This is the first in a series of blogs on the topic of smart grid cyber security issues and how to overcome them. Stay tuned for future posts on security objectives, strategies, and tools for building a more secure grid.
Cyber threats to our critical infrastructure are nothing new. Since the early 1980’s hackers, vandals and government agencies have exploited the sensitive systems at the heart of oil pipelines, power plants, dams, etc., and done so with varying degrees of success.
Although these attacks were rare, they were highly targeted and exposed serious flaws in the security of the Industrial Control Systems (ICS) on which the utilities rely.
Revealed in 2010, Stuxnet was one of the most devastating cyber-attacks in history, and is considered a game changer in how the world viewed the security of industrial systems.
A highly sophisticated, state-sponsored cyber weapon designed to attack industrial control systems, Stuxnet made headlines as it wreaked havoc on the Iranian nuclear program, leading to serious accidents and even loss of life at an Iranian nuclear power plant.
In the years following Stuxnet, utilities have come under attack more frequently, with some public power providers indicating that they were under a “constant state of ‘attack’ from malware and entities seeking to gain access to internal systems,” as documented in the Electric Grid Vulnerability report created by U.S. Congressmen Edward J. Markey and Henry A. Waxman.
In one extreme example a “utility reported that it was the target of approximately 10,000 attempted cyberattacks each month.”
On December 23, 2015, the Ukrainian Kyivoblenergo, an electricity distribution company in Ukraine experienced a power outage as the result of a sophisticated cyber-attack. The attack was notable, because it was the first attack against a public utility that was designed to disrupt the distribution of electricity.
The attack highlighted the flaw in five commonly held smart grid cyber security myths, namely:
- Industrial Control Systems are isolated. The electricity industry is comprised of a highly complex ecosystem of players, from generation, transmission, distribution operations, and markets. All of these different links in the chain must be connected to some degree. Further, modern industrial control systems rely on more connectivity than ever before. “Isolation” is often achieved with a series of firewalls designed to prevent outside intrusion into sensitive systems. These systems can be bypassed, as was the case of the 2003 Davis-Besse4 power plant attack in which an attacker penetrated the network of an unnamed Davis-Besse contractor, and navigating its way to the Davis-Besse network to introduce malware that would have otherwise been caught by their firewall. Isolation in a utility environment involves more than just connectivity to the larger internet. Removable media, USB tokens, and even laptops are relied on for maintenance at different points of the infrastructure. All of these tools could be used to introduce malware and other security vulnerabilities.
- Nobody will want to attack us. To be sure, the majority of hackers choose targets that present some opportunity for monetary gain, and very few of these adversaries would wish to cause physical harm to people or property. However, we live in a time where vandals, disgruntled employees, terrorist organizations, and even nation states have interest in attacking our critical infrastructure. These attacks occur all too frequently, and threaten to increase as our adversaries become more skilled and our systems more open.
- Utilities only use obscure protocols/systems. In the past this may have been true, but today utilities rely on a multitude of commercial technologies. From communication protocols, operating systems like Microsoft and Linux, to common databases, utilities have turned to common software and hardware tools to save money and create efficiencies. Unfortunately these systems are often well understood by hackers, and provide an easier target of entry than a truly proprietary system.
- Social engineering is not an issue. People are more aware of social engineering than in the past, and utilities certainly train their personnel to spot such threats, but the threat is still significant. All it takes is one employee to click on the wrong link, or open an attachment in an absence of judgement to introduce malware. Such was the case in the Ukrainian Kyivoblenergo attack.
- It’s Encrypted: It’s protected. Encryption and cryptography are essential tools of protection for utilities, and used for data security, integrity, and non-repudiation. Cryptography essentially removes risk from the data and systems and places it on the sensitive cryptographic keys used to sign, encrypt, decrypt, etc. This means the security of cryptographic keys is of utmost importance. Failure to secure these keys means they could be used against the utility, either to decrypt sensitive data, or to sign malware to make it look as if it should be trusted.
In the second blog post in this series, we’ll talk about how utilities can establish security objectives around availability, integrity, confidentiality, and accountability to build trust into their smart grid deployments. [Update: That post, Smart Grid Security Issues: Address Threats to Seize Benefits, is now available!]
Want to learn more? Check out our on demand webinar, Building the Trusted Smart Grid: Threats, Challenges, and Compliance!