A look into cyber threats in the energy industry with a focus on electric utilities.
A peek into Cybersecurity for electric utilities
A year ago, on Dec. 23, 2015, three regional Ukrainian electricity distribution companies, Kyivoblenergo, Prykarpattyaoblenergo and Chernivtsioblenergo (an oblenergo is a regional electricity distribution company), suffered power outages caused by a cyber attack. About 225,000 customers lost power for one to six hours. More than two months after the attack, the control centers were still not fully operational and some equipment had to be operated manually.
Ukrainian sources reported finding the BlackEnergy 3 malware on the utilities' systems; the intrusion is widely reported to have begun with spear-phishing emails carrying malicious Microsoft Office documents, and the attackers ultimately used the utilities' own SCADA systems to open breakers at dozens of substations. Responders also found a wiper component called KillDisk that was used to disable both control and non-control-system computers. At the same time, the attackers flooded utility call centers with automated telephone calls (a telephony denial of service), impairing the utilities' ability to receive outage reports from customers and frustrating the response effort.
The anatomy of the attack has been covered by many reporters and analysts; here is one snapshot of the kill chain.
Attacks on Industrial Control Systems (ICS) have been rising, and the energy sector is the second most targeted according to ICS-CERT statistics.
Why is it so easy to hack into an ICS?
Standardization: Because industrial controls are standardized and OT systems stay in service for decades, information about how to program legacy OT technology, and therefore how to break into it, along with its known vulnerabilities, is widely available on the internet.
Convergence of OT and IT: To increase visibility and optimize operations, OT systems are being connected to enterprise IT networks, which adds attack paths and has led to more incidents.
Increased attack surface: Smart grid technologies such as advanced metering infrastructure (AMI), intelligent edge devices and distributed generation expand the attack surface.
Embedded vulnerabilities: Many of the key protocols used to control devices (Modbus and DNP3 as commonly deployed, among others) were designed for availability and control, not security. They carry no authentication or integrity protection, so any host that can reach a device can issue commands to it, and weaknesses intrinsic to the protocols are hard to mitigate without replacing them.
Unpatched systems and devices: Some devices on the power grid are decades old, with too little computing power and communications bandwidth to support current security protections. Devices and systems are patched infrequently because operators worry that a patch may force a reboot or shutdown and cause an outage.
Lack of cryptographic protection: OT systems control real-time operations with latency budgets in the millisecond range. Security mechanisms such as encryption and message authentication add processing and communication overhead that older hardware may not tolerate, so systems with hard real-time requirements often cannot adopt newer security controls.
Physical protection: Grid assets and substations in remote locations are hard to protect physically. Shooting at critical equipment such as transformers, or tampering with or sabotaging edge devices, can cause extensive damage to utility operations.
What are some ways hackers gain access to ICS?
Gain direct physical access to the ICS (for example through a malicious employee or contractor, or an infected hardware device).
Find an open Internet-facing port on a control system device using the Shodan search engine or a specialized scanning tool.
Steal an employee's credentials for a web application that is used to access the ICS.
Bypass the security configuration of such a web application to reach the control system without a password.
Install specialized malware on the energy company's enterprise network that is capable of spreading to the control system.
Attackers use techniques such as spear phishing, cross-site scripting, drive-by downloads, watering holes and wrappers/packers to evade security defenses and gain access to the ICS.
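As an added illustration, not code from the original article, of the protocol weakness listed under "Embedded vulnerabilities" and of why an open Internet-facing port (the second access route above) is enough on its own: the Python below builds and parses Modbus/TCP frames according to the public Modbus specification, showing that a write command is a 12-byte message with no credential, signature or integrity field, and then runs a passive detector over constructed sample traffic that flags write function codes from any host that is not a known master. The IP addresses, unit and register numbers and the list of authorized masters are assumptions made for this example; a real deployment would feed the detector from a network tap or span port.

```python
import struct

# Modbus function codes used here (from the public Modbus application protocol spec)
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTION_CODES = {FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER, FC_WRITE_MULTIPLE_REGISTERS}


def build_modbus_tcp(transaction_id, unit_id, function_code, data):
    """Build a Modbus/TCP frame: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2 bytes), protocol id (2 bytes, 0 for Modbus),
    length (2 bytes, unit id + PDU), unit id (1 byte). There is no field for
    a credential, signature or MAC anywhere: whoever can reach TCP/502 can
    issue this command.
    """
    pdu = struct.pack(">B", function_code) + data
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def write_single_register(transaction_id, unit_id, address, value):
    """Function 0x06: set one holding register (e.g. a setpoint or command word)."""
    return build_modbus_tcp(transaction_id, unit_id, FC_WRITE_SINGLE_REGISTER,
                            struct.pack(">HH", address, value))


def read_holding_registers(transaction_id, unit_id, address, count):
    """Function 0x03: read `count` holding registers starting at `address`."""
    return build_modbus_tcp(transaction_id, unit_id, FC_READ_HOLDING_REGISTERS,
                            struct.pack(">HH", address, count))


def parse_modbus_tcp(frame):
    """Decode a Modbus/TCP request; raise ValueError on anything malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus" % protocol_id)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame" % length)
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": frame[7],
        "data": frame[8:],
    }


def audit_modbus_traffic(observed, authorized_masters):
    """Passive check: flag write function codes from hosts that are not known masters.

    `observed` is a list of (src_ip, dst_ip, frame_bytes) as a tap would deliver
    them. Because the protocol itself cannot refuse the write, restricting and
    monitoring the source is the compensating control.
    """
    alerts = []
    for src, dst, frame in observed:
        try:
            msg = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append((src, dst, "malformed: %s" % err))
            continue
        if msg["function_code"] in WRITE_FUNCTION_CODES and src not in authorized_masters:
            alerts.append((src, dst, "unauthorized write fc=0x%02x unit=%d data=%s"
                           % (msg["function_code"], msg["unit_id"], msg["data"].hex())))
    return alerts


# Constructed sample traffic (addresses and register numbers are illustrative):
# the HMI at 10.10.1.5 is the only legitimate Modbus master; 203.0.113.7 is an
# outside host that reached the RTU at 10.10.1.50 through an exposed port.
AUTHORIZED_MASTERS = {"10.10.1.5"}
SAMPLE_TRAFFIC = [
    ("10.10.1.5", "10.10.1.50", read_holding_registers(1, 1, 0, 10)),    # routine poll
    ("10.10.1.5", "10.10.1.50", write_single_register(2, 1, 40, 1)),     # operator command
    ("203.0.113.7", "10.10.1.50", write_single_register(3, 1, 40, 0)),   # same command, unknown source
    ("203.0.113.7", "10.10.1.50", b"\x00\x04\x00\x00\x00\x03\x01\x06"),  # truncated write frame
]


def run_sample_audit():
    """Return the alerts the detector raises on the constructed traffic."""
    return audit_modbus_traffic(SAMPLE_TRAFFIC, AUTHORIZED_MASTERS)


if __name__ == "__main__":
    for src, dst, reason in run_sample_audit():
        print("ALERT %s -> %s: %s" % (src, dst, reason))
```

Run as a script it prints two alerts: the write from 203.0.113.7 and the truncated frame. The operator's own write from the HMI is byte-for-byte the same kind of message as the attacker's; only the source address distinguishes them, which is the whole point. Note that a source-address check is defeated from any compromised host already on the OT network, so it belongs alongside network segmentation and firewall rules that keep TCP/502 reachable only from the control network, not as a replacement for them.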
How are electric utilities in North America dealing with cyber risk?
Utilities in North America must comply with the NERC CIP (Critical Infrastructure Protection) standards. NERC's board adopted the CIP cyber security standards (CIP-002 through CIP-009) in May 2006, effective June 1, 2006, with an implementation plan whose compliance milestones began in 2007. The Energy Policy Act of 2005 had given the Federal Energy Regulatory Commission (FERC) authority over mandatory reliability standards, and FERC approved the CIP standards in Order No. 706 in January 2008, making them mandatory and enforceable for all users, owners and operators of the bulk power system.
NERC CIP Version 5 was approved by FERC on November 22, 2013 (Order No. 791). It categorizes BES Cyber Systems as high, medium or low impact according to their effect on the Bulk Electric System (BES), which helps organizations identify risks to their infrastructure and prioritize mitigation. High- and medium-impact BES Cyber Systems had to comply with CIP Version 5 by April 1, 2016, while low-impact systems have until April 1, 2017. Fines for non-compliance can reach $1 million per day for each violation of a CIP standard.
CIP Version 6, approved by FERC in January 2016 (Order No. 822), updates seven standards and has an effective date of July 1, 2016.
Looking at the CIP requirements, one quickly concludes that there is no single solution that strengthens security. Utilities need a combination of tools to implement a defense-in-depth strategy and secure critical infrastructure; the solution set should include prediction, prevention, detection and response capabilities. Adoption of cybersecurity solutions, however, varies widely across utilities. Large utilities such as investor-owned utilities (IOUs) have the budgets and personnel to implement and manage sophisticated security solutions from leading vendors. Smaller utilities such as cooperatives and municipal utilities often lack both the budget and the security staff to deploy them.
Cyber threats are continuously increasing, and attackers patiently architect elaborate attacks that can take down multiple critical assets at once. In the Ukrainian grid attack, the intruders began gathering information at least six months before the outage and learned how to operate the control systems. The latest cybersecurity products use machine learning and artificial intelligence to analyze data from multiple sources and predict when an attack might happen. Can utilities keep up with these fast technology innovation cycles and keep upgrading their cybersecurity solutions? Do their procurement cycles even allow for a yearly assessment? Should they look for a 'one stop' solution from a Managed Security Service Provider (MSSP)? Even though the cybersecurity market is overcrowded, only a limited number of startups focus exclusively on industrial control systems and critical infrastructure such as electric utilities, a segment that is among the most targeted. So, what is the solution?