Recent headlines have again raised the public awareness of cyber threats to critical infrastructure. Much has been written about the threat of CrashOveride or Industroyer malware that was used to take down power in the Ukraine. The US Department of Homeland Security, Computer Emergency Response Team (DHS/CERT) has published a thorough brief on this threat here https://www.us-cert.gov/ncas/alerts/TA17-163A.

Rather than pile on to the CrashOveride hype cycle, this post explores the particular cyber threat challenges power generation and distribution plants pose and what can be done about it.

Power generation and distribution plants do present substantial cyber security and national security concerns affecting homeland security, physical plant safety, environment, and our entire way of life. These threats left unaddressed will become tomorrow’s cyber-attack targets.

Electric Power Regulations

Government agencies and private organizations are involved in various aspects of power generation and distribution security, including the Federal Energy Regulatory Commission (FERC), the North American Reliability Corporation (NERC), Critical Infrastructure Protections (CIP), and the Industrial Control System Computer Emergency Response Team (ICS-CERT).

Federal Energy Regulatory Commission

The FERC regulates the transmission of electricity and its wholesale in interstate commerce. It also licenses and inspects hydropower facilities.

While the FERC doesn’t have any regulations on the books that speak directly to power generation and distribution plant vulnerabilities, it is responsible for granting the NERC its designation as an Electric Reliability Organization (ERO).

North American Reliability Corporation

The NERC is responsible for reliable, adequate bulk power transmission throughout the North American electric power grid.

Part of the NERC responsibilities includes operating the Electricity Information Sharing and Analysis Center (CRISP) which provides security services to North American power system owners and operators. CRISP information includes cyber security threat intelligence, physical security threat intelligence, and other cyber security knowledge.

CRISP also works with power system owners and operators to assess real-time cyber threats and physical threats to power systems.

There are plenty of regulatory and security-related organizations at work, but our power generation and distribution plants are still vulnerable.

This is due less to the bureaucratic leanings of multiple agencies and organizations; rather, it is due to a combination of inadequate resources and lack of skilled technicians combined with the huge expense of building new power generation and distribution plants that are designed with today’s cyber and physical security threats in mind.

Bayshore recently published a helpful white paper: Four Considerations  for Securing Operational Technology in the Energy Industry

Access your copy >>

Technology

Electric power generation and distribution is a mostly automated process controlled by Supervisory Control and Data Acquisition systems (SCADA). The control system architecture utilizes networks, and computers for supervisory process management.

Programmable Logic Controllers (PLCs) and Proportional-integrative-derivative (PID) controllers provide interfaces to power plant processes and machines. Some operations are managed through the supervisory interface, while other processes are managed using real-time control logic or networked modules that pull data from sensors and actuators, perform calculations, then send them to a controller.

SCADA has been slow to catch up to the advances in sophisticated cyberattacks and malware, leaving power generation and distribution plants vulnerable to attack via internet-connected devices and vulnerable computer hardware for the Master Terminal Unit platforms (MTUs) and Remote Terminal Unit platforms (RTUs).

While the FERC is on record instructing various companies and utilities to improve cybersecurity, the lack of capital resources and a shortage of skilled technicians continue to impede upgrades to legacy systems that would enable the development of much more robust security and defense measures, both from cyberattacks and physical vulnerabilities.

 Security Attack Vectors

 Automated processes that are connected to the internet provide an attack vector that is particularly difficult to secure. Power generation and distribution plants need to continually monitor and adjust the electrical load to ensure smooth, reliable delivery of electricity to businesses and homes.

Legacy MTUs and STUs use computer hardware that can be exploited, while legacy supervisory computers can be hacked by exploiting known vulnerabilities in older operating systems, such as Windows XP.

Older networked sensors and actuators also pose a threat; first and second generation Industrial Internet of Things (IIoT) devices were manufactured with zero security measures, making it possible for malicious code to be injected into IIoT device memory and executed.

Newer IIoT devices are addressing this vulnerability through engineering hardware that has been hardened against network attacks, but the need to upgrade legacy sensors and actuators remains.

Vulnerabilities

 Power generation and distribution plant vulnerabilities fall into four basic categories:

  • Physical
  • Plant infrastructure
  • Exposure to the internet
  • IT infrastructure and networks
  • Physical Vulnerabilities

While power plants have boosted physical security measures, it is still possible for unauthorized individuals to gain access to critical systems and components. Sophisticated malware can be stored on a thumb drive and quickly uploaded to a vulnerable computer.

Once on the host machine, the malware can quickly infect other computers and devices, compromising the network and potentially causing system failures that could lead to a plant going offline.

Depending upon the type and extent of damage, a power plant might be down for up to several days or weeks while damages are assessed and repairs are made.

Plant Infrastructure

Multiple systems and processes work together to generate and distribute electrical power. One compromised system can lead to infrastructure failure within the plant and knock it offline.

Plant infrastructure and systems need to be updated to provide adequate protection against actors seeking to disrupt plant operations.

Bayshore recently published a helpful white paper: Four Considerations  for Securing Operational Technology in the Energy Industry

Access your copy >>

Exposure to the Internet

Plants that are upgrading their infrastructure, systems, and processes are also adopting technologies that were designed to be used over the internet. Special care must be taken with these new technologies to protect them from cyberattacks that can cripple power generation and distribution.

As new technologies and tools are introduced, plant personnel need to be trained in plant security and safeguarding of systems and what to do if and when unauthorized activity or access is observed.

IT Infrastructure and Networks

Legacy IT infrastructure and networks lack the security measures that have been built into new computer hardware such as servers and switches. Vulnerability in old IT infrastructure leaves legacy networks exposed to hackers who can exploit weaknesses in older hardware to gain access to systems and processes.

IT systems and networks should be updated and upgraded, integrating new hardware and network components that were designed with cyber security in mind. IT personnel should be trained in cyber security best practices for power generation and distribution plants, and implement security protocols to protect IT infrastructure.

Conclusion

Inadequate capital resources, lack of personnel with proper technical and security training, and the prohibitive expense of building new power plants that integrate state-of-the-art cyber security technology have delivered a perfect storm of vulnerabilities waiting to be exploited.

To mitigate these vulnerabilities and risks, it is important to update/upgrade legacy systems and infrastructure to improve security monitoring and reporting. Power plants need to develop and implement a multi-layer security strategy that addresses all attack vectors, backed up by an incidence response plan to quickly assess damage and restore operations as quickly as possible.

Kirby Wadsworth

As Chief Marketing Officer at Bayshore Networks, Kirby is on a mission to educate and inspire leaders to act now to protect our industrial infrastructure - and our way of life - from cyber threats. Bringing more than two decades of executive leadership in both public enterprises and emerging startups, Kirby is a published author, keynote speaker, teacher, and frequent contributor to over 20,000 online followers.