It’s not only the Russians who pose risks to power grid cybersecurity. While they do pose some risks, there are more serious threats, especially to unprotected small- to mid-size energy companies, says a new report from the Institute for Critical Infrastructure Technology (ICIT).
“There’s a lot of hype surrounding the cybersecurity of the energy grid,” said James Scott, co-author of the The Energy Sector Hacker Report and a senior fellow at ICIT, a non-profit, non-partisan cybersecurity think tank that provides research and other programs related to cybersecurity.
“Now, more than ever, it is critical to understand the true threats that exist while simultaneously being cautious not to perpetuate the ‘It’s the Russians!’ Cold War rhetoric,” he said.
The biggest threat, he said, is to small- and medium- sized energy providers that don’t take important steps to keep their systems safe from the very real potential for cyber attacks.
Microgrids can keep the power flowing to these companies’ customers if the utility loses power due to a cyberattack. But how do we do to avoid a cyberattack in the first place?’
The Russians have been “parasitically woven through our grid” for many years, said Scott. “They’re very creative and stealthy. You discover them — and the Chinese, Iranians and other nation state actors after they’ve been there.”
This should be taken seriously, he said.
However, actors like North Korea, lone wolves, militant “hacktivists” and activists are most likely to initiate an attack on the grid with the intention of a blackout, he said. Countries like North Korea are most likely to hire lone wolves to hack into the grid, he added.
Their most vulnerable targets are small- to mid-sized energy providers, he said.
“It’s the small- and medium-sized providers who don’t have cyber hygiene that are most prone to attacks,” Scott said. Employees can put energy information at risk by doing things as simple as checking their Twitter account from company computers or using laptops in the field, he said.
Hired hackers can also gain access to an energy provider’s system via a vulnerability in the billing or other systems, for example. The hacker can then do things like gain control of power plant operations while making it look like everything is fine.
Grid cybersecurity requires three lines of defense
What’s needed for these energy providers are at least three lines of defense, said Scott.
First, energy providers need to replace their legacy systems — hardware, servers and software — with newer systems. Second, companies need to create “red teams” that aggressively seek out vulnerabilities in the company’s systems. This task can be outsourced, Scott noted. These red teams should ensure that the energy providers only purchase packages — software, for example — that have security built into them.
What’s more, small- and mid-sized energy companies don’t have a dedicated security manager. They have IT managers, who aren’t necessarily trained to focus on security, Scott said.
Third, energy providers should purchase hardware and software that includes a guarantee of cyber hygiene. This means that if a vulnerability is discovered in the energy provider’s system, the company could purchase what’s called a “patch” to ensure security.
Nozomi Neworks, a company that provides cybersecurity solutions, backs up Scott’s claims, saying more and more unprotected devices are in operational networks.
“With ransomware, hacktivism and nation state attacks on the rise, owners of critical infrastructure can no longer afford to gamble with weaknesses in ICS security,” said the company in a press release.
Scott noted that energy grid hackers aren’t motivated by money. Their motivations tend to be “bad.”
A possible scenario: The Manhattan financial district gets hit with a cyber blackout attack, and the nation’s financial systems are compromised. “What happens to our financial systems then? That’s the kind of thing we worry about. It’s very serious. We don’t worry so much about Wisconsin,” he said.
The U.S. Dept. of Energy is taking these threats very seriously, Scott said.
“The DOE is trying really hard to come up with solutions and standards without stifling the sector’s innovation,” he said.
When the worry began
“I was in New Jersey during the blackout. It was weird and creepy,” said Scott. “Psychologically that’s where all the gloom and doom started about the potential for a national blackout.”
Stoking the worries was Ted Koppel’s book, released in 2015, “Lights Out,” he added.
“In October 2015 Ted Koppel’s book ‘Lights Out’ renewed attention to power grid vulnerabilities and the possibility of impending terror attack. Koppel’s book focused on the potential consequences of an extended power outage and on his opinion that ‘The Department of Homeland Security has no plans beyond those designed to deal with the aftermath of natural disasters,'” says the report. It stoked worries that outages could last for months or years, the report says.
“Koppel’s book is not the most realistic depiction of the American energy sector; however, it received a great deal of acclaim in the months following its release, due in part to media attention on the BlackEnergy malware attack that caused brief blackouts in the Ukrainian power grid,” says the report.
But a simple malware campaign can’t entirely bring down the grid, says the report.
“The interwoven networks of utility companies, transmission networks, distribution hubs, and other facets, are too complex for any one attacker to wholly dismantle…Nevertheless, the energy sector is more vulnerable than most are willing to admit. Many of the legacy systems on which the nation depends lack sufficient backup and redundancy measures.”
Track news about microgrids and grid cybersecurity. Subscribe to the Microgrid Knowledge newsletter. It’s free.
