On Dec. 23, 2015, substations on the Ukrainian power grid were systematically disconnected for three hours. Although the cause was not immediately known, the failures were later attributed to a coordinated, sophisticated cyber attack by a state actor with considerable technological resources. According to a report on the Ukraine incident published by the Electricity Information Sharing and Analysis Center (E-ISAC), the attackers used a variety of techniques to penetrate the Ukrainian power grid's information technology network, including spear-phishing emails, malware, and the manipulation of Microsoft Office document macros. Additionally, the attack included an on-site human element that was able to harvest credentials, map network-connected infrastructure, and gain insight into the supervisory control system. While an attempt to attack infrastructure in North America in a manner similar to the Ukraine attack is possible, there are key differences between the two systems. The North American electricity sector is subject to mandatory, enforceable reliability standards designed to prevent such an attack, and it is also larger and more diverse in the design and configuration of its equipment, including industrial control systems. As part of the industry's best practices, North American systems also run on licensed software and are routinely screened for potential threats, including malware. This event shows the need to enhance infrastructure security and resiliency, which requires a strong commitment to best practices, including the ability to rapidly convene federal, state, and local emergency management personnel as needed after a cyber or physical attack.
The Office of the Program Manager for the Information Sharing Environment (PM-ISE) is working with the National Fusion Center Association (NFCA) and the E-ISAC to consider using the National Fusion Center network as a way to convene electrical infrastructure subject matter experts (SMEs) who need rapid access to classified data or communications systems in the event of an emergency. Fusion centers are localized information sharing hubs that bring together federal, state, local, tribal, and territorial (FSLTT) partners. They collaborate with the Department of Homeland Security (DHS) to coordinate the homeland security and intelligence efforts of the FSLTT partners. This structure is ideal for hosting SMEs who, depending on the scale and complexity of an incident, need access to classified data in order to inform their recommendations. This effort also has the potential to develop into a long-term information exchange relationship between the energy sector and fusion centers, providing situational awareness of threats and vulnerabilities in their areas of responsibility. It represents an incremental, collaborative approach to building a lasting relationship, while also offering the benefit of a well-organized, rapid, and secure distributed communications network.