We sat down with Steve Burns, USAID’s lead energy and infrastructure specialist in the Bureau for Europe and Eurasia, to learn how the Agency is working to combat cyber attacks on energy systems in countries bordering the Black Sea.
Most of us connect cyber security with concerns about identity theft or hacking. What does cyber security have to do with the energy sector?
Like other industries, from media to health care, modern energy systems are increasingly operated by computer networks, which can create vulnerabilities to being hacked. One method of attack is identity theft, phishing schemes and other tricks that make it easy for hackers to outright steal or install keystroke loggers to steal passwords. Once the hacker has access to your work system, it’s easy to plant malware and over time, to access more sensitive parts of a company’s network. In extreme cases, hackers can reach operational systems and shut down or damage critical components that can put portions of a system out of operation for months or longer.
Who are these hackers attacking energy systems? What do they hope to gain? What is the impact of their attacks?
Hackers can include anyone from state-sponsored actors seeking to undermine regional rivals to those with personal or commercial interests. In Ukraine, for example, the conflict motivates hackers seeking to disrupt public services and undermine the stability of local and national governments.
The energy sector is a major economic driver in the Black Sea region and a significant vulnerability for many countries, making it an attractive target for physical and/or political manipulation. The loss of electricity can reduce availability of essential public services such as water and sanitation (for example due to pumps being offline) as well as heating in the winter. Longer-term outages can have significant economic impacts as industry and other businesses don’t have power to operate.
How does USAID help prevent cyber attacks of energy systems overseas? And how do you know if your programs are working?
USAID’s approach in the region focuses on improving energy security, ranging from diversifying energy supply to reducing corruption. For cybersecurity, our approach is to improve best practices in corporate management and energy sector operations. That not only helps energy companies address cyber threats, but it improves reliability system-wide.
Our program works with utilities and energy sector regulators in four Black Sea countries — Armenia, Georgia, Moldova and Ukraine — to provide training for increasing energy sector cyber security.
Cyber threats are constantly changing, so we don’t provide a single analysis or piece of equipment. We also can’t use the number of successful attacks as a gauge for our success. We do know our programs are working, though, because we’re starting to see a culture change. Two years ago, most utilities in the region weren’t aware of the threats they face, but now we are seeing dedicated efforts being made to improve security. That is a huge first step.
I understand that Iowa State University is a USAID partner in cybersecurity trainings. How do they help?
Experts at Iowa State provide invaluable guidance to the energy industry professionals USAID works with overseas. The university’s cyber security program has developed a research lab to train industry professionals and educate students on how to protect power grids through real-world simulations — such as the power grid attack in Ukraine two years ago. The “test bed” they have developed — called PowerCyber — generates case study scenarios designed to help energy regulators and utilities learn how to ward off cyber attacks. This fall, Iowa State hosted a group of Black Sea utility and regulatory personnel as part of a cyber security study tour arranged by USAID.
This effort focuses on four Black Sea countries, but cybersecurity is an issue around the globe. Could USAID programs overseas help here at home?
Yes! It’s easiest to explain how if we first think about one way blackouts spread. Electricity cannot yet be stored in large quantities, so the amount produced and consumed must be constantly balanced. Electricity also flows to areas of need (think of water flowing downhill). If a power shortage occurs in one area due to a power plant going offline or a downed power line, electricity from other areas will flow through available power lines to that area to “fill the gap.”
In large power systems, additional power plants can quickly start up and electricity is automatically rerouted — something that is largely unnoticed by the consumer except for an occasional flickering of their lights as the local power grid rebalances. However, if a shortage becomes too severe, electricity will continue to flow to the blacked-out area, leaving more and more areas without power. Power grids have automatic switches that can keep electricity from flowing to blacked-out areas, effectively isolating these areas and keeping the remainder of the power grid stable until the problem can be fixed (another analogy — think about isolating a flooding compartment on a ship — you sacrifice that area until the leak can be fixed, thus saving the entire ship).
In an advanced attack, a hacker could simultaneously shut down power plants and prevent automatic switches from isolating affected areas of the power grid, leading to regional blackouts. Planning to address such a scenario is where our work benefits the homeland.
Cyber attacks in the Black Sea region are growing in complexity and are a potential testing ground for future attacks in Western Europe and here in the United States. Our program brings together experts from the U.S., Europe and the Black Sea region to collaboratively identify and address these vulnerabilities for our mutual benefit. In fact, the group has already developed a framework for assessing utility preparedness for cyber attacks. By working with the utilities and regulators throughout the region, we better understand energy sector vulnerabilities and are applying those lessons learned at home.
About the Author: Leisha McParland is a Communications Advisor in USAID’s Europe and Eurasia Bureau.
Editor's Note: This entry originally appeared in USAID's 2030: Ending Extreme Poverty in this Generation publication on Medium.