Power grids are a tantalizing target for sophisticated attackers. In the U.S., every major economic sector relies heavily on electricity. That dependence includes the military as well. Given the rising threat levels, it isn’t surprising that there are calls for the Department of Defense to ends its reliance on the power grid for key military installations.
The Potential Cost of a Power Grid Breach
The economic cost of a successful power grid breach in the U.S. could be monumental. A major insurance underwriter estimated that the potential economic impact of a hypothetical attack on the U.S. Eastern Interconnection, which serves nearly 100 million people, could reach $250 billion.
In addition, the attack and subsequent wide-scale blackout would result in a rise in death rates due to failures in health and safety systems. Whether or not such a large-scale attack is feasible is a subject of debate, as is the question of whether the attackers could be positively identified.
In 2015 and 2016, cybercriminals successfully attacked the Ukrainian power grid. In the first attack, cybercriminals stole an internal user’s credentials and wiped certain control systems clean at five major distribution points on the grid. Operators were forced to resort to 100 percent manual controls as they slowly restored power.
A year later, a second cyberattack targeted the transmission side of the grid, tripping a series of circuit breakers that resulted in an even wider blackout impact. Could this second attack have been a test to see just how far the attackers could go toward attacking a broader grid? The Ukrainian national critical infrastructures are preparing for a repeat.
Far-Reaching Impact
Last year threat actors hit the Board of Water and Light in Lansing, Michigan. While only the corporate network was affected and electrical power delivery was uninterrupted, the utility did shell out $25,000 in ransom to regain access to mission-critical email and accounting servers.
The U.S. power grid is extremely complex, comprised of some 3,300 different utility companies and 5.5 million miles of power distribution lines. There are three principal elements of the grid: power generation, power transmission and power distribution, any of which could become attack targets.
Many of the industrial control systems within this vast grid rely on legacy computers that were not necessarily designed with the kind of security needed in today’s threat environment. They are also very hard to upgrade for better security, so these systems cannot undertake security basics such as authenticating administrators and maintaining activity logs.
Included in this vast U.S. grid are hundreds of smaller electric producers and distributors, such as local municipal power companies and small co-ops. For attackers, these can represent soft targets because they typically lack the kinds of military-grade risk mitigation security needed today.
Attacking just one of them would seem to have limited impact. However, the grid, by definition, is highly interconnected. If one or more of these soft targets were attacked, the grid would sense various supply imbalances that could potentially trip several circuit breakers to avoid damage to sensitive equipment. That is what happened in the second Ukrainian attack. This could set off a cascading effect and result in a broad-scale power outage. In fact, the previously mentioned hypothetical attack on the Eastern Interconnect could be triggered with an attack on just nine transformers.
How to Stop a Power Grid Breach in Its Tracks
The threats to the power grid are real. Below are six steps security professionals can implement to help thwart them.
1. Assign Unique User IDs
User behavior analytics can be very useful in ferreting out qualified users — or those who may have compromised their credentials — whose behavior may be suspicious, such as an engineer looking at credit card payment data, HR files or possibly rooting around control systems that have little do to with their job. To make this possible, utilities must first be using unique user IDs. While this is common in most other industries, it isn’t prevalent in electric utilities today for control systems.
2. Use a Password Manager
Follow the basics of good password hygiene. Consider using a comprehensive password manager that auto-generates lengthy passwords users don’t need to remember. The new NIST password guidelines specify that a longer password — say, 10 letters long — is stronger than an 8-digit, multicharacter password. These password managers also give administrators visibility into password practices without revealing users’ actual passwords.
3. Conduct Phishing Training
As part of ongoing employee education and training, conduct simulated phishing attacks. Also, encourage employees to report suspicious emails, phone calls and even suspicious visitors.
4. Consult a Security Testing Specialist
Consider using a trusted third party to assist in various aspects of security testing. They can be invaluable in helping you develop and maintain an integrated security strategy across several technology and business areas within the utilities industry.
5. Regularly Review Privileged Accounts
Constantly re-examine privileged user accounts. People often change jobs and functions within the energy and utilities industry, and their system access may need to change accordingly.
6. Develop an Incident Response Plan
Develop and implement — again, perhaps via a trusted third party — a comprehensive incident response plan so that a successful breach doesn’t catch you flat-footed.
Incentivizing Cybersecurity
Ultimately, something needs to be done to replace the aging legacy systems at many energy and utilities companies, a difficult task in a relatively low-margin business. The Department of Energy recently offered an award to developers who produce next-generation cybersecurity tools and technologies capable of protecting the energy sector from cyberthreats. These types of incentives could be just what the doctor ordered to address these growing cyber risks.
Read the X-Force Research Report: Energy and Utility Companies — Targeted on all sides
Associate Partner, Security Strategy Risk & Compliance, IBM