Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/26/2013
08:06 AM
Robert Hinden
Robert Hinden
Commentary
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

What IT Can Teach Utilities About Cybersecurity & Smart Grids

Protecting smart grids from cyber attack is a popular conversation in information security circles. But the threats are far worse than generally believed.

There is a perception within IT circles that cybersecurity threats against critical infrastructure like smart grids are a problem waiting to happen -- but not right away. The reality is much more dire. Last year alone, there were a number of sophisticated attacks, and they should offer a wakeup call for the power industry.

According to figures from Department of Homeland Security's Industrial Control Systems Computer Emergency Response Team (ICS-CERT), 41% of incidents reported and investigated by the agency last year were related to the energy industry.

Smart grids refer to the new IP networks being installed in the power grid, including substations, distribution and transmission networks, and smart meters. Utilities see a lot of advantages to smart grids, such as real-time measurement of power consumption, a better understanding of use patterns, and the ability to add and disconnect customers remotely. These improvements will generate electrical power more efficiently and in a way that better matches demand.

If the vulnerabilities and security concerns are not addressed, the consequences will be terrible. An attack against a corporation would be inconvenient for the company, and online identity theft can be troublesome to the victim, but a smart grid attack would impact more victims and have far-ranging effects. If a city lost power, hospitals would have to scramble to keep life-support systems on, traffic jams and accidents would occur because the traffic lights are out, and residents would be trapped in the dark.

A worldwide problem
Smart grids also represent the biggest upgrade to the electrical power infrastructure in many years. In the US alone, $3.4 billion of federal stimulus funds have already been for electric grid projects. The shift to these new networks is also a worldwide trend, making cyberattacks a global problem.

Smart Grid
Most enterprises standardize across operating systems, but with smart grids, it's not unusual to find Windows 95 machines running critical systems.
Most enterprises standardize across operating systems, but with smart grids, it's not unusual to find Windows 95 machines running critical systems.

The attackers are already knocking. Last year a denial of service attack knocked the internal communications system of a German power utility specializing in renewable energy offline. The supply of electricity to customers was unaffected, but it reportedly took a few days to repair and bring back the email server and other communications platforms.

The traditional thinking is that smart grids are isolated networks separated from the Internet (protected with a firewall or two) and require a VPN for remote access. But this kind of perimeter security, with a hard exterior and soft interior, is not close to being sufficient anymore.

The Internet is a big source of threats, but the ever-dependable USB stick is turning out to be a very common attack vector. Remember that Stuxnet, the cyberweapon that disabled the centrifuges at Iran's Natanz nuclear facility, was initially spread via infected USB sticks.

In fact, toward the end of 2012, ICS-CERT reported that the industrial control systems at a power generation facility (which it did not name) had been infected with "both common and sophisticated malware" by a tainted USB drive. ICS-CERT investigated another malware infection at a power company in October 2012, this time in the turbine control system. This infection was also caused by a USB drive. It impacted about 10 computers on the control system network and delayed the plant's reopening by three weeks.

That being said, completely isolating a smart grid network from the Internet is not sufficient to truly protect it.

Blame it on passwords
Not surprisingly, default passwords are also a problem for smart grid equipment. So long as the local administrator doesn't disable the default account or change the hard-coded default passwords, attackers have a backdoor into the system. The problem is widespread across vendors. Power equipment vendors have not learned the lessons learned elsewhere.

RuggedCom's Rugged Operating System, used in many industrial control systems, has a hard-coded RSA SSL private key. The Magnum MNS-6K Management Software from GarrettCom has an undocumented hard-coded password. Siemens, the undisputed giant in this space, shipped its Synco OZW devices with a default password protecting administrative functions.

No one really knows the extent of the current problem; there haven't been a lot of incidents of this nature reported to ICS-CERT. Energy companies and electrical equipment vendors are not security experts. They don't know how to deal with the kind of sophisticated threats and attacks enterprise IT teams routinely face.

Still, there are many lessons the power industry can learn from enterprise IT, including the value of implementing layers of security (such as antivirus, anti-malware, and anti-bot software) on each device and control system. Though prevailing opinion says critical power systems should never be on the Internet, putting these systems online is actually a good security step. The software can be automatically updated whenever new signatures or versions are available. Running old, outdated security software is not adequate.

Current approaches are not adequate
Most enterprises standardize across a handful of operating systems. In the energy industry, it's not unheard of for Windows 95 machines to run critical systems. IT administrators need to make a business case to replace these older, more vulnerable, and harder-to-remediate network and systems. Staff members needs to be trained to improve their security capabilities.

There are already a number of smart grid standards, such as NERC-CIP, a federal regulation to protect critical infrastructure; IEC 61850, which covers how to network infrastructure; and IEEE 1613, which outlines environmental requirements for IT equipment in substations. These standards identify areas where utilities need to improve.

Securing the smart grid is essential, but it won't be easy. The good news is the tools and resources are available for utilities to get the job done. Just ask a colleague in IT.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/26/2013 | 3:31:50 PM
Another security threat to keep us up at night
This is a fascinating article that opens up a whole new set of security concerns. Your example of the denial of service attack last year that knocked out the internal communications system of a German power utility is striking example about how vulnerable industrial control and eneergy systems are. As the Internet of Things expands, it's only going to get worse. Thanks for raising the red flag, Bob. 
<<   <   Page 2 / 2
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5226
PUBLISHED: 2020-01-24
Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapp...
CVE-2019-1517
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1518
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1519
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1520
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.