Dark Reading is part of the Informa Tech Division of Informa PLC


11/26/2013
08:06 AM
Robert Hinden
Commentary

What IT Can Teach Utilities About Cybersecurity & Smart Grids

Protecting smart grids from cyber attack is a popular conversation in information security circles. But the threats are far worse than generally believed.

There is a perception within IT circles that cybersecurity threats against critical infrastructure like smart grids are a problem waiting to happen -- but not right away. The reality is much more dire. Last year alone, there were a number of sophisticated attacks, and they should offer a wakeup call for the power industry.

According to figures from the Department of Homeland Security's Industrial Control Systems Computer Emergency Response Team (ICS-CERT), 41% of incidents reported and investigated by the agency last year were related to the energy industry.

Smart grids refer to the new IP networks being installed in the power grid, including substations, distribution and transmission networks, and smart meters. Utilities see a lot of advantages to smart grids, such as real-time measurement of power consumption, a better understanding of use patterns, and the ability to add and disconnect customers remotely. These improvements will generate electrical power more efficiently and in a way that better matches demand.

If the vulnerabilities and security concerns are not addressed, the consequences will be terrible. An attack against a corporation would be inconvenient for the company, and online identity theft can be troublesome to the victim, but a smart grid attack would impact more victims and have far-ranging effects. If a city lost power, hospitals would have to scramble to keep life-support systems on, traffic jams and accidents would occur because the traffic lights are out, and residents would be trapped in the dark.

A worldwide problem
Smart grids also represent the biggest upgrade to the electrical power infrastructure in many years. In the US alone, $3.4 billion of federal stimulus funds have already been for electric grid projects. The shift to these new networks is also a worldwide trend, making cyberattacks a global problem.

Most enterprises standardize across operating systems, but with smart grids, it's not unusual to find Windows 95 machines running critical systems.

The attackers are already knocking. Last year a denial of service attack knocked the internal communications system of a German power utility specializing in renewable energy offline. The supply of electricity to customers was unaffected, but it reportedly took a few days to repair and bring back the email server and other communications platforms.

The traditional thinking is that smart grids are isolated networks separated from the Internet (protected with a firewall or two) and require a VPN for remote access. But this kind of perimeter security, with a hard exterior and soft interior, is not close to being sufficient anymore.

The Internet is a big source of threats, but the ever-dependable USB stick is turning out to be a very common attack vector. Remember that Stuxnet, the cyberweapon that disabled the centrifuges at Iran's Natanz nuclear facility, was initially spread via infected USB sticks.

In fact, toward the end of 2012, ICS-CERT reported that the industrial control systems at a power generation facility (which it did not name) had been infected with "both common and sophisticated malware" by a tainted USB drive. ICS-CERT investigated another malware infection at a power company in October 2012, this time in the turbine control system. This infection was also caused by a USB drive. It impacted about 10 computers on the control system network and delayed the plant's reopening by three weeks.

That being said, completely isolating a smart grid network from the Internet is not sufficient to truly protect it.

Blame it on passwords
Not surprisingly, default passwords are also a problem for smart grid equipment. So long as the local administrator doesn't disable the default account or change the hard-coded default passwords, attackers have a backdoor into the system. The problem is widespread across vendors. Power equipment vendors have not learned the lessons learned elsewhere.

RuggedCom's Rugged Operating System, used in many industrial control systems, has a hard-coded RSA SSL private key. The Magnum MNS-6K Management Software from GarrettCom has an undocumented hard-coded password. Siemens, the undisputed giant in this space, shipped its Synco OZW devices with a default password protecting administrative functions.

No one really knows the extent of the current problem; there haven't been a lot of incidents of this nature reported to ICS-CERT. Energy companies and electrical equipment vendors are not security experts. They don't know how to deal with the kind of sophisticated threats and attacks enterprise IT teams routinely face.

Still, there are many lessons the power industry can learn from enterprise IT, including the value of implementing layers of security (such as antivirus, anti-malware, and anti-bot software) on each device and control system. Though prevailing opinion says critical power systems should never be on the Internet, putting these systems online is actually a good security step. The software can be automatically updated whenever new signatures or versions are available. Running old, outdated security software is not adequate.

Current approaches are not adequate
Most enterprises standardize across a handful of operating systems. In the energy industry, it's not unheard of for Windows 95 machines to run critical systems. IT administrators need to make a business case to replace these older, more vulnerable, and harder-to-remediate networks and systems. Staff members need to be trained to improve their security capabilities.

There are already a number of smart grid standards, such as NERC-CIP, a federal regulation to protect critical infrastructure; IEC 61850, which covers how to network infrastructure; and IEEE 1613, which outlines environmental requirements for IT equipment in substations. These standards identify areas where utilities need to improve.

Securing the smart grid is essential, but it won't be easy. The good news is the tools and resources are available for utilities to get the job done. Just ask a colleague in IT.

Comments
Marilyn Cohodas,
User Rank: Strategist
11/26/2013 | 3:31:50 PM
Another security threat to keep us up at night
This is a fascinating article that opens up a whole new set of security concerns. Your example of the denial of service attack last year that knocked out the internal communications system of a German power utility is a striking example about how vulnerable industrial control and energy systems are. As the Internet of Things expands, it's only going to get worse. Thanks for raising the red flag, Bob.
Susan Fogarty,
User Rank: Apprentice
11/27/2013 | 9:22:29 AM
Re: Another security threat to keep us up at night
Marilyn, I agree. This is one of those topics that I am surprised doesn't get more attention. Especially now that energy companies are using remote monitoring to measure customer consumption, their networks have become very dispersed. Bob, do you see utilities making moves to hire more people with IT and security backgrounds to help beef up their security postures?
Chuck Brooks,
User Rank: Apprentice
11/27/2013 | 10:36:54 AM
Cybersecurity/smartgrids
Thanks Robert for an excellent article. Our utilities and smart grids are indeed vulnerable and are under attack more than we are aware. Thankfully, DHS, NIST, and the not-for-profit Council on Cybersecurity have identified this issue of critical infrastructure protection as an urgent priority.
Bswarthout49,
User Rank: Apprentice
11/27/2013 | 3:37:10 PM
External Threats
I found this to be a very insightful article and there is a lot to take away from it. It seems more and more utilities are moving to offline air-gapped environments to avoid any interaction with the outside world. Still, the question remains, how do you validate the integrity of files that would enter such a utility via USB from a contractor/vendor/employee, etc?

I would encourage you to read how OPSWAT Security Applications allow you to design security controls which dictate which and what kinds of media and file types are allowed into critical infrastructure.
Stratustician,
User Rank: Moderator
12/2/2013 | 7:35:59 PM
A frightening thought!
What a great wake-up call to one of the lesser known, yet potentially more critical, threats due to the age of cloud and internet. As the Internet of Things and the push to connect infrastructure to the cloud increases, it's frightening to think of the risk of devastation it brings. In the worst case, when you consider electronic warfare, these systems could have devastating outcomes. After all, to think that all nuclear missile launch codes were set to 00000 for the longest time, and the weakness of password security, this is truly a recipe for disaster. Unfortunately, only a forced revamp of security controls for these systems will help reduce the risks from these threats.
Marilyn Cohodas,
User Rank: Strategist
12/3/2013 | 9:19:13 AM
Re: A frightening thought!
Totally agree, Stratustician, that these power grid vulnerabilities are really scary. One of the most frightening revelations in the article was that Windows 95 machines still run many critical systems.
ChrisMurphy,
User Rank: Strategist
12/4/2013 | 2:00:03 PM
Win 95
I'm not shocked to hear utilities using Windows 95 in critical grid machinery. I was discussing Internet of things strategy with a manufacturing CIO, and he said this is one thing that holds them back -- they have Windows versions much older than 95 running machines, and they don't dare put those on a network.
[email protected],
User Rank: Apprentice
12/6/2013 | 12:19:51 AM
Re: Win 95
Why is Windows ANYTHING running these systems???
Marilyn Cohodas,
User Rank: Strategist
12/6/2013 | 1:53:18 PM
Re: IoT & Smart Grids
Kristopher Ardis, executive director of Energy Solutions for Maxim Integrated, offers some additional perspective in a recent article in SmartGrid News, "Smart grid, the Internet of Things and Security, an inside look." Focusing on the similarities between smart grids and IoT, Ardis says smart grid deployments offer several reasons why "security must be designed in from the start" of any IoT deployment, among them:
  • A multitude of remote, distributed sensors and control devices are deployed in IoT where they will not be supervised. Unlike an ATM with a security camera nearby, there is no oversight on a smart meter. This makes it easy for an attacker to acquire devices for study.
  • There are risks with machine-to-machine communication. When devices are communicating with each other with little human interaction, tampering may be difficult to detect until something catastrophic happens.

Interesting analogy and food for thought! Anyone agree or disagree?
RodneyH403,
User Rank: Apprentice
12/10/2013 | 6:39:22 PM
RBAC part of the solution
When it comes to default passwords, the asset owners need to pay more attention to specifying requirements for Role Based Access Control using Standards such as IEEE 1686.

As far as Ruggedcom is concerned I believe that default password cyber security issues were addressed quite some time ago (12 months + ?) which seems to be a responsible approach. Not sure what benefit there is in raising an old resolved issue against a select vendor - FUD??

Once decent RBAC is implemented by the asset owner, it is then about how do they manage that access to the devices with large numbers of users and large numbers of devices so solutions like the Siemens Ruggedcom Crossbow system come into play controlling and recording all activity.