Electricity isn't exactly a growth business, so Xcel Energy's employee head count doesn't budge much from year to year. One department is an exception: cybersecurity.
Xcel employs more than 100 highly trained security analysts, compared with a handful just two years ago. Threats from hackers are intensifying and, with them, the specter of blackouts.
"We have put considerable effort into it, and I think our cyber-defenses have gotten better. But the bad guys' cyber-offense has gotten better, too," said Ben Fowke, Xcel's CEO. "Our sophistication needs to improve."
Hackers last year broke into the IT systems of a Kansas nuclear power plant, though no damage was done. They have shut down parts of Ukraine's power grid twice in the last two years. And their attacks are becoming more refined.
"There has always been a constant stream of incidents," said Robert Lee, CEO of Dragos, a Maryland-based cybersecurity company. "What struck me this past year is the aggressiveness of hackers targeting infrastructure."
The nation's critical infrastructure ranges from oil pipelines to communications networks to the financial system, and at the heart of it all is the electricity grid.
"The reliability of the electricity system underpins virtually every sector of the modern U.S. economy," said the most recent Quadrennial Energy Review from the U.S. Department of Energy.
The report went on to say the U.S. grid is in "imminent danger from cyberattacks," and that such attacks could undermine much of the economy and the nation's "critical defense infrastructure."
The good news is that hackers have never shut down power in the United States, or much of the world. But two cyberattacks in Ukraine — believed to be the handiwork of Russia — caused regional blackouts.
"The cyberattack on three power companies in Ukraine on Dec. 23, 2015, marked a revolutionary event for grid operators," according to a 2017 report by Dragos. Hackers disconnected substations from the grid, leaving more than 225,000 people without power for up to six hours.
The second Ukraine cyberattack, in December 2016, shut down 20 percent of Kiev's power grid for about an hour. The malware used by hackers, dubbed "Crash Override," was more sophisticated, an advancement in hackers' ability to disrupt industrial operations, according to Dragos.
The U.S. power grid is more complex than Ukraine's, so a blackout attack would be more demanding here, Lee said. Plus, taking down multiple power systems — say, along the whole West Coast — for any length of time would be very difficult.
"But it's not impossible," Lee said.
Computer systems at power companies in the U.S. and Europe have been breached several times in recent years. Xcel would not comment on if it had been hacked.
Suspected Russian hackers pried into multiple power plants, including nuclear generation sites, according to several news reports last summer. One target was publicly disclosed: Wolf Creek nuclear plant near Burlington, Kan.
The hackers only accessed the plants' business IT networks, not the operational technology (OT) systems that control power generation and distribution.
In September, Silicon Valley-based computer security firm Symantec revealed a separate series of intrusions into energy and industrial companies. Dubbed "Dragonfly 2.0," the hacking campaign began late in 2015 and ramped up in 2017. Symantec believes the attacks originated in Eastern Europe.
Symantec has evidence of attackers who have breached corporate IT systems and moved into OT systems of U.S. power plants, Vikram Thakur, Symantec technical director, wrote in an e-mail interview. But so far, none have parlayed their access into destructive acts.
Such intrusions are likely "reconnaissance" missions, according to Thakur and other analysts.
"Attackers in this space need to learn a lot before 'flipping the switch,' " Thakur wrote. For instance, the initial breach that led to the December 2015 Ukrainian blackout was launched in the spring of that year.
"It's not happening in one day like in the movies," said Scott Aaronson, executive director of security and preparedness at the Edison Electric Institute, an association for investor-owned utilities. "You have to get a toehold in a network and move laterally."
Cybermanipulation of power systems is more difficult than hacking into corporate databases and stealing customer information, Aaronson said. Utilities' industrial control systems are complex and highly customized. "Part of our defense is the complicated system we operate," he said.
Since 2011, the U.S. utility industry has undertaken biennial drills that simulate cyber and physical attacks. Many companies have developed cybersecurity standards that go "well beyond" those established by federal grid reliability regulators, said Dragos' Lee.
And electricity providers are seen as having a robust network for sharing information about grid security and cyberthreats.
"We spend significant time, effort and resources in preventing an attack and significant time and resources making sure we could recover from an attack," said Xcel's Fowke. "We do that within the company and with our colleague utilities on a national level, coordinating with federal agencies."
Still, there are weaknesses, including information sharing between the federal government and industry. "I don't want to give the impression the government isn't doing its job, but quite often we get our [security threat] information from our own commercial sources," Fowke said.
Expediting the security clearance process for the nation's "most critical cyber assets" was a top recommendation of a report released in August by the National Infrastructure Advisory Council. Fowke is a member of the council, which works through the Department of Homeland Security.
"Too few of the right individuals in private companies have clearances at the right level to receive timely cyber threat information and act on it," the report said. The government's inability to rapidly declassify and share "less-sensitive" threat information "leaves private companies in the dark for too long."
Other weak points pointed out by the National Infrastructure Advisory Council:
• Managers often do not fully understand the magnitude or the complexity of the risks they face, or to what extent their computer systems have been comprised.
• Supply-chain risks remain a struggle; critical infrastructure companies lack a "trusted method" to fully verify the security of components they purchase.
• There's a shortfall of qualified cyberexperts, which is forecast to reach 1.8 million unfilled positions by 2022.
"We in academia and corporate America have been talking about this for years — the huge gap in the lack of trained people," said Michael Johnson, graduate studies director for the University of Minnesota's security technologies program.
"It's basically zero percent unemployment in cybersecurity," he said.
