This post is also available in: heעברית (Hebrew)

Not only Russia poses risks to power grid cybersecurity. Small- to mid-size energy companies are facing a variety of threats, says a new report from the Institute for Critical Infrastructure Technology (ICIT).

“There’s a lot of hype surrounding the cybersecurity of the energy grid,” said James Scott, co-author of the The Energy Sector Hacker Report and a senior fellow at ICIT, a non-profit cybersecurity think tank that provides research and other programs related to cybersecurity.

The biggest threat, he told, is to small- and medium- sized energy providers that don’t take important steps to keep their systems safe from the very real potential for cyber attacks.

The Russians have been “parasitically woven through our grid” for many years, said Scott. “They’re very creative and stealthy. You discover them — and the Chinese, Iranians and other nation state actors after they’ve been there.” This should be taken seriously, he said.

However, actors like North Korea, lone wolves and militant “hacktivists” are most likely to initiate an attack on the grid with the intention of a blackout, he said.

Countries like North Korea are most likely to hire lone wolves to hack into the grid, he added.

Their most vulnerable targets are small- to mid-sized energy providers, he said. “It’s the small- and medium-sized providers who don’t have cyber hygiene that are most prone to attacks,” Scott said. Employees can put energy information at risk by doing things as simple as checking their Twitter account from company computers or using laptops in the field, he said. Hired hackers can also gain access to an energy provider’s system via a vulnerability in the billing or other systems.

What’s needed for these energy providers are at least three lines of defense, said Scott.

First, energy providers need to replace their hardware, servers and software with newer systems. Second, companies need to create “red teams” that aggressively seek out vulnerabilities in the company’s systems. These teams should ensure that the energy providers only purchase packages, software, for example — that have security built into them. Third, energy providers should purchase hardware and software that includes a guarantee of cyber hygiene. This means that if a vulnerability is discovered in the energy provider’s system, the company could purchase what’s called a “patch” to ensure security.

The U.S. Dept. of Energy (DoE) is taking these threats seriously, Scott said. “The DoE is trying really hard to come up with solutions and standards without stifling the sector’s innovation,” he said. “I was in New Jersey during a blackout. Psychologically that’s where all the fear started about the potential for a national blackout”.