PHOENIX – Amid the furor over intelligence reports that Russian hackers tried to influence the U.S. presidential election, a cybersecurity scare at a public power utility in Vermont ratcheted up concerns over the vulnerability of the nation's electric grid.
Jumpstarting a discussion of how damage from a cyberattack could have a material effect on electric utilities – and their outstanding bonds – was the revelation late last month that the Burlington, Vt. Electric Department had detected that one of its laptops was communicating with an internet protocol address that federal officials warned could be associated with malicious activity. There remains no evidence that a "hack" took place or that the electrical grid was ever threatened. The situation was quickly contained and reported to federal authorities. But the scare was still notable to some analysts.
"Although the breached computer was not connected to the electric transmission grid, the attack is an example of the utility sector's vulnerability and its attractiveness to those seeking to disrupt the national electrical grid," Moody's Investors Service said in a Jan. 9 commentary. "BED's up-to-date malware definitions and its responsiveness in immediately reporting its findings to federal authorities are credit positive, but cyberattacks are credit negative for all utilities because of the growing risk and the material costs that would result if key infrastructure assets were damaged."
The potential costs of an attack could be enormous. The August 2003 Northeast Blackout, which stemmed from an overload blamed at least partially on a glitch in early warning software, resulted in a loss of power for about 50 million people and took days to fully restore. The Electricity Consumers Resource Council estimated that the event cost between $4.5 and $8.2 billion, including more than $1 billion cost to the affected utilities. Markets operated on backup generators.
"As the number and sophistication of attacks grow, the probability of a successful cyberattack that would cause a material disruption to a utility is growing and the financial and reputational implications could be significant," the Moody's comment continued.
Moody's said it views cyberattacks as a form of event risk similar to severe weather events, with the likelihood of federal aid in a catastrophic event being fairly high, as has been seen for some utilities affected by hurricanes.
A Court Street Group Research outlook authored by George Friedlander and Joseph Krist also remarked on the potential implications of a cyberattack on utilities.
"Such efforts have been a long-term fear of industry professionals and antiterrorism professionals for the crippling impact on national life that an attack on America's highly computer dependent and connected national utility grids could have," Court Street said.
U.S. officials already believe that a 2014 attack might have compromised a handful of public utilities, Court Street said. At the time, the Department of Homeland Security said an unnamed utility had been breached by an unnamed "sophisticated" hacking group. DHS, which doesn't ordinarily disclose every breach it detects, said it had worked with the affected utility to ensure that its systems weren't affected by the unauthorized access.
"It makes sense that such efforts would start on a small scale," Court Street said. "The limited scope of this event provides some comfort but not much in the grand scheme of things. It supports our view of the potential negative impact on smaller municipal operations."
Tom Schuette, a partner and co-head of investment research and strategy at Gurtin Municipal Bond Management acknowledged the risk cyberattacks pose to utilities, but said he didn't expect that to become a major part of investment calculus yet.
"I don't think municipal investors are concerned at this point about cyber-attacks," Schuette said. "While it is a very legitimate concern for utilities and will likely be an ongoing expense to deal with for the foreseeable future, factoring it into investing decisions is akin to factoring in natural disaster risk. It is very tough as an investor to properly weigh the risk of events that are largely out of a utility's control. We would expect that most utilities are attempting to defend themselves from hacking but are not going to publicize those efforts in offering documents – nor should they."
Electric utilities are far from the only utilities facing the challenge of cyber threats, and the Vermont incident was a good example of how the precautions utilities have in place worked successfully, said Sue Kelly, chief executive officer of the American Public Power Association. Kelly said electric utilities work collectively and with federal authorities to improve their readiness.
"We all face these issues and we're all working on them together," Kelly said. "This is just a fact of modern life. Anyone who goes through an airport faces increased risks that they didn't 15 years ago. We're all having to go through an increasingly unfriendly world together."