Recent Entergy Arkansas attacks further thrust cyber, physical security of grid into spotlight

Cyber security continues to be an area of concern within the United States energy industry, and the issue gets further thrust into the spotlight when incidents such as the recent physical attacks on Entergy Arkansas facilities, which included the ominous statement, “You should have expected U.S.,” take place.

More recently, Cheryl LaFleur, acting FERC chairman, told a congressional panel on Dec. 5 that she is reluctant to publicly reveal many specifics about an April attack on a transmission substation in California for fear that it might yield “copycat” attacks.

LaFleur would be willing, however, to have FERC provide a private briefing for lawmakers. She was responding to questions from Rep. Henry Waxman (D-Calif.) during a hearing before the House Energy & Commerce Committee’s Subcommittee on Energy and Power.

Waxman had pointed to the April attack on a Pacific Gas and Electric (PG&E) substation as evidence of the growing threat to the grid from cyber and physical attacks.

“The FBI and others are investigating this attack,” which involved “military-style” weapons and affected the power flow in California, Waxman said.

LaFleur said she shares the FBI’s concern about disclosure, noting, “There is a potential about copycat attacks if too much is disclosed.”

PG&E is a subsidiary of PG&E Corporation (NYSE:PCG).

Utilities including Entergy (NYSE:ETR), Pepco Holdings (NYSE:POM) and Southern Company (NYSE:SO), remain committed to physical and cyber security initiatives in order to keep the grid safe and reliable, officials told TransmissionHub.

While various initiatives across the country are working on such issues, including efforts by the National Institute of Standards and Technology, attackers will always be one step ahead, Kelly Ziegler, senior specialist, Environment, Health & Safety with Consolidated Edison’s (NYSE:ED) Consolidated Edison Company of New York, said during TransmissionHub’s recently held TransForum East.

“There will always be vulnerabilities that we haven’t been able to mitigate because we didn’t know they were there,” she said in October.

Following the Entergy Arkansas attacks, S.Y. Lee, spokesperson for the U.S. Department of Homeland Security (DHS), told TransmissionHub that protecting critical infrastructure against growing and evolving cyber threats requires a layered approach.

DHS “actively collaborates with public and private sector partners every day, which includes the [U.S.] Department of Energy [(DOE)] and owners and operators of critical infrastructure in the energy sector, to help secure the key systems upon which Americans rely,” Lee said.

Rohyt Belani, CEO of the anti-phishing training firm PhishMe, told TransmissionHub that one mechanism threat actors use is to research one or two employees at an energy company on social media, understand what their roles entail, then use that information to attempt to gain access to the utility’s systems through an approach known as “spear-phishing.”

“They craft … very targeted phishing e-mails to try and trick these people [SCADA system operators] into clicking a link in an e-mail or opening a file that’s attached to it,” Belani said. “Sometimes it’s [as] simple as giving up a username and password on a form that looks very real; it looks like the company’s Outlook web access or VPN page.”

Essentially, Belani said, their goal is to try to gain a foothold on the employee’s workstation and, once that is accomplished, they can probe the internal network, through which it is often easier to reach the utilities’ SCADA systems.

“A lot of people get rattled when they talk about SCADA systems and hackers getting close to them,” Belani said. “SCADA systems are like retrofitting security into old technology. The fortunate part is that a lot of them are not accessible directly via the Internet, [so] hackers have to find a way into the internal networks of energy companies before they can make their way to these SCADA systems.”

Spear-phishing, Belani said, is “representative of what I’d say is quite a trend” about which companies need to educate, particularly their non-technical personnel.

“When we think of large organizations with tens of thousands of non-technology employees, the challenge is, ‘How do you continually refresh their knowledge on e-mail and that it’s an attack vector, and you are a target?’” Belani added. “These are lessons they really don’t know.”

Entergy Arkansas incidents result in arrest of Jacksonville, Ark., man

The U.S. Department of Justice United States Attorney Eastern District of Arkansas said on Oct. 12 that Jason Woodring, 37, of Jacksonville, Ark., was arrested on a criminal complaint charging him with destruction of an energy facility.

The affidavit filed with the complaint alleges that Woodring is responsible for multiple acts of sabotage to the power grid in central Arkansas.

On Oct. 11, Lonoke County (Ark.) Sheriff’s Office deputies received multiple calls regarding an explosion on John Shelton Road in Jacksonville, Ark., the FBI added, noting that deputies and Entergy employees determined the explosion occurred under power lines near Woodring’s residence. Agents from the FBI and Joint Terrorism Task Force called to the scene observed a type of blue hose similar to evidence found at another power grid sabotage scene, the FBI said.

“The power grid attacks had the potential to put many lives at risk,” Christopher Thyer, United States Attorney for the Eastern District of Arkansas, said in the statement. “When we depend on electrical power not only for comfort and convenience, but also for safety, security and life-sustaining equipment, not knowing where the next attack would occur held the public hostage to an unknown attacker.”

On Oct. 15, an Entergy spokesperson told TransmissionHub that while the company cannot share details on additional security measures, it has taken appropriate steps to enhance the security at some of its facilities.

As to the incidents themselves, in August, Randall Coleman, special agent in charge of the Federal Bureau of Investigation (FBI) for Arkansas, announced that the FBI is seeking information about the Aug. 21 incident in which Entergy Arkansas officials reported a downed high-voltage transmission line on Arkansas Highway 321 east of Cabot, Ark., where the highway crosses a Union Pacific railroad track.

Inspection of the line indicated that it was intentionally cut, and it is believed that the person(s) responsible climbed the 100-foot tower, severed the line with a saw or similar object, and removed several bolts at the base of the tower. While no injuries resulted from the incident, the FBI added, the act created a potential danger to the community.

In an Aug. 22 statement, the FBI said it is offering a reward of up to $20,000 for information leading to the arrest of the person(s) responsible for the incident.

In October, the FBI announced a reward of up to $25,000 for information leading to the arrest of the person(s) responsible for other incidents, including one on Sept. 29 in which Entergy Arkansas officials reported a fire at the company’s Keo substation located on Arkansas Highway 165 between Scott and England in Lonoke County, Ark.

There were no injuries and no reported power outages, the FBI said, adding that the fire, which the investigation determined was intentionally set, consumed the control house at the substation.

The person or persons responsible for that incident inscribed a message on a metal control panel outside the substation that read, “You should have expected U.S.,” the FBI said.

On Oct. 6, the FBI said in the statement, First Electric Cooperative officials reported that two of the cooperative’s power poles located near the 1400 block of Robin Road, behind the McBride subdivision in Lonoke County, were intentionally cut, resulting in a power outage that affected about 9,000 customers in the Cabot area.

The FBI, ATF, Lonoke County Sheriff’s Office and Cabot Police Department, in coordination with Entergy Arkansas and First Electric Cooperative, are investigating those incidents, including the possibility that they are related to each other and to the intentionally downed high-voltage transmission line in Cabot on Aug. 21, the FBI said.

‘The electric power industry takes these threats very seriously’

Maintaining the reliability and the security of the computers, control systems and other cyber assets that help utilities operate the electric grid is a top priority for Southern and within the industry’s overall reliability effort, Jeannice Hall, media relations for Southern, told TransmissionHub.

“Cybersecurity is an ongoing effort because the threat continues to evolve,” Hall said. “We continually adapt our defenses to changing threats and leverage actionable intelligence from state and federal agencies to understand the threats facing our company, our industry and the private sector at large.”

Southern is constantly working to strengthen and improve the operation and security of its multiple layers of defenses and to identify and address vulnerabilities, she said.

“We work closely with NERC, DHS and other federal agencies to ensure we meet the cybersecurity standards set for the nation’s electrical grid,” Hall said.

According to its website, Southern has 4.4 million customers and almost 46,000 MW of generating capacity.

Another company with ongoing cyber security initiatives is Pepco, which, as Courtney Nogas, regional communications director for Pepco, told TransmissionHub, invests extensive time and resources to secure its critical assets, provide the greatest level of assurance and reliability and comply with NERC cyber and physical security standards.

“Pepco takes appropriate, multi-layered, ‘defense in depth’ steps to address cyber threats,” she added.

Cyber security is a national issue as cyber threats continue to grow and become more sophisticated, Nogas said.

“The electric power industry takes these threats very seriously,” she said. “Protecting our nation’s electric grid and ensuring a reliable supply of power is the electric power industry’s top priority. The electric industry has a strong record of working together and with government partners to identify, assess and respond to cyber threats.”

According to its website, Pepco serves about 2 million customers in Delaware, the District of Columbia, Maryland and New Jersey.

PPL (NYSE:PPL) also lists physical and cyber security as ongoing priorities for all its companies, whose service territories are in Pennsylvania, Kentucky, Montana and the United Kingdom, according to Joe Nixon with PPL corporate communications.

NERC administers FERC-approved cyber security standards, which PPL is required to adhere to, Nixon told TransmissionHub. “We utilize security best practices and collaborate with industry peers and government agencies,” he said.

PPL cannot go into specifics on physical or cyber security improvements at any of its facilities, but it complies with applicable standards in each area.

“Both physical and cyber security are integral to protecting not only the reliability of the grid, but everything from power plants to power distribution, customer and employee information, financial files and more,” Nixon said.

According to the company’s website, PPL controls or owns about 19,000 MW of generating capacity in the U.S., sells energy in key U.S. markets and delivers electricity and natural gas to about 10 million customers in the U.S. and the United Kingdom.

National Grid USA, which, according to its website, delivers electricity to about 3.3 million customers in Massachusetts, New York and Rhode Island, and serves about 3.4 million natural gas customers in those states, also has efforts underway on cyber and physical security.

“While we don’t discuss details of the preparation work we make for things like this, I can tell you [that] our emergency response plan that we are required to file with regulators every year addresses all sorts of attacks, not just [for] restoring power, or what happens when we lose power, [but] if there were cyber attacks [and] physical attacks; we have an emergency plan,” Fred Kuebler, director of U.S. media relations with National Grid, told TransmissionHub.

The company also participates in a number of drills throughout the year and works with outside agencies – which include local, state and federal – to continue monitoring and assessing any threats that may be out there and how to address those threats, he said.

“The same goes for any possible physical attack and any cyber attack,” Kuebler said. “We make use of the latest technology. We drill for cyber attacks and work with outside agencies that deal in that area.”

National Grid continues to monitor its system on the physical and cyber side to address any attack that could come along, he said, adding that the company works with agencies and industry partners.

National Grid is a subsidiary of National Grid plc, which, according to its website, owns and maintains the high-voltage electricity transmission network in England and Wales – Scotland has its own network. Also, the company’s UK distribution networks deliver natural gas to around 10.9 million consumers.

Farther north on the East Coast, in Vermont, Green Mountain Power (GMP) has a number of different technologies in various locations in relation to cyber security, Dorothy Schnure, GMP corporate spokesperson, told TransmissionHub.

In some places, GMP has security cameras with remote monitoring, she said. The company also has motion detection security lighting, fence monitoring technology that detects when a fence is being compromised – if a fence is being climbed – as well as door/gate activation sensors.

“We’ve got some monitoring on our fiber optic network and we encrypt the data,” Schnure said.

“In terms of cyber security, when we implemented our smart grid technology, we submitted a cyber security plan to the DOE, in conjunction with Sandia Labs,” she said, referencing Sandia National Laboratories, which is operated and managed by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation. “The DOE has approved that plan, which we are now implementing. While it can never be 100% secure, we are diligent and are always on the lookout for problems.”

GMP does not have any suspected physical or cyber attack, other than minor theft of copper, but that is not considered an attack, Schnure said.

According to the company, which serves more than 250,000 customers, GMP generates, transmits, distributes and sells electricity in Vermont.

Iberdrola USA, a subsidiary of Iberdrola S.A., also has initiatives in place to address cyber security.

As a part of Iberdrola’s worldwide operations, Iberdrola USA has been working for the past three years to put in place common security standards and technology across its organization, Bob Kump, president and CEO of Iberdrola USA, said in a statement provided to TransmissionHub.

Some examples include technology for managing physical access to the company’s facilities and the deployment of state-of-the-art surveillance and video analytics to protect remote facilities. In addition to better security, features such as thermal imaging technology also provide safety and operational benefits, he added.

“Iberdrola USA is taking a holistic approach to managing the security of our physical, information and cyber assets,” Kump said. “This year we united all security operations under a Chief Security Officer who reports directly to me. Keeping our assets and operations secure is one of the biggest challenges we face, and we’re developing strategies, organizational capabilities and technology to achieve best-in-class performance.”

Iberdrola USA is working with several global leaders in the security and intelligence industry on a top-to-bottom review of the company’s security policies and practices. They are developing a comprehensive security framework and compliance program to ensure the security of the company’s physical, information and cyber assets, Kump added.

Iberdrola USA is not aware of any incidents of physical or cyber attack against its facilities. Kump also said that like most companies, Iberdrola USA has real experience with the complexity and difficulty of ensuring the privacy and security of its data, but it has not reported attempts to damage or control its critical systems.

Regarding physical security, Iberdrola USA companies have reported cases of copper thefts from substations and operating facilities, but Iberdrola USA’s security improvements have contributed to the successful prosecution of copper thieves in some recent cases and the successful prevention of theft and damage, Kump added.

According to the company’s website, Iberdrola USA Networks operates from New York to New Hampshire to Maine, delivering natural gas and electricity to almost 3 million customers through its five operating companies: Central Maine Power, New York State Electric & Gas, Rochester Gas and Electric, Maine Natural Gas and New Hampshire Gas.

TransmissionHub Chief Analyst Rosy Lum contributed to this article.

About Corina Rivera-Linares
Corina Rivera-Linares was TransmissionHub’s chief editor until August 2021, as well as part of the team that established TransmissionHub in 2011. Before joining TransmissionHub, Corina covered renewable energy and environmental issues, as well as transmission, generation, regulation, legislation and ISO/RTO matters at SNL Financial from 2005 to 2011. She has also covered such topics as health, politics, and education for weekly newspapers and national magazines.