Power grids are a tantalizing target for sophisticated attackers. In the U.S., every major economic sector relies heavily on electricity. That dependence includes the military as well. Given the rising threat levels, it isn’t surprising that there are calls for the Department of Defense to end its reliance on the power grid for key military installations.

The Potential Cost of a Power Grid Breach

The economic cost of a successful power grid breach in the U.S. could be monumental. A major insurance underwriter estimated that the potential economic impact of a hypothetical attack on the U.S. Eastern Interconnection, which serves nearly 100 million people, could reach $250 billion.

In addition, the attack and subsequent wide-scale blackout would result in a rise in death rates due to failures in health and safety systems. Whether or not such a large-scale attack is feasible is a subject of debate, as is the question of whether the attackers could be positively identified.

In 2015 and 2016, cybercriminals successfully attacked the Ukrainian power grid. In the first attack, cybercriminals stole an internal user’s credentials and wiped certain control systems clean at five major distribution points on the grid. Operators were forced to resort to 100 percent manual controls as they slowly restored power.

A year later, a second cyberattack targeted the transmission side of the grid, tripping a series of circuit breakers that resulted in an even wider blackout impact. Could this second attack have been a test to see just how far the attackers could go toward attacking a broader grid? The Ukrainian national critical infrastructures are preparing for a repeat.

Far-Reaching Impact

Last year threat actors hit the Board of Water and Light in Lansing, Michigan. While only the corporate network was affected and electrical power delivery was uninterrupted, the utility did shell out $25,000 in ransom to regain access to mission-critical email and accounting servers.

The U.S. power grid is extremely complex, comprised of some 3,300 different utility companies and 5.5 million miles of power distribution lines. There are three principal elements of the grid: power generation, power transmission and power distribution, any of which could become attack targets.

Many of the industrial control systems within this vast grid rely on legacy computers that were not necessarily designed with the kind of security needed in today’s threat environment. They are also very hard to upgrade for better security, so these systems cannot undertake security basics such as authenticating administrators and maintaining activity logs.

Included in this vast U.S. grid are hundreds of smaller electric producers and distributors, such as local municipal power companies and small co-ops. For attackers, these can represent soft targets because they typically lack the kinds of military-grade risk mitigation security needed today.

Attacking just one of them would seem to have limited impact. However, the grid, by definition, is highly interconnected. If one or more of these soft targets were attacked, the grid would sense various supply imbalances that could potentially trip several circuit breakers to avoid damage to sensitive equipment. That is what happened in the second Ukrainian attack. This could set off a cascading effect and result in a broad-scale power outage. In fact, the previously mentioned hypothetical attack on the Eastern Interconnection could be triggered with an attack on just nine transformers.

How to Stop a Power Grid Breach in Its Tracks

The threats to the power grid are real. Below are six steps security professionals can implement to help thwart them.

1. Assign Unique User IDs

User behavior analytics can be very useful in ferreting out authorized users — or those whose credentials may have been compromised — whose behavior is suspicious, such as an engineer looking at credit card payment data or HR files, or rooting around control systems that have little to do with their job. To make this possible, utilities must first be using unique user IDs. While this is common in most other industries, it isn’t prevalent in electric utilities today for control systems.

2. Use a Password Manager

Follow the basics of good password hygiene. Consider using a comprehensive password manager that auto-generates lengthy passwords users don’t need to remember. The new NIST password guidelines specify that a longer password — say, 10 letters long — is stronger than an 8-character password drawn from mixed character classes. These password managers also give administrators visibility into password practices without revealing users’ actual passwords.

3. Conduct Phishing Training

As part of ongoing employee education and training, conduct simulated phishing attacks. Also, encourage employees to report suspicious emails, phone calls and even suspicious visitors.

4. Consult a Security Testing Specialist

Consider using a trusted third party to assist in various aspects of security testing. They can be invaluable in helping you develop and maintain an integrated security strategy across several technology and business areas within the utilities industry.

5. Regularly Review Privileged Accounts

Constantly re-examine privileged user accounts. People often change jobs and functions within the energy and utilities industry, and their system access may need to change accordingly.
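To make steps 1 and 5 concrete, here is an added example (not from the original article) that runs simple checks over a few constructed control-system access-log lines: it flags user IDs that are not in the directory (generic or shared accounts), access to systems outside a user's job role, IDs seen from several hosts at once, and privileged accounts whose holder has moved to a role that no longer needs admin rights. The role map, directory, log lines and system names are all constructed for illustration.

```python
from collections import defaultdict
# Constructed role-to-system map (hypothetical): systems each job role may touch.
ROLE_ACCESS = {
    "relay_engineer": {"scada_hmi", "relay_config"},
    "billing_clerk": {"billing_db"},
    "hr_analyst": {"hr_files"},
}
# Constructed directory: current role and whether the account holds admin rights.
DIRECTORY = {
    "jsmith": {"role": "relay_engineer", "privileged": True},
    "mlee": {"role": "billing_clerk", "privileged": False},
    "rpatel": {"role": "hr_analyst", "privileged": True},  # moved out of engineering
}
# Constructed access-log lines: timestamp, user id, source host, system touched.
LOG = """\
2017-03-01T08:02:11 jsmith eng-ws-04 relay_config
2017-03-01T08:06:02 mlee fin-ws-12 billing_db
2017-03-01T08:09:15 mlee fin-ws-12 scada_hmi
2017-03-01T08:10:30 operator ctrl-room-1 scada_hmi
2017-03-01T08:10:31 operator ctrl-room-2 scada_hmi
2017-03-01T08:12:00 rpatel hr-ws-02 hr_files
"""

def parse(log):
    """Split each log line into a dict; fields are whitespace-separated."""
    return [dict(zip(("ts", "user", "host", "system"), line.split()))
            for line in log.splitlines()]

def role_mismatches(events):
    """Flag unknown (generic/shared) IDs and access outside the user's job role."""
    findings = []
    for e in events:
        entry = DIRECTORY.get(e["user"])
        if entry is None:
            findings.append((e["user"], e["system"], "unknown or shared account"))
        elif e["system"] not in ROLE_ACCESS[entry["role"]]:
            findings.append((e["user"], e["system"], "outside role " + entry["role"]))
    return findings

def shared_account_hosts(events):
    """User IDs seen from more than one host: the ID is probably not unique to one person."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) > 1}

def stale_privileges(directory, privileged_roles):
    """Privileged accounts whose current role no longer justifies admin rights (step 5)."""
    return sorted(u for u, d in directory.items()
                  if d["privileged"] and d["role"] not in privileged_roles)
```

On the constructed log this flags the billing clerk touching the SCADA HMI, the shared "operator" ID active from two control-room hosts, and the HR analyst who still carries admin rights from a previous engineering role.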

6. Develop an Incident Response Plan

Develop and implement — again, perhaps via a trusted third party — a comprehensive incident response plan so that a successful breach doesn’t catch you flat-footed.

Incentivizing Cybersecurity

Ultimately, something needs to be done to replace the aging legacy systems at many energy and utilities companies, a difficult task in a relatively low-margin business. The Department of Energy recently offered an award to developers who produce next-generation cybersecurity tools and technologies capable of protecting the energy sector from cyberthreats. These types of incentives could be just what the doctor ordered to address these growing cyber risks.
