Attacks/Breaches
11/26/2013
08:06 AM
Robert Hinden
Robert Hinden
Commentary
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

What IT Can Teach Utilities About Cybersecurity & Smart Grids

Protecting smart grids from cyber attack is a popular conversation in information security circles. But the threats are far worse than generally believed.

There is a perception within IT circles that cybersecurity threats against critical infrastructure like smart grids are a problem waiting to happen -- but not right away. The reality is much more dire. Last year alone, there were a number of sophisticated attacks, and they should offer a wakeup call for the power industry.

According to figures from Department of Homeland Security's Industrial Control Systems Computer Emergency Response Team (ICS-CERT), 41% of incidents reported and investigated by the agency last year were related to the energy industry.

Smart grids refer to the new IP networks being installed in the power grid, including substations, distribution and transmission networks, and smart meters. Utilities see a lot of advantages to smart grids, such as real-time measurement of power consumption, a better understanding of use patterns, and the ability to add and disconnect customers remotely. These improvements will generate electrical power more efficiently and in a way that better matches demand.

If the vulnerabilities and security concerns are not addressed, the consequences will be terrible. An attack against a corporation would be inconvenient for the company, and online identity theft can be troublesome to the victim, but a smart grid attack would impact more victims and have far-ranging effects. If a city lost power, hospitals would have to scramble to keep life-support systems on, traffic jams and accidents would occur because the traffic lights are out, and residents would be trapped in the dark.

A worldwide problem
Smart grids also represent the biggest upgrade to the electrical power infrastructure in many years. In the US alone, $3.4 billion of federal stimulus funds have already been for electric grid projects. The shift to these new networks is also a worldwide trend, making cyberattacks a global problem.

Smart Grid
Most enterprises standardize across operating systems, but with smart grids, it's not unusual to find Windows 95 machines running critical systems.
Most enterprises standardize across operating systems, but with smart grids, it's not unusual to find Windows 95 machines running critical systems.

The attackers are already knocking. Last year a denial of service attack knocked the internal communications system of a German power utility specializing in renewable energy offline. The supply of electricity to customers was unaffected, but it reportedly took a few days to repair and bring back the email server and other communications platforms.

The traditional thinking is that smart grids are isolated networks separated from the Internet (protected with a firewall or two) and require a VPN for remote access. But this kind of perimeter security, with a hard exterior and soft interior, is not close to being sufficient anymore.

The Internet is a big source of threats, but the ever-dependable USB stick is turning out to be a very common attack vector. Remember that Stuxnet, the cyberweapon that disabled the centrifuges at Iran's Natanz nuclear facility, was initially spread via infected USB sticks.

In fact, toward the end of 2012, ICS-CERT reported that the industrial control systems at a power generation facility (which it did not name) had been infected with "both common and sophisticated malware" by a tainted USB drive. ICS-CERT investigated another malware infection at a power company in October 2012, this time in the turbine control system. This infection was also caused by a USB drive. It impacted about 10 computers on the control system network and delayed the plant's reopening by three weeks.

That being said, completely isolating a smart grid network from the Internet is not sufficient to truly protect it.

Blame it on passwords
Not surprisingly, default passwords are also a problem for smart grid equipment. So long as the local administrator doesn't disable the default account or change the hard-coded default passwords, attackers have a backdoor into the system. The problem is widespread across vendors. Power equipment vendors have not learned the lessons learned elsewhere.

RuggedCom's Rugged Operating System, used in many industrial control systems, has a hard-coded RSA SSL private key. The Magnum MNS-6K Management Software from GarrettCom has an undocumented hard-coded password. Siemens, the undisputed giant in this space, shipped its Synco OZW devices with a default password protecting administrative functions.

No one really knows the extent of the current problem; there haven't been a lot of incidents of this nature reported to ICS-CERT. Energy companies and electrical equipment vendors are not security experts. They don't know how to deal with the kind of sophisticated threats and attacks enterprise IT teams routinely face.

Still, there are many lessons the power industry can learn from enterprise IT, including the value of implementing layers of security (such as antivirus, anti-malware, and anti-bot software) on each device and control system. Though prevailing opinion says critical power systems should never be on the Internet, putting these systems online is actually a good security step. The software can be automatically updated whenever new signatures or versions are available. Running old, outdated security software is not adequate.

Current approaches are not adequate
Most enterprises standardize across a handful of operating systems. In the energy industry, it's not unheard of for Windows 95 machines to run critical systems. IT administrators need to make a business case to replace these older, more vulnerable, and harder-to-remediate network and systems. Staff members needs to be trained to improve their security capabilities.

There are already a number of smart grid standards, such as NERC-CIP, a federal regulation to protect critical infrastructure; IEC 61850, which covers how to network infrastructure; and IEEE 1613, which outlines environmental requirements for IT equipment in substations. These standards identify areas where utilities need to improve.

Securing the smart grid is essential, but it won't be easy. The good news is the tools and resources are available for utilities to get the job done. Just ask a colleague in IT.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RodneyH403
50%
50%
RodneyH403,
User Rank: Apprentice
12/10/2013 | 6:39:22 PM
RBAC part of the solution
When it comes to default passwords, the asset owners need to pay more attention to specifying requirements for Role Based Access Control using Standards such as IEEE 1686.

As far as Ruggedcom is concerened I believe that default password cyber security issues were addressed quite some time ago (12 months + ?) which seems to be a responsible approach.  Not sure what benefit there is in raising an old resolved issue against a select vendor - FUD??

Once decent RBAC is implemeneted by the asset owner, it is then about how do they manage that access to the devices with large numbers of users and large numbers of devices so solutions like the Siemens Ruggedcom Crossbow system comes into play controlling and recording all activity.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/6/2013 | 1:53:18 PM
Re: IoT & Smart Grids
Kristopher Ardis, executive director of Energy Solutions for Maxim Integrated, offers some additional perspective in a recent article in SmartGrid News, Smart grid, the Internet of Things and Security, an inside look . Focusing on the similarities between smart grids and IoT, Ardis says smart grid deployments offer several reasons why "security must be designed in from the start" of any IoT deployment, among them:
  • A multitude of remote, distributed sensors and control devices are deployed Iin IoT where they will not be supervised. Unlike an ATM with a security camera nearby, there is no oversight on a smart meter. This makes it easy for an attacker to acquire devices for study.
  • There are risks with machine-to-machine communication. When devices are communicating with each other with little human interaction, tampering may be difficult to detect until something catastrophic happens.


Interesting analogy and food for thought! Anyone agree or disagree?

 

 

 

davidjwilson@rogers.com
50%
50%
davidjwilson@rogers.com,
User Rank: Apprentice
12/6/2013 | 12:19:51 AM
Re: Win 95
Why is Windows ANYTHING running these systems???
ChrisMurphy
50%
50%
ChrisMurphy,
User Rank: Apprentice
12/4/2013 | 2:00:03 PM
Win 95
I'm not shocked to hear utilities using Windows 95 in critical grid machinery. I was discussing Internet of things strategy with a manufacturing CIO, and he said this is one thing that holds them back -- they have Windows versions much older than 95 running machines, and they don't dare put those on a network.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/3/2013 | 9:19:13 AM
Re: A frightening thought!
Totally agree, Stratusician, that these power grid vulnerabilities are really scary. One of the most frightening revelations in the article was that Windows 95 machines still run many critical systems.
Stratustician
50%
50%
Stratustician,
User Rank: Moderator
12/2/2013 | 7:35:59 PM
A frightening thought!
What a great wake-up call to one of the lesser known, yet potentially more critical, threats due to the age of cloud and internet.  As the Internet of Things and the push to connect infrastructure to the cloud increases, it's frightening to think of the risk of devastation it brings.  In the worst case, when you consider electronic warfare, these systems could have devastating outcomes.  After all, to think that all nuclear missle launch codes were set to 00000 for the longest time, and the weakness of password security, this is truly a recipe for disaster.  Unfortunately, only a forced revamp of security controls for these systems will help reduce the risks from these threats.
Bswarthout49
50%
50%
Bswarthout49,
User Rank: Apprentice
11/27/2013 | 3:37:10 PM
External Threats
I found this to be a very insightful article and there is a lot to take away from it. It seems more and more utilities are moving to offline air gaped enviornments to avoid any interaction with the oustide world. Still, the question remains, how do you validate the integrity of files that would enter such a utility via USB from a contractor/vendor/employee, etc?

I would encourage you to read how OPSWAT Security Applications allow you to design security controls which dictate which and what kinds of media and file types are allowed into critical infrastrucute.
Chuck Brooks
50%
50%
Chuck Brooks,
User Rank: Apprentice
11/27/2013 | 10:36:54 AM
Cybersecurity/smartgrids
Thanks Robert for an excellent article. Our utilities and smart grids are indeed vulnerable and are under attacked more than we are aware. Thankfully, DHS, NIST, and the not-for-profit Council on Cybersecurity have identified this issue of critical infrastrucutre protection as an urgent priority.
Susan Fogarty
50%
50%
Susan Fogarty,
User Rank: Apprentice
11/27/2013 | 9:22:29 AM
Re: Another security threat to keep us up at night
Marilyn, I agree. This is one of those topics that I am surprised doesn't get more attention. Especially now that energy companies are using remote monitoring to measure customer consumption, their networks have become very dispersed. Bob, do you see utilities making moves to hire more people with IT and security backgrounds to help beef up their security postures?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/26/2013 | 3:31:50 PM
Another security threat to keep us up at night
This is a fascinating article that opens up a whole new set of security concerns. Your example of the denial of service attack last year that knocked out the internal communications system of a German power utility is striking example about how vulnerable industrial control and eneergy systems are. As the Internet of Things expands, it's only going to get worse. Thanks for raising the red flag, Bob. 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3407
Published: 2014-11-27
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 9.3(.2) and earlier does not properly allocate memory blocks during HTTP packet handling, which allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCuq68888.

CVE-2014-4829
Published: 2014-11-27
Cross-site request forgery (CSRF) vulnerability in IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allows remote attackers to hijack the authentication of arbitrary users for requests tha...

CVE-2014-4831
Published: 2014-11-27
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to hijack sessions via unspecified vectors.

CVE-2014-4832
Published: 2014-11-27
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to obtain sensitive cookie information by sniffing the network during an HTTP session.

CVE-2014-4883
Published: 2014-11-27
resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?