Imagine sitting in your dining room eating your dinner and the lights go out. You quickly realize it’s not just the lights, it’s all the power in your home. Now imagine thousands of miles away, someone is sitting in front of a computer, typing and clicking away, dropping power to thousands of other homes around you. It’s happened. In 2015 a cyberattack took down power to over 230,000 homes in Ukraine. It is considered the first successful cyberattack against an electrical grid.
The power stations around you are controlled by computers that are connected to each other and to the main power station in your area, which is also controlled by computers. Those computers are controlled by people. The problem is that, once given an instruction by an authenticated user, a computer is going to do what it is told. That might be rerouting power around a power station, or taking a group of power stations completely offline to cause a blackout. Infrastructure engineers have to plan for this.
This isn’t limited to the electrical grid. The US Department of Homeland Security has defined 16 critical infrastructure sectors. An infrastructure engineer in any one of these must design their systems with cyberattacks in mind. To assist them in the process, there are numerous regulations and laws they must adhere to, as well as a large set of industry standards.
NERC requires detailed plans prior to infrastructure build-outs, changes, or expansions. Making sure these plans offer protection from cyber risk helps ensure that all the assets an engineer, or more likely a large team of engineers, plans to use to support the infrastructure are both safe and reliable. NERC and other regulatory bodies also conduct periodic site inspections to ensure the regulations have remained in place and remain effective.