Cyber threats to utilities, and what to do about them
There was a time when physical attacks by one country on another occurred only during open war. In the past few decades, however, cyber attacks on critical infrastructure have continued to increase in number and sophistication. The main threats come from nation states and criminal gangs, although there is considerable crossover between them. Governments both maintain their own cyber warfare capabilities and contract with criminal gangs. There are others, of course — cyberterrorists, disgruntled employees or ex-employees, competitors, hacktivists and the like — but the majority of attacks seem to be coming from state or state-sponsored actors.
The paths by which malware enters are well known. Direct hacking of Internet-connected systems gets the most publicity, perhaps, but human error — falling for spear-phishing attacks, watering-hole attacks and social engineering scams, and using thumb drives from unknown sources — is a much bigger problem.
This article will look at cyber threats to two vital parts of our infrastructure: electric and water utilities.
Threats to the electric grid
Accenture’s Digitally Enabled Grid survey reveals that distribution business executives cite interruptions to supply (57 percent) as their greatest cyber attack-related concern, closely followed by potential impacts on customer and employee safety. Accenture distinguishes between the main grid and distribution networks: “A typical distribution grid has neither the size of a transmission network nor the same risks of cascading failure. However, distribution grids have the same vulnerabilities and, as a potentially softer target, could be increasingly subject to attack. Breaches by a wide range of potential attackers could have devastating impacts along the entire electricity value chain, from generation through to consumers. A successful attack could erode public trust in the utility and raise questions about the security of all devices along the value chain. Developing effective strategies to secure smart grids against potential cyber breaches is therefore both an imperative and urgently required.”
Perhaps the scariest threat to the electric grid is Crash Override (aka Industroyer), which took down a chunk of the electric grid in Kiev, the Ukrainian capital, in 2016. Cybersecurity firm Dragos Inc. reports that its origins can be traced to the Russian Sandworm team.
This malware is a new type of cyberweapon designed specifically to attack electric grids. According to the National Cybersecurity and Communications Integration Center (NCCIC), which operates under DHS, “CrashOverride malware is an extensible platform that could be used to target critical infrastructure sectors.” And while it does not presently target the U.S., “it is important to recognize that the general TTPs [tactics, techniques, and procedures] used in CrashOverride could be leveraged with modified technical implementations to affect U.S.-based critical infrastructure. With further modification, CrashOverride or similar malware could have implications beyond electric power so all critical infrastructure organizations should be evaluating their systems to susceptibilities in the TTPs outlined.”
Scott Dicus, Dave Mayers, David Price and Nathan Ives suggest that while efforts by federal regulators and the industry itself to improve the security of the electric grid are having some effect, water utilities “are far less centralized and, thus, more vulnerable.” In a January 2017 WaterWorld article, Andrew Williams points out that attacks on water utilities can range from takeover of treatment plants and dams — which has happened: a 2011 attack on an Illinois water treatment plant (variously attributed to Syria or Russia) and a 2016 Iranian attack on a dam north of New York City — to damage to reputation.
Much of the vulnerability of water utilities can be attributed to the large installed base of outdated equipment — specifically, SCADA systems that were built and installed long before cyber threats came along and consequently have little or no protection. The cost of replacing all this equipment is a major hurdle.
Signs of progress
Pushed by government support, “along with an ever-growing list of utilities that have been hacked,” utilities are not ignoring the threat, says a report from ets Insights, which predicts that the market for smart grid cybersecurity systems will reach $7.25 billion by 2020. The North American Electric Reliability Corporation (NERC), says Ed Finkel in an April 2018 article in Security magazine, “has developed industry-wide Critical Infrastructure Protection (CIP) standards for utilities and others in the critical infrastructure sector to follow.” More and more investments are being made in education, Finkel continues, and more and more electric utilities have hired chief security officers who are paying ever-increasing attention to cybersecurity. Utilities are adopting cybersecurity best practices, learning to encrypt all their devices, and enforcing “cyber hygiene.”
A few words of caution
Yet despite all the technological advances of the past few years, the rule still applies: If it’s connected to the Internet, it can be penetrated. And even air-gapped systems are vulnerable. The Stuxnet virus was reportedly delivered through infected thumb drives. Remember what US-CERT says: “There is no set of defensive techniques or programs that will completely avert all attacks, however, layered cybersecurity defenses will aid in reducing an organization’s attack surface and will increase the likelihood of detection. This layered mitigation approach is known as defense-in-depth.”
The bottom line: cybersecurity costs money, and utilities must bite the bullet and spend the money; a successful attack can cost much more.