricity subsector. For the most part the system worked."

Hackers were able to access a "non-baseload generation facility," Krebs said.

"That is not a nuclear plant, that is not a coal plant, that is not a gas plant," he said. "That is a renewable source of energy that would not disrupt the grid."

Southern CEO Fanning echoed Krebs's comments about the webinar in a separate conversation with Utility Dive.

"I think [the hackers] got into one or two wind turbines," said Fanning, head of the Electricity Subsector Coordinating Committee, a cybersecurity liaison group between industry and the federal government. "It was very limited. They never got the ability to interface with the broad electric infrastructure."

Attackers may be able to cause localized outages, Fanning said, but "not anything broad."

DHS's new characterization of the cybersecurity threat comes as the subject takes on special importance as justification for the Trump administration's broader energy policy. In March, President Trump ordered the Department of Energy to create a plan to save coal and nuclear plants from retirement, saying threats to natural gas pipelines would constitute a grid emergency if the large generators were to go offline.

Fanning, however, disagreed, answering simply "no" when asked if the generator retirements constitute a grid emergency. More important than individual plants, he said, is protecting the internal software systems that operate them.

"Some of [Southern's] crown jewels from a cyber protection standpoint really deal with the nerve center of being able to deliver electricity, not necessarily fuel stock that generates electricity," he said. "That would be our energy management systems."

The federal government should take a broad approach to cyberprotections, Fanning said, focusing not just on prevention, but also resilience — the ability to bounce back from disruptions.

"Resilience takes the form of fuel diversity, technology diversity, supply chain security, a whole host of different issues," he said.

The Federal Energy Regulatory Commission is currently considering changes to wholesale market rules to reward plants that demonstrate resilience capabilities. Fanning, whose utilities do not operate in the organized markets FERC regulates, declined to weigh in on that debate.

"How resilience is manifested in these markets is up to other people, not me," he said.

Fanning's perspective on threats to the power system aligns with findings from the nation's grid operators, FERC, federal reliability coordinators and many of his utility peers, like the CEO of Exelon, the largest nuclear generator in the country — all of whom say there is no grid emergency.

DOE, however, has declined to comment on its perception of the grid threat since February, when Assistant Secretary Bruce Walker told Utility Dive entities like FERC "may not have the visibility" to identify national security threats to the grid.

That silence continued at the cybersecurity summit, despite the presence of senior agency officials. Secretary of Energy Rick Perry did not mention coal and nuclear plants during an hour-long panel discussion on cybersecurity Tuesday morning, and both he and Undersecretary Mark Menezes declined to comment when reached by Utility Dive after the discussion.

DHS, despite walking back its cybersecurity warning, also declined to comment on whether the threat constitutes an emergency.

"That is a question that we need to take a closer look at," Krebs said.