The ransomware attack that shut down a key fuel pipeline and created shortages of gasoline in the Southeast last week didn’t have a lot of impact on our far-flung islands.
But what would happen if cybercriminals put a target on Hawaii and its electrical grid? The loss of power could create havoc, hardship and far-reaching financial loss with ripple effects on the water supply, transportation and other infrastructure, as well as some important military installations.
Hawaiian Electric, the company that provides power to 95% of the state, insists it is prepared for a such a cyberattack and is constantly searching for ways to be better prepared.
Jason Benn, the company’s vice president of information technology and chief information officer, said Hawaii’s largest power company is no more or no less vulnerable than any other utility that operates in the U.S.
But Hawaiian Electric has unique challenges, he said, including maintaining five different island energy grids and serving a number of critical military defense facilities.
The company sees itself as a potential target for both nation-state bad actors and cybercriminals, and, according to Benn, the utility repels thousands of attacks and probes every day.
“Our systems are constantly under attack,” Benn said. “We’re on the front line of a different domain of warfare.”
The company spends millions each year on cybersecurity, he said, and each year the bill increases about 20%.
“We continue to assess and make improvements and try to limit exposure while practicing response and recovery,” he said.
The first line of defense is prevention and reducing weakness and areas of exposure, while the second line of defense is isolating and segmenting the various parts of the system from each other and from the internet to minimize the potential damage from any one attack.
“We don’t rely on one layer of security,” he said.
The company is plugged into all kinds of cyberintelligence services, Benn said, from local to federal networks that have their feelers out for suspicious activity and bad actors who are on the prowl.
For example, in 2015
Hawaiian Electric signed an agreement with the Hawaii State Fusion Center to collaborate on safety and security measures aimed at safeguarding the state’s essential infrastructure and assets such as the utility grid. The agreement allows both organizations to share information about cybercriminal activity, terrorism and natural or human-caused disasters.
The Fusion Center takes in, analyzes and shares intelligence from federal, state, local and private-sector partners, including Hawaiian Electric.
Another example of preparedness occurred nearly two years ago, when Hawaiian Electric and the state Energy Office participated in a two-day energy security
exercise that simulated a
cyberattack and physical attack on the state’s power grid. Hawaii joined Colorado, Idaho and Maryland in the biennial GridEx event to help assess how the state would respond to a major power outage caused by either cyberattack or some other event, such as a natural disaster.
Frank Pace, administrator of the state Office of Homeland Security, said President Joe Biden’s recent executive order following the Colonial Pipeline incident to improve the nation’s cybersecurity will help to upgrade the state’s own public-private information-sharing efforts.
He said his office, in collaboration with the Office of Enterprise Technology Services, is preparing to publish the state’s first Cyber Incident Response Plan and has recently launched a statewide planning effort to develop a response plan for incidents beyond the state government information technology enterprise.
Pace said recent high-profile cybersecurity incidents, including at SolarWinds,
Microsoft and the Colonial Pipeline, are a reminder that malicious cyberactivity not only can disrupt lives, but threaten national security.
“While the state of Hawaii has escaped the serious harm caused by these most recent, as well as previous incidents, we are not immune,” he said.
As far as the power grid is concerned, Pace said Hawaiian Electric seems to be on top of its game when it comes to its cyberdefense. That’s important, he said, because if the electrical grid were to fail, there would be no neighboring state utilities to serve as a backup.
“As a state thousands of miles in the middle of the Pacific, we’ve got to be resilient,” Pace said.
Benn said that even if the worst-case scenario were to happen and the whole electrical grid was taken down, the company would still be able to operate manually — with personnel literally going out into the field to operate substation circuit breakers and switches.
“We would not operate as efficiently, but we could keep the lights on,” he said.
Malicious cyberactivity cost the U.S. economy between $57 billion and
$109 billion in 2016, and those numbers continue to go up yearly, according to a 2018 report by the president’s Council of Economic Advisers.
“The threats keep rising,” Benn said. “The threats from nation-states are becoming increasingly bold and increasingly sophisticated. It’s a real problem. But we think we have a robust program that is under continual improvement.”
