How Secure Is The United States Power Grid?

From transportation to telecommunications, health care and banking, the digitization of our infrastructure has made our daily lives more convenient, but it’s also opened us up to the threat of cyberattacks. Yahoo’s hack of over 500 million accounts will make it the biggest data breach ever. Equifax, which, as you know, is a very large supplier of credit information, has announced a cybersecurity incident that they say potentially impacts about 143 million U.S. consumers. Marriott is announcing that up to 500 million guests with reservations at Starwood properties could have had their data compromised. But it’s not just companies under attack. Increasingly, power plants and other critical infrastructure are also becoming a target. Critical infrastructure is really anything that makes up the backbone of society, everything from transportation and airlines to banks. Cyberwarfare is the new weapon of choice. You can run a cyberattack remotely, shut down the critical infrastructure of other countries, create massive destruction of refineries and chemical plants without ever shooting a gun.

Electricity is so prevalent in our lives that we often don’t even think about it until it fails to work. All electricity starts at a generator, which can be powered by wind, water, coal or even nuclear fission. After it is generated, the electricity travels from the power plant to transmission substations, which convert it to a very high voltage so that it can travel long distances. From there, the electricity travels along power lines to another transformer, which again converts the power, this time to a lower voltage, before it goes into our homes and businesses.

Often people think of the power grid as “the grid.” It’s really not. It’s a quilt made up of 3,000 or so power companies. Some are investor-owned utilities, but most of them are rural electric associations, and maybe a few are owned by the government. Generally it’s a mixture. This ownership disparity also means that utilities are regulated differently. The focus of the regulation is to prevent the bulk electric system from suffering a widespread outage, so it may not affect the smaller companies that are serving smaller cities or rural areas. On one hand, smaller power companies in the United States may not be as juicy a target because they have a small number of customers, say 25,000. But on the other hand, they may be more susceptible to cyberattacks because they don’t have as big a security team or as big a security budget to focus on protecting their critical systems.

That’s where someone like Sistrunk comes in. As a consultant for the cybersecurity firm FireEye, part of Sistrunk’s job involves teaching a digital forensics class for people who want to learn how to defend the control systems running our power plants. And to learn how to defend against an attack, you first have to learn to hack. This is a small PLC, a programmable logic controller. This particular device is made by Phoenix Contact, and it’s basically easy for an attacker to get into. There are a lot of vulnerabilities in it. Sistrunk demonstrated how a hacker may alter the functions of “stop” and “go” buttons that in a power facility may control something like a motor or a pump. This is the web page of this PLC, and it’s been hacked. You can see that whenever I try to click on the red stop button, the green start button comes on. So an attacker can go download the software and change things if they wanted to.

In a conventional warfare attack, the first thing that is hit is the infrastructure: the refineries, the electrical systems, the chemical plants, those things that fuel the war machine. You can simply do the same thing remotely with cyberweapons. It seems like attackers have crossed the Rubicon, or they’ve crossed the red line in the sand. You know, they are going after control systems, whereas once no one cared. Today, there are more than 9,700 power plants in the US. Many of them were built decades ago, when operating a plant required a lot of manual labor and cybersecurity was not a consideration. But that’s changing. Starting in the mid ’80s and early 2000s, the industry started connecting these control systems through the enterprise networks to the internet, for the benefit of remote access, information sharing, etc. Fantastic for productivity improvement and business enhancements, but that exposed us to cybersecurity threats.

The heart of a power plant is what is known as a SCADA system. SCADA stands for supervisory control and data acquisition. These systems are made up of a combination of software and hardware that allow operators to monitor and control plant processes from one central location. Besides power generation plants, SCADA systems are ubiquitous in the manufacturing, telecommunications and transportation sectors, among others. Today, a typical SCADA system is made up of thousands of components and runs on several different kinds of operating systems. This wide spread of operating systems creates a very complex surface that security experts have to understand before they can defend against the many different types of exploits used against those specific operating systems. Since 2010, the number of attacks has increased exponentially. The reason for it is that it’s a lucrative business for ransom attackers as well as for nation states. A 2015 risk report put out by the University of Cambridge and Lloyd’s, a large insurance company, posed a hypothetical scenario in which a cyberattack plunged 15 U.S. states into darkness, leaving 93 million people without power. The report estimated that the loss to the U.S. economy would range between $243 billion and $1 trillion.

There is a belief that every system could be compromised, especially these control systems, since they were not originally designed for cybersecurity, unlike computers that we use at home and at work that are regularly patched and protected from cyberattacks. As reported in this “60 Minutes” episode on CNBC from December 2014, the first cyberweapon to cause physical damage was used in Iran in 2010. We begin with the story of Stuxnet, a computer virus considered to be the world’s first destructive cyberweapon. It was launched several years ago against an Iranian nuclear facility, almost certainly with some U.S. involvement. Stuxnet infected SCADA systems that were running Windows and Siemens software within the nuclear facility. It was used to spin centrifuges too fast until they basically destroyed themselves.

This was the first time a virus of this type was used to physically destroy something within a power facility. In December 2015, hackers cut power to around 225,000 people in Ukraine. The incident became the first successful hack on utilities. It was believed to have been done through a tactic called spear phishing, where hackers sent emails with malicious attachments to I.T. staff and system administrators that helped to steal the recipients’ credentials. Almost exactly a year later, hackers again shut off power to a large part of the Ukrainian capital. Some have blamed the attacks on Russia. While the attacks were short-lived, they showed the world that Russia had the will and the ability to conduct cyberwarfare in this way. Another attack shook the cybersecurity world in 2017, this time in the Middle East.

In the past year, researchers have spotted a new family of industrial control malware. It’s called Triton. Triton was a really alarming piece of malware. It affected facilities in the Middle East. And what was most alarming about it was that it disabled what essentially was the kill switch for a catastrophic disaster. The metaphor I use here is relying on the police to come help you out when your house is broken into, but the police officer is asleep in his police car. That is a metaphor for that safety system being bypassed. Though there has not been a cyberattack in the U.S. that has shut off power to the grid, hackers have still gone after utility companies. In 2016, an electric power and water utility company paid $25,000 in bitcoin ransom after hackers locked the utility out of its computer systems.

In 2018, the Department of Homeland Security and the FBI issued a joint alert, warning that Russian cyberactors had been targeting U.S. government entities and critical infrastructure sectors since 2016. And in 2017, the Department of Energy disclosed a hack at an electric utility in the western U.S. Though the hack did not cause outages, it did show that our power grid was vulnerable. Most countries that the United States has an adversarial relationship with don’t actually want to go to war with the United States. It makes more sense for them to conduct reconnaissance missions against our electrical grid. For that reason, it’s more realistic that the types of attacks we see are in the name of gathering information or opening back doors, rather than some sort of catastrophic attack or an attack similar to the one that we saw in Ukraine.

Protecting our energy grid is essential to our national security. But there are a few reasons why it is difficult to do. For one, it’s hard to even gauge how many cyberattacks there are. The reason we don’t have good numbers around how many cyberattacks there are against utilities is that most of these companies simply don’t report them. There’s not much of an incentive for utilities or the companies that provide them with equipment to tell the public about every cyberattack they’ve had. They would risk panicking the public, and they might also even open themselves up to further attacks if attackers know what’s working against them.

That’s changing. In early 2019, the Federal Energy Regulatory Commission updated cybersecurity standards for electric grids. The new standards require electric companies to report any incidents that either compromise or attempt to compromise electronic security perimeters, electronic access control or monitoring systems, and physical security perimeters associated with cyber systems. The new reliability standard also encompasses disruptions or attempts to disrupt the operation of a bulk electric system or cyber system. As with Stuxnet, hackers may try to subvert security measures by targeting suppliers as opposed to going after the big utility companies. Companies are becoming very careful about checking the software that comes from their suppliers. In fact, they have a test environment in which software updates are tested to make sure that the software they’re getting from their automation vendor is not infested with malware. Another best practice is what is known as pen testing, or penetration testing. Pen testing is a process through which you intentionally attack your own system, whether with your own people or by bringing in people from the outside, to see how good your defenses are. But finding someone to perform this test is often difficult.

There is a shortage of over 1.5 to 2 million cybersecurity experts in our industry, and that is something that’s going to harm us if we don’t address it more proactively. Despite these obstacles, experts stress that there are steps we can take to mitigate the risk of cyberthreats. Knowing what you have is the very first thing you must do, and that’s become more and more accepted as the first thing you do, which is to gain a complete inventory of your control systems. The second thing that you do is understand your vulnerabilities and address them. Those are the holes in your system. And the best way to do that is to do some pen testing or a vulnerability assessment. And the third thing that we advocate is understanding the configuration of these systems, the brains, the genealogy of the data in your environment, and controlling that.

So when they are changed, you know. And the last thing that we advocate, very strongly, is to assume you’ve been attacked. What are you doing for recovery purposes? Do you have the latest version of the configuration of your system to bring the system back up in the unfortunate event of losing the system? Adopting new technology is part of competitive advantage. You have to continue to automate. You have to continue to take on new technologies to make your business competitive. Otherwise you get left behind. While the threat of cyberattacks against the grid is a real threat, and we have to be proactive about it, and we have to prepare for it, it’s also important not to panic and not to sensationalize. We experience reconnaissance missions and attacks against electrical companies every day. The majority of them are not successful.
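The four steps advocated above (inventory your control systems, find the weak spots, know their configuration so changes are visible, and keep a known-good copy for recovery) as an added Python example; this is not code from the video or from any vendor named in it. The device names, vendors and configuration strings are constructed, and the inventory is an in-memory dictionary standing in for whatever an asset-discovery tool would produce.

```python
import hashlib
import json

# Constructed sample inventory: one entry per control-system device, holding the
# configuration the operator has reviewed and considers known-good.
KNOWN_GOOD = {
    "plc-feedwater-01": {"vendor": "Phoenix Contact", "firmware": "1.2.3",
                         "config": "START=DI0\nSTOP=DI1\nPUMP=DO0\n"},
    "rtu-substation-04": {"vendor": "ExampleVendor", "firmware": "4.0.1",
                          "config": "BREAKER_TRIP=DO3\nVOLT_SP=138kV\n"},
}

def fingerprint(device: dict) -> str:
    """SHA-256 over a canonical (sorted-key) JSON form of the device record,
    so the same configuration always yields the same digest."""
    canonical = json.dumps(device, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()

def build_baseline(inventory: dict) -> dict:
    """Steps one and three: record what you have and its configuration digest.
    The config text itself is kept so a known-good copy exists for recovery."""
    return {name: {"digest": fingerprint(dev), "config": dev["config"]}
            for name, dev in inventory.items()}

def detect_drift(baseline: dict, current: dict) -> dict:
    """Compare a fresh inventory walk against the baseline and report devices
    whose configuration changed, devices that appeared without being baselined,
    and baselined devices that did not answer this time."""
    changed = sorted(n for n in baseline if n in current
                     and fingerprint(current[n]) != baseline[n]["digest"])
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "missing": missing}

def restore_config(baseline: dict, name: str) -> str:
    """Step four: hand back the last known-good configuration for a device."""
    return baseline[name]["config"]

if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD)
    # Constructed later snapshot: the feedwater PLC's start/stop wiring has been
    # swapped (the kind of change shown on the PLC web page in the text), an
    # un-inventoried device has appeared, and the substation RTU did not answer.
    snapshot = {
        "plc-feedwater-01": {"vendor": "Phoenix Contact", "firmware": "1.2.3",
                             "config": "START=DI1\nSTOP=DI0\nPUMP=DO0\n"},
        "hmi-unknown-07": {"vendor": "?", "firmware": "?", "config": ""},
    }
    print(json.dumps(detect_drift(baseline, snapshot), indent=2))
```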

