Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:06 AM
Robert Hinden
Robert Hinden
Connect Directly

What IT Can Teach Utilities About Cybersecurity & Smart Grids

Protecting smart grids from cyber attack is a popular conversation in information security circles. But the threats are far worse than generally believed.

There is a perception within IT circles that cybersecurity threats against critical infrastructure like smart grids are a problem waiting to happen -- but not right away. The reality is much more dire. Last year alone, there were a number of sophisticated attacks, and they should offer a wakeup call for the power industry.

According to figures from Department of Homeland Security's Industrial Control Systems Computer Emergency Response Team (ICS-CERT), 41% of incidents reported and investigated by the agency last year were related to the energy industry.

Smart grids refer to the new IP networks being installed in the power grid, including substations, distribution and transmission networks, and smart meters. Utilities see a lot of advantages to smart grids, such as real-time measurement of power consumption, a better understanding of use patterns, and the ability to add and disconnect customers remotely. These improvements will generate electrical power more efficiently and in a way that better matches demand.

If the vulnerabilities and security concerns are not addressed, the consequences will be terrible. An attack against a corporation would be inconvenient for the company, and online identity theft can be troublesome to the victim, but a smart grid attack would impact more victims and have far-ranging effects. If a city lost power, hospitals would have to scramble to keep life-support systems on, traffic jams and accidents would occur because the traffic lights are out, and residents would be trapped in the dark.

A worldwide problem
Smart grids also represent the biggest upgrade to the electrical power infrastructure in many years. In the US alone, $3.4 billion of federal stimulus funds have already been for electric grid projects. The shift to these new networks is also a worldwide trend, making cyberattacks a global problem.

Smart Grid
Most enterprises standardize across operating systems, but with smart grids, it's not unusual to find Windows 95 machines running critical systems.
Most enterprises standardize across operating systems, but with smart grids, it's not unusual to find Windows 95 machines running critical systems.

The attackers are already knocking. Last year a denial of service attack knocked the internal communications system of a German power utility specializing in renewable energy offline. The supply of electricity to customers was unaffected, but it reportedly took a few days to repair and bring back the email server and other communications platforms.

The traditional thinking is that smart grids are isolated networks separated from the Internet (protected with a firewall or two) and require a VPN for remote access. But this kind of perimeter security, with a hard exterior and soft interior, is not close to being sufficient anymore.

The Internet is a big source of threats, but the ever-dependable USB stick is turning out to be a very common attack vector. Remember that Stuxnet, the cyberweapon that disabled the centrifuges at Iran's Natanz nuclear facility, was initially spread via infected USB sticks.

In fact, toward the end of 2012, ICS-CERT reported that the industrial control systems at a power generation facility (which it did not name) had been infected with "both common and sophisticated malware" by a tainted USB drive. ICS-CERT investigated another malware infection at a power company in October 2012, this time in the turbine control system. This infection was also caused by a USB drive. It impacted about 10 computers on the control system network and delayed the plant's reopening by three weeks.

That being said, completely isolating a smart grid network from the Internet is not sufficient to truly protect it.

Blame it on passwords
Not surprisingly, default passwords are also a problem for smart grid equipment. So long as the local administrator doesn't disable the default account or change the hard-coded default passwords, attackers have a backdoor into the system. The problem is widespread across vendors. Power equipment vendors have not learned the lessons learned elsewhere.

RuggedCom's Rugged Operating System, used in many industrial control systems, has a hard-coded RSA SSL private key. The Magnum MNS-6K Management Software from GarrettCom has an undocumented hard-coded password. Siemens, the undisputed giant in this space, shipped its Synco OZW devices with a default password protecting administrative functions.

No one really knows the extent of the current problem; there haven't been a lot of incidents of this nature reported to ICS-CERT. Energy companies and electrical equipment vendors are not security experts. They don't know how to deal with the kind of sophisticated threats and attacks enterprise IT teams routinely face.

Still, there are many lessons the power industry can learn from enterprise IT, including the value of implementing layers of security (such as antivirus, anti-malware, and anti-bot software) on each device and control system. Though prevailing opinion says critical power systems should never be on the Internet, putting these systems online is actually a good security step. The software can be automatically updated whenever new signatures or versions are available. Running old, outdated security software is not adequate.

Current approaches are not adequate
Most enterprises standardize across a handful of operating systems. In the energy industry, it's not unheard of for Windows 95 machines to run critical systems. IT administrators need to make a business case to replace these older, more vulnerable, and harder-to-remediate network and systems. Staff members needs to be trained to improve their security capabilities.

There are already a number of smart grid standards, such as NERC-CIP, a federal regulation to protect critical infrastructure; IEC 61850, which covers how to network infrastructure; and IEEE 1613, which outlines environmental requirements for IT equipment in substations. These standards identify areas where utilities need to improve.

Securing the smart grid is essential, but it won't be easy. The good news is the tools and resources are available for utilities to get the job done. Just ask a colleague in IT.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
User Rank: Apprentice
5/26/2016 | 3:36:15 AM
Great post awesome info 
User Rank: Apprentice
12/10/2013 | 6:39:22 PM
RBAC part of the solution
When it comes to default passwords, the asset owners need to pay more attention to specifying requirements for Role Based Access Control using Standards such as IEEE 1686.

As far as Ruggedcom is concerened I believe that default password cyber security issues were addressed quite some time ago (12 months + ?) which seems to be a responsible approach.  Not sure what benefit there is in raising an old resolved issue against a select vendor - FUD??

Once decent RBAC is implemeneted by the asset owner, it is then about how do they manage that access to the devices with large numbers of users and large numbers of devices so solutions like the Siemens Ruggedcom Crossbow system comes into play controlling and recording all activity.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
12/6/2013 | 1:53:18 PM
Re: IoT & Smart Grids
Kristopher Ardis, executive director of Energy Solutions for Maxim Integrated, offers some additional perspective in a recent article in SmartGrid News, Smart grid, the Internet of Things and Security, an inside look . Focusing on the similarities between smart grids and IoT, Ardis says smart grid deployments offer several reasons why "security must be designed in from the start" of any IoT deployment, among them:
  • A multitude of remote, distributed sensors and control devices are deployed Iin IoT where they will not be supervised. Unlike an ATM with a security camera nearby, there is no oversight on a smart meter. This makes it easy for an attacker to acquire devices for study.
  • There are risks with machine-to-machine communication. When devices are communicating with each other with little human interaction, tampering may be difficult to detect until something catastrophic happens.

Interesting analogy and food for thought! Anyone agree or disagree?




[email protected],
User Rank: Apprentice
12/6/2013 | 12:19:51 AM
Re: Win 95
Why is Windows ANYTHING running these systems???
User Rank: Strategist
12/4/2013 | 2:00:03 PM
Win 95
I'm not shocked to hear utilities using Windows 95 in critical grid machinery. I was discussing Internet of things strategy with a manufacturing CIO, and he said this is one thing that holds them back -- they have Windows versions much older than 95 running machines, and they don't dare put those on a network.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
12/3/2013 | 9:19:13 AM
Re: A frightening thought!
Totally agree, Stratusician, that these power grid vulnerabilities are really scary. One of the most frightening revelations in the article was that Windows 95 machines still run many critical systems.
User Rank: Moderator
12/2/2013 | 7:35:59 PM
A frightening thought!
What a great wake-up call to one of the lesser known, yet potentially more critical, threats due to the age of cloud and internet.  As the Internet of Things and the push to connect infrastructure to the cloud increases, it's frightening to think of the risk of devastation it brings.  In the worst case, when you consider electronic warfare, these systems could have devastating outcomes.  After all, to think that all nuclear missle launch codes were set to 00000 for the longest time, and the weakness of password security, this is truly a recipe for disaster.  Unfortunately, only a forced revamp of security controls for these systems will help reduce the risks from these threats.
User Rank: Apprentice
11/27/2013 | 3:37:10 PM
External Threats
I found this to be a very insightful article and there is a lot to take away from it. It seems more and more utilities are moving to offline air gaped enviornments to avoid any interaction with the oustide world. Still, the question remains, how do you validate the integrity of files that would enter such a utility via USB from a contractor/vendor/employee, etc?

I would encourage you to read how OPSWAT Security Applications allow you to design security controls which dictate which and what kinds of media and file types are allowed into critical infrastrucute.
Chuck Brooks
Chuck Brooks,
User Rank: Apprentice
11/27/2013 | 10:36:54 AM
Thanks Robert for an excellent article. Our utilities and smart grids are indeed vulnerable and are under attacked more than we are aware. Thankfully, DHS, NIST, and the not-for-profit Council on Cybersecurity have identified this issue of critical infrastrucutre protection as an urgent priority.
Susan Fogarty
Susan Fogarty,
User Rank: Apprentice
11/27/2013 | 9:22:29 AM
Re: Another security threat to keep us up at night
Marilyn, I agree. This is one of those topics that I am surprised doesn't get more attention. Especially now that energy companies are using remote monitoring to measure customer consumption, their networks have become very dispersed. Bob, do you see utilities making moves to hire more people with IT and security backgrounds to help beef up their security postures?
Page 1 / 2   >   >>
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-15
Wfilter ICF 5.0.117 contains a cross-site scripting (XSS) vulnerability. An attacker in the same LAN can craft a packet with a malicious User-Agent header to inject a payload in its logs, where an attacker can take over the system by through its plugin-running function.
PUBLISHED: 2021-04-15
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details.
PUBLISHED: 2021-04-15
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
PUBLISHED: 2021-04-15
LightCMS v1.3.5 contains a remote code execution vulnerability in /app/Http/Controllers/Admin/NEditorController.php during the downloading of external images.
PUBLISHED: 2021-04-15
An authentication flaw was found in ceph in versions before 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associa...