How to identify and eliminate electric grid cyber threats
"If a well-coordinated cyberattack on the nation's power grid were to occur today, the time it would take to restore power would pose daunting national security challenges"
-- John Everett, DARPA Program Manager
Electricity is the lifeblood of the US economy. Without it, even the most basic services would be unavailable, putting personal safety and national security at risk. Many of the things we take for granted would no longer be available, such as water, communications, and public safety.
The recently published, Cyber Threat and Vulnerability Analysis of the US Electric Sector, identified key vulnerabilities in electricity generation, distribution, and management. In this report, the Idaho National Laboratory states “Among the greatest challenges is a lack of knowledge or strategy to mitigate new risks that emerge because of an exponential rise in complexity of modern control systems.”
The Defense Science Board, in a Task Force on Cyber Defense report earlier this year darkly concluded, “The unfortunate reality is that, for at least the coming five to ten years, the offensive cyber capabilities of our most capable potential adversaries are likely to far exceed the United States’ ability to defend and adequately strengthen the resilience of its critical infrastructures.”
A key recommendation of the report states, “as first priority, spur and evaluate innovative technologies aimed at breakthrough improvements in cyber security and the cyber resilience of the U.S. military. The relevant technologies should then be carefully shared with owners of critical infrastructure, through existing interagency processes. Cyber-resilient electrical power, water, waste-water and communications systems should be particular priorities.”
Key Electric Utility Vulnerabilities
“The energy industry is one of the sectors with the highest number of cyber-attacks.”
--Pierluigi Paganini, Founder ENISA ETL GroupInternet
The sophisticated, complex electrical power transmission systems of today rely on the internet for the fast, real-time exchange of data to manage electricity generation and distribution. Every system that connects directly or indirectly to the internet is vulnerable to manipulation or attack.
It is imperative to create a security strategy that protects the IT/OT networks from these attacks by reducing the attack surface of each system through implementing security practices that allow automated systems to communicate only via secure protocols. It is also imperative to limit human access of critical systems to only those individuals who need it to carry out job-related duties.
Physical and remote access
A key to security for any electrical utility is managing access. Physical access must only be granted to employees who need to perform tasks in each part of the grid. That access must identify the reason for the employee needing access along with approval for that employee to access the area to begin work.
Once the employee has completed work and leaves the area, access is revoked to prevent unauthorized access to that area. Remote access must also be managed in a way that limits access only to those who have authorization to access the system, and limits what actions users can and cannot perform remotely.
Access should only be granted for the time necessary to complete the task. Once the work is complete, access is revoked, preventing someone else from accessing the network.
The weakest part of security in any enterprise is the human element. Human error and malicious intent are the biggest threats to electric utility security.
It is important to create and implement best practices that help employees stay alert and focused while performing routine tasks, greatly reducing the risk of a critical human error disabling or crippling part of the electrical grid. Employees must also be trained to identify and appropriately respond to suspicious actions performed by co-workers, especially disgruntled employees who may be looking for ways to get back at the company.
C-level executives need to educate themselves in industrial cyber protection. The sophistication and complexity of today’s IT technology requires C-level experts who have a background in IT security to effectively lead initiatives to improve the security and safety of the electrical grid.
Many companies already have Chief Security Officers (CSOs) or Chief Information Security Officers (CISOs) filling similar roles with the primary goal of keeping their employees and customers safe.
Ongoing risk management
Electric utilities need to understand that keeping the electrical grid secure is an ongoing challenge. Security should be looked at as risk management, and as such, should be integrated into every aspect of the utility’s operations.
Threat actors on multiple fronts
Malicious hacking continues to grow as how-to guides on hacking proliferate online, along with readily available, pre-made cyber weaponry that can be used to launch sophisticated attacks against the grid. Complex, easy-to-access network connections offer hackers unlimited access to the internet using tools that can help hide their presence online.
Lack of awareness of security posture
Electric utilities need to gain a detailed awareness of their security posture if they are to effectively prevent and mitigate cyber-attacks against the grid. This involves infrastructure, IT/OT systems, portable and mobile devices, portable memory, and human elements.
Lack of knowledge about how to secure the electric grid
"While some U.S. utilities might block attempts by an adversary to gain initial access or might be able to detect an adversary in their systems, many might not have the necessary tools in place to detect and respond.”
-- Robert K. Knake, Whitney Shepardson Senior Fellow
The transformation of legacy electrical infrastructure into today’s smart grid has created new challenges to securing it. The multiple networks and access points in the smart grid provide opportunities for hackers to gain access and exploit those systems for the purposes of committing fraud, stealing electricity, and causing power outages.
Utilities that lack the knowledge required to secure the grid will inadvertently leave their part of the whole more vulnerable to attack.
Security risk management is more difficult than other types of operational risk management. Traditional business and performance metrics are woefully inadequate for measuring the effectiveness of a security strategy.
Security management metrics are still evolving, making the whole cyber security process frustrating and uncertain.
Confusing and varied regulatory standards
There are a dizzying array of industry and governmental regulations that aim to help with electrical grid security.
Organizations, such as the North American Electric Reliability Corporation--Critical Infrastructure Protection (NERC-CIP), have been developed to help utilities to become compliant.
Policy-making bodies are working to meet the challenges, with interest in the integration of IT and OT networks, the exposure of IT/OT networks to the internet, mitigation of IT/OT system threats using mobile devices, USB flash memory, and social media, internal threats from disgruntled employees and human error, and the countering of cyber threats to OT systems.
Compliance reporting is another area that is getting a lot more attention.
Increased compliance audits by the Federal Energy Regulatory Commission (FERC), the NERC, and the DOE means that electric utilities must be highly proactive, developing strategies that not only help attain but maintain compliance over time.
Security as a Key Operational Area
The development of complex networks and systems for managing power generation and distribution, increased grid vulnerabilities, and the quickly changing threat landscape have made it important for electric utilities to see that security is just as important as employee safety and reliable delivery of electricity to customers.
A proactive, adaptive approach to security is the only way to effectively manage security risks to the grid.
Electrical Grid Security Begins at the Top
Organization and enterprise leaders must actively participate in the creation and implementation of a comprehensive security strategy.
By setting an example at the top, it is easier to motivate everyone else to participate in education, training, and best practices to ensure that the electrical grid is as secure as possible while preserving employee safety and delivering reliable electricity to consumers.
Integrate security into every aspect of the utility
Securing the grid isn’t just about securing electrical power infrastructure -- it’s also about proactively integrating security into every area of business activity. Some of the greatest vulnerabilities in a utility can originate with unsecured email and messaging where sensitive information may be shared with employees or others who may not be authorized to view it.
Internal communications apps like Slack may own all information shared through their platform, creating a data security nightmare when an employee leaves the company. In many cases, that employee still has access and can share that information with anyone he wants to.
Furthermore, platforms that own all shared data represent a serious security risk. If a data security compliance audit is conducted and it is found that sensitive data was shared with unauthorized individuals or entities, a utility may be subject to fines and a formal set of corrective actions that must be taken within a limited timeframe in order become compliant.
These fines and compliance actions can be costly and time-consuming.
Security aligned with business goals and regulatory compliance
In terms of alignment with business goals, fully integrated security helps to prevent security breaches that can lead to stolen data and unauthorized access to the power grid, saving money and time that would otherwise have been spent trying to recover from a security breach.
“Politically motivated cyber-attacks are now a growing reality, and foreign actors are reconnoitering and developing access to U.S. critical infrastructure systems, which might be quickly exploited for disruption if an adversary’s intent became hostile. In addition, those conducting cyber espionage are targeting U.S. government, military, and commercial networks on a daily basis.”-James Clapper, Director of National Intelligence
Electrical grid security is rapidly evolving as utility operators and various organizations develop metrics that deliver meaningful data in real time, empowering utilities to quickly spot suspicious activity and act instead of waiting until after they have been hacked to begin dealing with it.
“United States cannot avoid significant vulnerabilities to other major powers, but can harden the most vital U.S. infrastructure (e.g., electric grid) to increase work factor (and likely ability to attribute for attacks.)” – Defense Science Board
Like this blog, and want to stay up to date with all Bayshore updates? Subscribe at the top of this page, so you don't miss a beat.
As Chief Marketing Officer at Bayshore Networks, Kirby is on a mission to educate and inspire leaders to act now to protect our industrial infrastructure - and our way of life - from cyber threats. Bringing more than two decades of executive leadership in both public enterprises and emerging startups, Kirby is a published author, keynote speaker, teacher, and frequent contributor to over 20,000 online followers.