Electricity grids are at risk from cyberattack. Here's how we can keep them running 

On Aug. 14, 2003, a software bug contributed to a blackout that left 50 million people across nine U.S. northeastern states and a Canadian province without power. The outage lasted for as long as four days, with rolling blackouts in some areas for days after that.

That event wasn’t caused by an attacker, but many of the recommendations of the final incident report focused on cybersecurity. Fifteen years later, the stakes of a long-term outage are even higher, as American business and society are even more dependent on electronic devices. Scholars around the country are studying the problem of protecting the grid from cyberattacks and software flaws. Several of them have written about their work for The Conversation:

1. Attacks could be hard to detect

Though the software error that amplified the blackout was not the result of a cyberattack, power grid scholar Michael McElfresh at Santa Clara University explains that a clever attacker could disguise the intrusion “as something as simple as a large number of apparent customers lowering their thermostat settings in a short period on a peak hot day.”

2. Grid targets are tempting

Iowa State University’s Manimaran Govindarasu and Washington State University’s Adam Hahn, both grid security scholars, noted that the grid is an attractive target for hackers, who could shut off power to large numbers of people: “It happened in Ukraine in 2015 and again in 2016, and it could happen here in the U.S., too.”

3. What to do now?

In another article, Govindarasu and Hahn went on to describe the level to which “Russians had penetrated the computers of multiple U.S. electric utilities and were able to gain … privileges that were sufficient to cause power outages.”

The response, they wrote, involves extending federal grid-security regulations to “all utility companies – even the smallest,” having “all companies that are part of the grid participate in coordinated grid exercises to improve cybersecurity preparedness and share best practices” and – crucially – insisting that power utilities “ensure the hardware and software they use are from trustworthy sources and have not been tampered with or modified to allow unauthorized users in.”

Those steps won’t prevent software bugs, but they could reduce the likelihood of attackers exploiting computer systems’ vulnerabilities to shut off the lights.

4. Restructuring the grid itself

To protect against all types of threats to the grid – including natural and human-caused ones – engineering professor Joshua M. Pearce at Michigan Technological University suggests generating energy at many locations around the country, rather than in centralized power plants. He reports that his research has found that connecting those smaller power producers together with nearby electricity users would make supply more reliable, less vulnerable and cheaper. In fact, he found the U.S. military “could generate all of its electricity from distributed renewable sources by 2025 using … microgrids.”

At least that way a small problem with the grid would be less likely to spread and become a major problem for tens of millions of people, like the Northeast Blackout of 2003 was.