8/2/2018 02:30 PM
Cameron Camp
Commentary

Power Grid Security: How Safe Are We?

Experiencing a power outage? It could have been caused by a hacker ... or just a squirrel chewing through some equipment. And that's a problem.

As I type this, parts of the Pacific Northwest are recovering from a power outage cascading across multiple towns. The cause? A contractor with a piece of heavy equipment severed a buried copper power line. The contractor is very sorry (and poorer), and we all now understand how secure we are against bulk power outages — digital or otherwise.

Digital technology is new for the power grid. Whereas in the computer security world, we focus on things such as system integrity or confidentiality as our primary goal, those are far from the top driver for the power grid folks. Here, the focus is system availability, where typical system uptimes are measured in decades. No one calls the power company to report that the grid is running smoothly, but have an outage and a flood of complaints pours in within seconds. This dynamic drives the lack of appetite for potentially vulnerable digital systems that could affect uptime.

It makes a certain kind of sense. After all, what if your computer was designed before the Internet existed, had to run for decades, cost millions, arrived on a train car, and required a crane to install? Would you upgrade when a new app came out because some guy in IT thought doing so "might" be a good idea? Not likely.

What about the personnel running the grid: Should they be anxious to install remote management software they don't totally understand because it "might" be better in some way? Again, not likely.

The amazing part is that the grid actually works, and for very long periods of time. But enter a new threat: foreign (or domestic) actors bent on crippling commerce, hospitals, and transportation; now you can understand the temptation to meddle digitally with the power grid, and the need to defend it all. And digital attacks are on the rise, as we recently investigated.

When we observe the progression of attacks against critical infrastructure, they start with large-scale reconnaissance, where would-be attackers assess the attack surface and build dossiers of weaknesses. While there may be some specific attacks against high-value targets, think of it largely as weapons stockpiling based on gathered intelligence.

In the few actual attacks seen to date, the hackers' next step has been to attempt some low-level attacks to gauge the target's readiness to detect and respond to an attack, and how quickly it responds. After that, the more sophisticated attacks ramp up.

However, because potential attackers have their own goals and targets in mind, there's no such thing as a one-size-fits-all attack. But the security goal from the defenders' mindset is the same — to protect what matters.

I recently interviewed a security staff member working in the power sector, and he related a close call in which attackers almost succeeded in crippling a large power transformer supplying a major tech metropolitan area. The attack: taking out a critical bottleneck, unfortunately located right next to a major freeway — providing easy access, anonymity, and ease of egress.

The attack didn't succeed, but not for reasons you might expect. The attackers damaged a link from the transformer to the bulk transmission lines but didn't use quite enough force. The company's response was to replace parts and get the system back up and running, not necessarily to assess what other potentially crippling attack vectors might exist or to perform a comprehensive post-mortem investigation. Had the attacker been more successful and the more specialized parts failed, replacing them might have taken a month.

Steps Forward
Recently, at a summit on Capitol Hill, I spoke during a collaborative event for private, public, legislative, and military personnel to discuss the way forward. While no single piece of that puzzle is a silver bullet, direction and budget from the Department of Energy, the National Institute of Standards and Technology, and others, along with industry technology can help.

Initiatives aimed at information sharing among electrical grid players are a positive step forward but are still hampered by barriers created by security clearance requirements. Also, participants need safe harbor initiatives to encourage sharing without fear of retribution. Technology solutions, however, such as supply chain integrity testing and multifactor authentication, are slowly moving forward.

Still, underlying it all is a people problem. The most senior folks (nearing retirement) — the ones with the experience to keep the power grid running — are reluctant to embrace digital security. After all, they're not going to get raises if they learn this new-fangled digital security thing (since they're at or near the top of the pay scale anyway), and they stand a chance of being punished for potential missteps.

Until digital natives who also have mastered the art of keeping the grid humming can begin to view the problems through a security lens, we will continue to see low-level hacks against important systems.

This is why the scammers don't even need elite technologists and zero-day exploits when they can gain access through ancient operating systems and operators who don't feel all that comfortable with technology.

Meanwhile, some grid equipment still runs Windows NT, where no security patches are even available. These systems have little or no authentication and run on horribly insecure protocols like Modbus. But the incentives to upgrade a $5 million generator to increase communication security are low.
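As an added illustration (not code from the article or from ESET), the Python below parses Modbus/TCP request frames and flags write operations coming from hosts outside an assumed allowlist. Because the protocol carries no credentials at all, source-based monitoring of this kind is one of the few controls a defender can add without touching the equipment itself; the IP addresses, allowlist and sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change device state (writes), per the Modbus spec.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

# Assumed allowlist of hosts permitted to issue writes (constructed): the SCADA master.
ALLOWED_WRITERS = {"10.0.1.10"}

@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request: 7-byte MBAP header, then the PDU.
    Note there is no authentication field anywhere in the frame."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(src, tid, unit, frame[7], frame[8:])

def flag_unauthorized_writes(frames):
    """Return alert strings for write requests from hosts not on the allowlist."""
    alerts = []
    for src, frame in frames:
        req = parse_modbus_tcp(src, frame)
        if req.function in WRITE_FUNCTIONS and req.src not in ALLOWED_WRITERS:
            alerts.append(f"{src} -> unit {req.unit_id}: {WRITE_FUNCTIONS[req.function]} "
                          f"(fn {req.function}) tid={req.transaction_id}")
    return alerts

# Constructed sample traffic (not captured from any real system).
SAMPLE_FRAMES = [
    ("10.0.1.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # master reads 10 registers
    ("10.0.1.10", bytes.fromhex("0002 0000 0006 01 06 0010 1234")),  # master writes a register
    ("10.0.1.55", bytes.fromhex("0003 0000 0006 01 05 0001 ff00")),  # unknown host forces a coil ON
]

if __name__ == "__main__":
    for line in flag_unauthorized_writes(SAMPLE_FRAMES):
        print("ALERT:", line)
```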

As I finish typing this, the media is reporting an outage in Louisiana caused by a squirrel chewing through some electrical equipment, leaving thousands without power. While the squirrel wasn't part of an international cadre of elite hackers, the result was similar — the lights went out. And in the end, that's the part that everyone cares about, whether caused by rodents of unusual skill level or rogue hackers from across the globe.

We have a lot of work to do.

Cameron Camp is a researcher for global security provider ESET, and has played a critical role in growing the ESET North America Research Lab. Cameron has been building critical technology infrastructures for more than 20 years, beginning as an assembly language programmer in ... View Full Bio