Three of Ukraine’s regional electricity distribution companies experienced simultaneous cyber-attacks on their computer and control systems, precipitating the disconnection of multiple electricity substations. The resulting outages caused approximately 225,000 customers in three different distribution-level service territories to lose power for hours. The Crash Override malware (also known as Industroyer) that was used in Ukraine attacks is capable of directly controlling electricity substation switches and circuit breakers. It uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure. The potential impact may range from simply turning off power distribution – which will trigger a cascade of failures, to more serious damage to equipment. Generally, the payloads first map the network, and then figure out commands that will work with the specific industrial control devices.
Another clear warning call to the US was the Grizzly Steppe incident at a Vermont electric utility. In December 2016, Burlington Electric found this Russian malware on a laptop that was not connected to the grid.
Is the US power grid really vulnerable to the threat of attack?
The U.S. grid faces imminent, substantial danger from cyberattacks. Cyber threats to the electricity system are on the rise. Moreover, they are increasing in sophistication and magnitude, as well as in their frequency.
As far back as 2002, 70% of energy and power companies experienced some kind of severe cyber-attack to computing or energy management systems.
The industrial control systems in use at facilities across the country are especially vulnerable to exploits, because they often use computers with older versions of Windows and are vulnerable to security flaws. Many utilities facilities do not upgrade their hardware or software aggressively, and may get behind in installing patches.
The 2013 Markey Grid Report study showed that fewer than 25% of surveyed electric grid utility operators complied with the voluntary cybersecurity standards put into place by the Federal Energy Regulatory Commission or the North American Electric Reliability Corporation.
A Technology Triad of Trouble: The pervasive weaknesses of US public utilities stems from three factors: 1) the difficulties inherent in addressing vulnerabilities in operational systems and technologies that cannot easily be taken offline for upgrades; 2) the continued use of vulnerable legacy systems; and 3) the continued use of components that lack the computing resources to incorporate new security fixes.
Another set of factors is equally troubling: the weaknesses in our human (as well as our technical) systems: 1) there is inadequate information sharing between government and industry; and 2) there are jurisdictional complications because the distribution system is not federally regulated. As a result, each state government does cybersecurity differently.
A large number of operators either don’t have cybersecurity expertise or they simply cannot disconnect critical equipment to patch software holes.
And the breach risk is increasing with the expanding attack surface. The shift to a smart grid means utilities will add thousands of connected devices to their operations including new sensors, controllers, relays, meters.
And remember too that while a utility’s control systems may not be on the Internet, tangentially connected devices and networks or those network elements with a peripheral in common may provide points of entry into the control system’s network.
Remote access, mobile devices, vendors, and supply chains are among the likely potential vectors of attack on electric utilities. And a well-coordinated cyberattack on utilities operations could result in large scale power outages, disruption of critical defense infrastructure, and an impact on much of the US economy. It would also endanger the health and safety of millions of citizens.
An 8-Step Approach for Protecting the US Power Grid
- Recognition: It’s time for all – the industry, officials and citizens – to recognize that US Government involvement is crucial to the protection effort.
- Consistent, Effective Standards: That Governmental involvement should begin with the mandated adoption of broadly applicable cybersecurity standards across the entire industry – much the way the State of New York is imposing cybersecurity standards and regulations on all entities transacting or interacting with financial services institutions and organizations across the state.|
- Facilities Preparation: The Federal Government must develop, hone, and continually test and update preparation and response capabilities that will ensure it is able protect critical infrastructure in the event of a security emergency.
- Agency/Industry Cooperation: Government should involve cybersecurity businesses and private sector cybersecurity expert citizens in the preparation, planning and incident response process.
- Improved Intelligence Gathering: Government should increase collection of data about online breaches from utilities.
- Improved Intelligence Sharing and Cooperation: Government needs to acknowledge the hacks that happen and share information about them to properly guard the nation
- Execution of State-of-the-Art Cyber Defenses: Utilities should deploy intrusion detection and network monitoring tools in place, and have regular cybersecurity drills.
- Realistic Expectations and Ongoing Crisis and Recovery Readiness: Utilities must actually expect to get breached and be ready to respond to and recover quickly from successful attacks.