
How and Why Power Grid Cyberattacks are Becoming Terrorists' Go-To

Image credit: https://safety4sea.com/wp-content/uploads/2018/05/cyber-resilience-concept-image-1280x640.jpg

Cyber threats have become more numerous and more dangerous than ever before. With the number of attacks rising, no sector can consider itself truly safe, and the energy industry is no exception.

Something that used to sound like a sci-fi plot not so long ago has now, sadly, become a reality. Cyberattacks on power grids have the potential to be incredibly devastating to millions of people and hundreds of businesses, disrupting the very flow of our lives and endangering us in many ways. What is worse, it looks like they are going to become a staple in cyber warfare.

Recent examples of power grid attacks

Cyberattacks on electric grids are a development of the last decade. The first documented case occurred in 2015 and affected several electricity providers in Ukraine: more than 230,000 people were left without power for several hours in the middle of winter.

The perpetrators gained unauthorized access to the systems using credentials obtained from several employees of the affected plants. Sadly, the initial compromise came down to human error: the malware that gave the attackers a way into the distribution companies' systems was installed after several workers fell for a phishing email.

According to the North American Electric Reliability Corporation (NERC), another type of cyberattack on power grids involves exploiting vulnerabilities in firewall firmware. Such an attack happened in 2019 and caused communication outages between the control center and generation sites. The report specifies that the disruption occurred because an outside party repeatedly rebooted the company's firewalls. Although each individual communication failure lasted less than five minutes, the attack as a whole went on for around ten hours.
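The pattern described above, many short outages spread over several hours, is exactly the kind of thing a utility's monitoring should catch early rather than after the fact. The script below is an added example for this post, not code from the NERC report or from the affected company: it parses constructed firewall syslog lines (the hostnames, message strings and the `reason=` field are assumptions, to be mapped onto your own firewall's log format), separates planned from unplanned reboots, alerts when one device or the whole fleet reboots unexpectedly too often inside a time window, and measures how long each reboot took the link down.

```python
"""Flag clusters of unplanned firewall reboots and measure the resulting outages.

Added example, not code from the NERC report or the affected company. The log
format, hostnames and message strings below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog: "<ISO timestamp> <host> <message>".
# reason=user_request marks a planned reboot; anything else is treated as unplanned.
SAMPLE_LOG = """\
2019-03-05T08:00:12Z fw-site-a kernel: system boot: reason=user_request
2019-03-05T08:03:40Z fw-site-a ha: peer link up
2019-03-05T09:12:01Z fw-site-a kernel: system boot: reason=unknown
2019-03-05T09:15:22Z fw-site-a ha: peer link up
2019-03-05T11:30:05Z fw-site-b kernel: system boot: reason=unknown
2019-03-05T11:34:10Z fw-site-b ha: peer link up
2019-03-05T13:02:44Z fw-site-a kernel: system boot: reason=unknown
2019-03-05T13:06:01Z fw-site-a ha: peer link up
2019-03-05T17:45:09Z fw-site-a kernel: system boot: reason=unknown
2019-03-05T17:49:30Z fw-site-a ha: peer link up
2019-03-06T02:10:00Z fw-site-c kernel: system boot: reason=user_request
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
BOOT_RE = re.compile(r"system boot: reason=(\S+)")
LINK_UP_RE = re.compile(r"peer link up")


def parse_log(text):
    """Return a list of (timestamp, host, message) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events


def unplanned_reboots(events, planned_reasons=("user_request",)):
    """Group unplanned reboot timestamps per host; key "*" holds the whole fleet."""
    by_host = defaultdict(list)
    for ts, host, msg in events:
        m = BOOT_RE.search(msg)
        if m and m.group(1) not in planned_reasons:
            by_host[host].append(ts)
    fleet = sorted(t for stamps in by_host.values() for t in stamps)
    by_host["*"] = fleet
    return by_host


def reboot_clusters(reboots, threshold=3, window=timedelta(hours=24)):
    """Alert on any host (or the fleet) with >= threshold unplanned reboots inside one window."""
    alerts = []
    for host, stamps in reboots.items():
        stamps = sorted(stamps)
        best = []
        for i, start in enumerate(stamps):
            inside = [t for t in stamps[i:] if t - start <= window]
            if len(inside) > len(best):
                best = inside
        if len(best) >= threshold:
            alerts.append({"host": host, "count": len(best),
                           "first": best[0], "last": best[-1],
                           "span": best[-1] - best[0]})
    return alerts


def outage_durations(events):
    """Seconds from each reboot to the next 'peer link up' on the same host."""
    pending, durations = {}, defaultdict(list)
    for ts, host, msg in sorted(events):
        if BOOT_RE.search(msg):
            pending[host] = ts
        elif LINK_UP_RE.search(msg) and host in pending:
            durations[host].append((ts - pending.pop(host)).total_seconds())
    return durations


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in reboot_clusters(unplanned_reboots(evs)):
        print(f"{a['host']}: {a['count']} unplanned reboots between "
              f"{a['first']} and {a['last']} (span {a['span']})")
    for host, secs in outage_durations(evs).items():
        print(f"{host}: outages {secs} s, longest {max(secs):.0f} s")
```

On the constructed sample, each outage is under five minutes, so a threshold on outage length alone would stay quiet; the cluster check is what raises the alarm, because one site reboots three times without an operator request inside a single day and the fleet four times. Tune the threshold and window to your own maintenance patterns so scheduled reboots do not drown the signal.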

Why power grid attacks are becoming more prevalent

There is a motivation behind every cybercrime. Usually it is monetary gain: extorting a ransom to unblock the affected entity's systems, or selling information gathered in a data breach.

However, there is an additional reason why hackers choose to attack electric grids. It has less to do with profits and more with politics.

Unfortunately, cyberattacks on power grids are very useful in cyber warfare between states. Modern societies run on electricity and if it can’t be delivered to the customer, the scale of the consequences can be extremely large. Heating systems, law enforcement, hospitals, etc. depend on power and when it is cut off, a real collapse can happen, leading potentially to a loss of many lives.

It's easy to understand why this type of attack is so tempting to state-employed hackers. The more devastating the effects are, the better for terrorists, and that is exactly what these hackers are.

Another major cause of cyberattacks on grids is that they often lack proper cybersecurity defenses. This is especially true when the grid uses Internet of Things devices and applications. Unfortunately, adopting smart grid technology can make a provider an easier target for criminals.

Since an IoT environment implies that all the devices are connected to one another, compromising just one of them can be enough to reach more important parts of the system.

Despite the projected growth of the IoT in the industry, these smart devices are notorious for putting functionality and ease of use first and security second. Besides any vulnerabilities they may have, there is also an ever-present risk that the manufacturer discontinues support for a device already incorporated into the grid. The older its last patch becomes, the more unpatched vulnerabilities the device accumulates.

So, to summarize, attacks on electric grids take place because of several main factors. Their destructive potential and the indispensability of power generation and delivery systems to any state make intrusions into them a viable cyber warfare tactic. An additional cause is the vulnerability of smart power grids, which makes them easier to hack into.

How the danger can be mitigated

In its report, NERC provided several recommendations aimed at increasing the cybersecurity of the energy grid. While not an exhaustive list of measures, it still gives a good idea of what can be done to make it harder for malicious parties to disrupt the industry's operations.

To reduce the risks that come from the interconnected nature of devices used in the industry, it is advisable to implement a VPN solution. A VPN, or virtual private network, secures the connection between devices and the network by encrypting it, so that third parties cannot read or tamper with the traffic in transit.

Regarding firmware patches, the lack of which made the attack possible, NERC gives the following advice. A company must monitor the release of firewall firmware patches to ensure that the newest versions are applied. Before applying them, however, it is recommended to test them in a controlled environment.
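Two of the points above, monitoring patch releases and testing them before they reach production, together with the earlier warning about devices whose vendor support has been discontinued, come down to a regular inventory check. The script below is an added example for this post and not a NERC tool or any vendor's API: the device names, models, version numbers, support dates and the `ASSESSMENT_DATE` are constructed, and the vendor feed is a stand-in for whatever advisory source you actually subscribe to. It classifies each firewall as current, awaiting a release that the lab has not yet validated, ready to update, past end of support, or lacking vendor data altogether.

```python
"""Check firewall firmware currency, end-of-support status and lab-validation gating.

Added example, not a NERC tool or a vendor API. Inventory, model names, version
numbers, support dates and the assessment date are all constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    model: str
    firmware: str
    zone: str  # "production" or "lab"


@dataclass(frozen=True)
class VendorRelease:
    latest: str                     # newest firmware the vendor publishes for the model
    end_of_support: Optional[date]  # None while the model is still supported


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.0.3' into (7, 0, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


# Constructed inventory: control-centre and generation-site firewalls.
INVENTORY = [
    Device("fw-cc-01", "FW-2200", "5.4.1", "production"),
    Device("fw-gen-01", "FW-3100", "7.0.3", "production"),
    Device("fw-gen-02", "FW-3100", "7.1.0", "production"),
    Device("fw-gen-03", "FW-1000", "3.2.9", "production"),
    Device("fw-gen-04", "FW-9000", "1.0.0", "production"),
    Device("fw-lab-01", "FW-3100", "7.0.3", "lab"),
]

# Constructed vendor advisory feed, keyed by model.
VENDOR_FEED: Dict[str, VendorRelease] = {
    "FW-2200": VendorRelease("5.4.2", None),
    "FW-3100": VendorRelease("7.1.0", None),
    "FW-1000": VendorRelease("3.2.9", date(2019, 6, 30)),
}

# Releases that have already passed testing in the controlled (lab) environment.
LAB_VALIDATED: Set[Tuple[str, str]] = {("FW-2200", "5.4.2")}

# Constructed date of the assessment run.
ASSESSMENT_DATE = date(2020, 1, 14)


def assess(inventory, feed, validated, today: date) -> Dict[str, str]:
    """Map each device name to one status, most severe wins:
    NO_VENDOR_DATA > END_OF_SUPPORT > UPDATE_* > CURRENT."""
    status: Dict[str, str] = {}
    for dev in inventory:
        rel = feed.get(dev.model)
        if rel is None:
            status[dev.name] = "NO_VENDOR_DATA"  # unknown patch state: treat as unsupported
            continue
        if rel.end_of_support is not None and rel.end_of_support <= today:
            status[dev.name] = "END_OF_SUPPORT"  # no more patches will come; plan replacement
            continue
        if parse_version(dev.firmware) < parse_version(rel.latest):
            # Production units take a release only after the lab has validated it.
            if dev.zone == "production" and (dev.model, rel.latest) not in validated:
                status[dev.name] = "UPDATE_PENDING_LAB_VALIDATION"
            else:
                status[dev.name] = "UPDATE_READY"
            continue
        status[dev.name] = "CURRENT"
    return status


def summarize(status: Dict[str, str]) -> Dict[str, int]:
    """Count devices per status for a one-line dashboard figure."""
    counts: Dict[str, int] = {}
    for s in status.values():
        counts[s] = counts.get(s, 0) + 1
    return counts


if __name__ == "__main__":
    result = assess(INVENTORY, VENDOR_FEED, LAB_VALIDATED, ASSESSMENT_DATE)
    for name, s in sorted(result.items()):
        print(f"{name:10s} {s}")
    print(summarize(result))
```

The gating rule is the part worth copying: a production firewall is never reported as ready for a release until the same model and version has been exercised in the lab, which is the controlled-environment test the report recommends, while a device past end of support is reported for replacement rather than for patching, since no patch is coming.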

The use of screening routers is also encouraged. Such routers operate on predetermined rule sets and block inbound or outbound traffic that meets specified conditions, such as a given source, destination or port.
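The essence of a screening router is an ordered rule set evaluated first match wins, with everything unmatched dropped. The code below is an added example for this post, not any router vendor's configuration syntax: the address ranges (10.1.0.0/16 standing for the control centre, 10.20.0.0/16 for generation sites), ports and rule names are constructed. It evaluates sample flows against the rule set and also audits the rule set for rules that can never fire because an earlier rule already covers them, a common way for an intended restriction to silently stop applying.

```python
"""First-match packet screening with a default deny, plus a shadowed-rule audit.

Added example, not any router vendor's rule syntax. Address ranges, ports and
rule names are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" = toward the control centre, "out" = leaving it
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    direction: str
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (self.direction == flow.direction
                and self.proto in ("any", flow.proto)
                and ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == flow.dport))


# Constructed rule set. Order matters: the first matching rule decides.
RULESET: List[Rule] = [
    Rule("quarantine-site-7", "deny", "in", "any", "10.20.7.0/24", "10.1.0.0/16"),
    Rule("site-telemetry", "permit", "in", "tcp", "10.20.0.0/16", "10.1.5.10/32", 20000),
    Rule("fw-mgmt-from-jump", "permit", "out", "tcp", "10.1.9.5/32", "10.20.0.0/16", 22),
    Rule("ntp-out", "permit", "out", "udp", "10.1.0.0/16", "10.30.0.123/32", 123),
    Rule("ntp-out-old", "permit", "out", "udp", "10.1.5.0/24", "10.30.0.123/32", 123),
]


def screen(flow: Flow, rules: List[Rule]) -> Tuple[str, str]:
    """Return (action, rule name); a flow no rule matches is dropped by default."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "default-deny"


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every flow matching `inner` would already have matched `outer`."""
    return (outer.direction == inner.direction
            and outer.proto in ("any", inner.proto)
            and ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and (outer.dport is None or outer.dport == inner.dport))


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """List (shadowed, shadowing) pairs: later rules an earlier rule makes unreachable."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


if __name__ == "__main__":
    samples = [
        Flow("in", "tcp", "10.20.3.4", "10.1.5.10", 20000),   # legitimate telemetry
        Flow("in", "tcp", "10.20.7.9", "10.1.5.10", 20000),   # from the quarantined site
        Flow("in", "tcp", "198.51.100.7", "10.1.5.10", 20000),  # internet-sourced
        Flow("out", "tcp", "10.1.9.6", "10.20.3.4", 22),      # SSH from a non-jump host
    ]
    for f in samples:
        print(f, "->", screen(f, RULESET))
    print("shadowed:", shadowed_rules(RULESET))
```

Two details carry the security value. The quarantine rule sits above the broader permit, so traffic from a site you no longer trust is dropped even though its addresses fall inside the permitted range; reversing those two lines would silently re-admit it. And the audit flags `ntp-out-old` as unreachable behind `ntp-out`, the kind of leftover that looks like a control on paper but no longer does anything.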


Discussions

Matt Chester on Jan 14, 2020 5:55 pm GMT

This context is so important and greatly appreciated-- thanks Dean!

Unfortunately, cyberattacks on power grids are very useful in cyber warfare between states. Modern societies run on electricity and if it can’t be delivered to the customer, the scale of the consequences can be extremely large. Heating systems, law enforcement, hospitals, etc. depend on power and when it is cut off, a real collapse can happen, leading potentially to a loss of many lives.

This is a great point-- directly attacking civilians is a no go in most contexts (thankfully), but this represents a way to put on the squeeze on a nation's populace without directly attacking. Couldn't be a more important area to stay focused on. 

You note how the danger can be mitigated-- but do you think overall enough is being done? In the cat and mouse game, are utilities ahead or behind of these adversaries? 

Dean Chester on Jan 16, 2020 11:26 am GMT

Hi Matt, and thanks for your question!

You are very right to call the whole situation a cat and mouse game. As of now, though, it is still in a pretty nascent stage and it’s hard to tell who will have the upper hand – especially since we don’t know what bad actors are up to exactly before they strike.

So far, it’s been reported that the US grid can become more vulnerable to attacks. However, the government doesn’t sit idle: the Securing Energy Infrastructure Act is expected to be passed this year. It involves the energy sector companies collaborating with the Department of Energy to find out vulnerabilities and work out solutions. You can look it up on congress.gov to review its whole text.

This bill proposes that manufacturers of critical components of power grids should also participate and I see it as a good sign because it should logically involve IoT device manufacturers. Hopefully, we’ll see major improvements to the cybersecurity of those.

Matt Chester on Jan 16, 2020 12:48 pm GMT

 especially since we don’t know what bad actors are up to exactly before they strike

A very good, and also pretty nerve-wracking, point. Thanks, Dean!

David Svarrer on Jan 22, 2020 8:26 pm GMT

Dear Dean, 

I would like a thorough response from a professional like yourself, why these already very well known methods which I have listed above (there are more, but, ... we cannot write a teaching book here, now can we?), have not been implemented? 

These methods are boring. They are basic. They are secure. They are tested. They are oooooooooooooollllldd school.

But.. They work.

And no: No more "Over The Air" updates or Network Updates. The obese administrators will now need to move their bodies to go and pick up a physical, new, burned circuit (ROM) - and mount it in their computer-systems - for updates. 

Another question: WHY ON EARTH do you guys accept this dorsile idea that "Operating systems must be updated all the time" ? 

There is a good Latin saying: "Does it work? Yes? Then don't touch". 

This updating everything fever is sick, and unnecessary. It reminds me about when I flew to Amsterdam some years ago, and I had a chat with another businessman next to me, and we discussed mobile phones - he laughed and said that the youth are "verbally incontinent". He himself did not have a mobile phone - he had his PA to do all calls etc. - he could not afford having all his time interrupted by these devices. 

Sufficient to say that during a management conference in Denmark in 2018, lots of the CEO's etc. did not use mobile phones anymore, and had dropped lots of these otherwise so hailed "Social Networks" including Linked In - as these were merely time wasters - and many of them said that they had not seen any use of them. 

Back to the point: I'd love to hear your comments on the use of military methods - ROM based startup - locked disks etc., these two for locking down permanent memory - and Watch dog timers (hardware) linked to the software watch dog software - such that any ailment would be detected instantly - and forcing restart of the computer (after which it is de facto clean - as no memory is available anywhere for any malware to hook on to, if that was not clear in the previous message).

Well. 

Looking forward to hearing from you!

David Svarrer

David Svarrer on Jan 22, 2020 7:48 pm GMT

Hi Dean, 

A very insightful article. However. Now to some news which no CSIO would like that I write. 

All these issues about hackers and so on - can be very simplistically solved, by a range of means, which - for some reason beyond my comprehension - nobody is willing to take on!

1. Isolate the entire network, from outside. If any of your staff really can convince you that they NEEEEED to be online - then give them a laptop or similar which is on the "grid" (internet). Pull fibre optics via your high voltage lines if you need your power stations connected.

2. Provide ROM-based startups on all key computers. No flash disks. No Harddrives - purely ROM-based startups. These cannot be corrupted. Don't block the USB drives. Unmount them, or at least cut the cables to them, physically. Or put a snitch-USB-plug, if you absolutely need to update the machines via their USB from time to time.

3. Buy or get created for yourself, a hardware based watch-dog system, which will restart computers which do not behave as they should according to the watch-dog. 

4. Put the computers on software which works real time. 

5. Drop (!!!!!!!) any and all Windows based software in the control of anything critical mission. Windows NEVER was an operating system. It does not have Ring-0 security, it never had HW-locked memory management. I am not writing this out of malice - this is a technical statement. I have no flavours or friends or foes in regards to "Windows", "Linux" etc. - I write what I professionally find correct.

6. Employ BSD Linux or similar secure and hard core Linux installs for the system. This can indeed cost you some sweat - redevelopment of packages which are on Windows - connectivity etc. etc.

7. Remove systems tools which are not necessary, from the disk. You will be surprised how few of the tools you need. You can also keep them physically on another disk, which you - when you do not do system maintenance - simply keep disconnected inside of the computer. A simple UNPLUG of the disk is enough :-)

8. Get hard-key locked harddrives for the softwares on the Linux machines. (these cannot be written to, unless a physical key is inserted and turned).

9. Now fire your CSIO for not having done this here, a long time ago. He or she may indeed be very very qualified - but whoever it is - he/she has no integrity. 

10. Meanwhile you are getting the above done, pray. 

Questions are welcome. 

Sincerely

Rational Intuitive IVS

David T. Svarrer

 

(PS: I am currently implementing 100% secure ROM based IOT-circuits for use in renewable energy - and to the dismay and utter surprise, no hacker whom we have had try to hack the devices has (naturally) had any success - we removed system tools from the platform, locked the harddisk for writing, (physically via wiring), and replaced the Flash-boot with a ROM. That's it.)
