The Cybersecurity Threat for Critical Infrastructures

The U.S. energy sector needs to better prepare for attacks, according to a new report from the Institute for Critical Infrastructure Technology.


It’s pretty easy to sensationalize the kind of havoc that a cyber attack could potentially inflict on an electric grid—images of a city, state or whole country brought to its knees by a malware attack; people dying from the cold or heat; communications brought to a halt. This level of mayhem is unlikely with the U.S. power grid simply because of the complexity of the network. But there’s still reason to be concerned.

“The interwoven networks of utility companies, transmission networks, distribution hubs and other facets are too complex for any one attacker to wholly dismantle,” says a new report from the Institute for Critical Infrastructure Technology (ICIT). “The grid depends on multiple parties who all operate different infrastructure that is configured differently. Redundancy systems and physical failsafes protect the grid from catastrophe.”

And yet the energy sector is plenty vulnerable nonetheless, according to ICIT’s James Scott, senior fellow, and Drew Spaniel, researcher, who authored “The Energy Sector Hacker Report” to provide details on the threats and vulnerabilities.

“Following the cyber attack on the Ukraine power grid [in December 2015], there were reports that pointed out that an important vulnerability within the U.S. is that, unlike Ukraine, our power grid typically does not have manual backup functionality,” Juan Espinosa, ICIT fellow and senior project manager, Parsons, is quoted as saying. “This means that if automated systems controlling our utility power grid were to be attacked, it would take much longer for the response teams to restore power.” The failsafes cannot prevent disruptions, which could affect homes and businesses, and even impede law enforcement and security.

As the report points out, the American electric grid was built to be reliable, flexible and economically competitive. It was not designed for cybersecurity. The industry certainly did not envision then an electric grid that would use the Internet to ease the management and maintenance of critical systems.

Many utilities rely on legacy industrial control systems (ICSs) and supervisory control and data acquisition (SCADA) systems that are well beyond their intended lives and were certainly not designed with cybersecurity in mind. Although new technologies have been combined with the legacy systems, the report’s authors note, “the security added to the preexisting systems is often mismanaged or inadequate to the task of securing the underlying critical infrastructure systems.”

Part of what makes the U.S. power grid vulnerable is its reliance on only about 2,000 high-voltage and extra high-voltage (EHV) transformers, which are large, expensive, and difficult to replace. A cyber attack could strategically target one or more transformers, causing months of outages and hundreds of billions of dollars in damages. “Depending on the duration of the outage, lives could be at risk,” the report says. “While modern critical infrastructure, such as hospitals, have backup generators or micro-grids, average households likely lack the alternate means to refrigerate food, heat or cool homes, or otherwise comfortably survive. The longer an outage lasts, the greater the crime rate and the greater the burden on emergency response services.”

Of course, many of the EHV transformers are monitored or directly controlled by ICSs. And if malware, ransomware or other cyber threats target those systems, the resulting damages could be as severe as a solar storm. “The least extreme prediction of damage from a CME solar storm leaves 15 million people without power for up to six months and results in $217 billion in direct economic damages, $202 billion in indirect damages, and $474 billion in damages worldwide,” the authors note, later pointing out, “Unlike a theoretical CME storm, which might occur once every century, targeted cyber attacks can occur multiple times every second.”

Although cyber attacks against energy infrastructure are often categorized as low risk but severe impact, the ICIT report contends that the control systems—ICS, SCADA, HMI, etc.—are much more vulnerable and at risk than is commonly supposed. Organizations often believe that they are air gapped from broader networks, but that is easier said than done. At this year’s Def Con Hacking Conference, researchers from Trend Micro’s Zero Day Initiative showed that ICSs and SCADA systems are rarely as isolated as operators believe. Insecure credential management—such as a lack of encryption or the use of default passwords—is a common problem, as are default settings in systems that were never designed to be secure.

“When adversaries such as Hail Mary threat actors begin targeting energy systems with intent, easy-to-achieve, severe consequences will inevitably follow,” the ICIT experts note, also adding, “Critical energy systems are too vulnerable and the exploit lifecycle is too long. Even with a reliance on analog failsafes and manual backup systems, the potential impact or loss of efficiency is too great for energy organizations to ignore. Security and resiliency should be assured before systems are connected to networks or openly accessible devices.”

ICIT experts will present their findings Aug. 24 in Washington, D.C., and identify solutions to protect the nation’s critical infrastructures.
