
CYRIN Newsletter

Leave the Lights On: Four Cyber Threats that should keep Utility Operators and Cyber Defenders up at Night

The modernization of Industrial Control Systems (ICS) in the electric power industry will render the industry vulnerable to increased cyber security risks. The network of power plants and power lines that connect homes and businesses is among the world’s most critical infrastructures – and developments in technology have increased the utility’s “attack surface.” The once clear dividing lines between the grid’s physical systems and its technological systems have been blurred. According to a Deloitte report, an attack on technology can be an attack on the power grid itself—disrupting financial communications, transportation, water and sewer networks, and on and on. If that were to happen, the population would be left “in the dark” and “vulnerable.”

The U.S. electricity industry is undergoing a rapid change in its operations and controls. In the report titled “Supply Chain Risks of SCADA/Industrial Control Systems in the Electricity Sector: Recognizing Risks and Recommended Mitigation Actions,” the authors note that changes in the industry are being driven by “developing technologies, the convergence of information technology (IT) and operations technology (OT), and new business models.” In the report, the authors highlight how Supervisory Control and Data Acquisition (SCADA) systems are at the intersection of the industry’s transformation. SCADA systems, they write, “are increasingly under attack, from both a cyber and operational perspective, illustrating a growing vulnerability in the electricity grid.” As a result, it is imperative to our national security that organizations anticipate changes, understand risks, and take proactive measures to mitigate and protect against such dangers.

Listed below are four areas of increased risk—threats to the utility industry and to the nation itself that should keep operators and cyber defenders awake at night.

  1. Blurred Lines between Cyber-Attacks & Physical Attacks: The modernization of the electric power industry’s Industrial Control Systems (ICS) has resulted in the convergence of Information Technology (IT), Operational Technology (OT), and the physical equipment-oriented technologies and systems that run the plants (ICS)—leaving physical utilities increasingly vulnerable to cyber attacks. Previously, attackers primarily targeted utilities’ IT systems, which were separate from the physical equipment itself. Now, technology is part of the physical equipment. Due to that technological interconnectivity, ICS “can be an entry point into the organization’s other IT systems.” A cyber attack can be a physical attack as well. As Deloitte reports, cyber attackers are increasingly targeting ICS, “laying the groundwork to do physical damage to the grid.” While previous attacks “targeted utilities’ IT systems to steal data or launch ransomware for financial gain,” the threat is growing, becoming a wide-scale threat to infrastructure, “with reports of hackers tied to nation-states and organized crime trying to burrow their way into utility ICS, seeking to learn how systems operate, and positioning themselves to control critical physical assets, such as power plants, substations, transmission, and distribution networks, and to potentially disrupt or destroy them.”
  2. Nation States Attempting to Penetrate the Grid: The blurring of the lines between cyberattacks and physical attacks has prompted national security concerns in countries around the globe. In March 2018, the Department of Homeland Security issued Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. The Alert provided “information on Russian government actions targeting U.S. Government entities” in addition to organizations “in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” Nation-states are suspected of carrying out attacks to further political goals—and this activity is on the rise. In “Cyber Threat and Vulnerability Analysis of the U.S. Electric Sector,” a report prepared by Mission Support Center and Idaho National Laboratory, the authors write, “Threat actors on multiple fronts continue to seek to exploit cyber vulnerabilities in the U.S. electrical grid. Nation-states like Russia, China, and Iran and non-state actors, including foreign terrorist and hacktivist groups, pose varying threats to the power grid.” The report continues, “A determined, well-funded, capable threat actor with the appropriate attack vector can succeed to varying levels depending on what defenses are in place.”
  3. Difficulty Finding and Retaining Top Cyber Security Talent: In “Cyber Threat and Vulnerability Analysis of the U.S. Electric Sector,” the authors note that “Utilities often lack full scope perspective of their cyber security posture.” Total awareness of all vulnerabilities and all threats at all times is impossible, “but without enough cyber security staff and/or resources utilities often lack the capabilities to identify cyber assets and fully comprehend system and network architectures necessary for conducting cyber security assessments, monitoring, and upgrades.” In CYRIN’s February Newsletter, we highlighted the growing cybersecurity talent gap and the ways this gap might leave the electric grid—America’s first line of defense—vulnerable. “If a mass power outage were to result from a successful cyberattack on the electric grid, national security and economic stability would be threatened,” Constance Douris writes in Forbes. “This is because hospitals, banks, factories, pipelines, financial networks, water systems, telecommunications and military bases would simply not function without electricity.” Two systems comprise the electric grid in the U.S.: the distribution system and the bulk power system. “One vulnerability of the U.S. grid is that cybersecurity standards do not exist for the distribution system,” Douris writes. But in reality, that means both systems are vulnerable—because the bulk power system is linked to the distribution system. “A successful cyberattack on one or two utilities could create a ripple effect, destabilizing electricity in large areas.” It is imperative to increase the skills of the cyber security talent pool, grow its numbers, and retain the top talent to protect our grid.
  4. Connected Customers and the Internet of Things (IoT): In “Supply Chain Risks of SCADA/Industrial Control Systems in the Electricity Sector: Recognizing Risks and Recommended Mitigation Actions,” the authors write, “The traditional one-way electricity grid that produces electricity at generating stations, delivers via transmission and distribution networks, and measures consumption is transforming into a multi-directional network. Smart grid technologies are increasingly used to monitor, automate, and remotely operate the American power sector.” The advent of IoT in utilities has led to great improvements in the industry. Smart meters, smart power grids, energy conservation, regulatory compliance, predictive maintenance, safety, supply chain management—all these innovations help improve efficiency, generate revenue, and conserve resources. They also, however, leave utilities vulnerable to attack. In the same way that the modernization of the electric power industry’s ICS has resulted in the convergence of IT and OT, connected customers and the IoT also increase vulnerability. “The two systems have been converging as companies digitize and build the power sector’s version of the industrial internet of things, including the ‘smart grid,’” Deloitte reports. “As challenging as it may be for power companies to identify their own critical assets and protect them, the challenge seems to be expanding exponentially, since today’s interconnected world also requires them to secure vast, far-flung, and increasingly complex global supply chains.”


How do you combat these risks? One way to do it is by training. Training equals preparedness. As we do for the military, we can do for you. CYRIN offers unlimited on-demand training opportunities for you and your team with three levels of training including 35+ cyber labs, multiple training exercises and now several attack vectors on SCADA/Industrial networks for the utility industry.

What is CYRIN? CYRIN® is a business unit of Architecture Technology Corporation, headquartered at their ATC-NY cyber security division in Ithaca, NY. We train you in all things CYBER, from potentially leaky Web Applications to Denial of Service attacks to Forensics Investigations. We think the best way to train is to actually do it.

Let Go of the Physical. It's Time to get Digital.

CYRIN lets you use real tools, real attacks, and real scenarios to hone your skills in a virtual environment. CYRIN training supports the current generation of cybersecurity professionals while developing the next generation of cybersecurity leaders—and even more importantly, can help save your organization from a disastrous cyberattack. CYRIN trains you in the next generation of cybersecurity skills from your own desktop. With virtual cybersecurity training in a real-world environment, CYRIN lets you test your cybersecurity skills on your own schedule with no custom software or travel necessary.

One way to combat the shortage of cyber security professionals is to invest in training. CYRIN offers unlimited on-demand training opportunities for you and your team with three levels of training including 30+ cyber labs, multiple training exercises and now several attack vectors on SCADA/Industrial networks for the utility industry. Come see for yourself. Our site is always open.
