There is a perception within IT circles that cybersecurity threats against critical infrastructure like smart grids are a problem waiting to happen -- but not right away. The reality is much more dire. Last year alone, there were a number of sophisticated attacks, and they should offer a wakeup call for the power industry.
According to figures from Department of Homeland Security's Industrial Control Systems Computer Emergency Response Team (ICS-CERT), 41% of incidents reported and investigated by the agency last year were related to the energy industry.
Smart grids refer to the new IP networks being installed in the power grid, including substations, distribution and transmission networks, and smart meters. Utilities see a lot of advantages to smart grids, such as real-time measurement of power consumption, a better understanding of use patterns, and the ability to add and disconnect customers remotely. These improvements will generate electrical power more efficiently and in a way that better matches demand.
If the vulnerabilities and security concerns are not addressed, the consequences will be terrible. An attack against a corporation would be inconvenient for the company, and online identity theft can be troublesome to the victim, but a smart grid attack would impact more victims and have far-ranging effects. If a city lost power, hospitals would have to scramble to keep life-support systems on, traffic jams and accidents would occur because the traffic lights are out, and residents would be trapped in the dark.
A worldwide problem
Smart grids also represent the biggest upgrade to the electrical power infrastructure in many years. In the US alone, $3.4 billion of federal stimulus funds have already been for electric grid projects. The shift to these new networks is also a worldwide trend, making cyberattacks a global problem.
The attackers are already knocking. Last year a denial of service attack knocked the internal communications system of a German power utility specializing in renewable energy offline. The supply of electricity to customers was unaffected, but it reportedly took a few days to repair and bring back the email server and other communications platforms.
The traditional thinking is that smart grids are isolated networks separated from the Internet (protected with a firewall or two) and require a VPN for remote access. But this kind of perimeter security, with a hard exterior and soft interior, is not close to being sufficient anymore.
The Internet is a big source of threats, but the ever-dependable USB stick is turning out to be a very common attack vector. Remember that Stuxnet, the cyberweapon that disabled the centrifuges at Iran's Natanz nuclear facility, was initially spread via infected USB sticks.
In fact, toward the end of 2012, ICS-CERT reported that the industrial control systems at a power generation facility (which it did not name) had been infected with "both common and sophisticated malware" by a tainted USB drive. ICS-CERT investigated another malware infection at a power company in October 2012, this time in the turbine control system. This infection was also caused by a USB drive. It impacted about 10 computers on the control system network and delayed the plant's reopening by three weeks.
That being said, completely isolating a smart grid network from the Internet is not sufficient to truly protect it.
Blame it on passwords
Not surprisingly, default passwords are also a problem for smart grid equipment. So long as the local administrator doesn't disable the default account or change the hard-coded default passwords, attackers have a backdoor into the system. The problem is widespread across vendors. Power equipment vendors have not learned the lessons learned elsewhere.
RuggedCom's Rugged Operating System, used in many industrial control systems, has a hard-coded RSA SSL private key. The Magnum MNS-6K Management Software from GarrettCom has an undocumented hard-coded password. Siemens, the undisputed giant in this space, shipped its Synco OZW devices with a default password protecting administrative functions.
No one really knows the extent of the current problem; there haven't been a lot of incidents of this nature reported to ICS-CERT. Energy companies and electrical equipment vendors are not security experts. They don't know how to deal with the kind of sophisticated threats and attacks enterprise IT teams routinely face.
Still, there are many lessons the power industry can learn from enterprise IT, including the value of implementing layers of security (such as antivirus, anti-malware, and anti-bot software) on each device and control system. Though prevailing opinion says critical power systems should never be on the Internet, putting these systems online is actually a good security step. The software can be automatically updated whenever new signatures or versions are available. Running old, outdated security software is not adequate.
Current approaches are not adequate
Most enterprises standardize across a handful of operating systems. In the energy industry, it's not unheard of for Windows 95 machines to run critical systems. IT administrators need to make a business case to replace these older, more vulnerable, and harder-to-remediate network and systems. Staff members needs to be trained to improve their security capabilities.
There are already a number of smart grid standards, such as NERC-CIP, a federal regulation to protect critical infrastructure; IEC 61850, which covers how to network infrastructure; and IEEE 1613, which outlines environmental requirements for IT equipment in substations. These standards identify areas where utilities need to improve.
Securing the smart grid is essential, but it won't be easy. The good news is the tools and resources are available for utilities to get the job done. Just ask a colleague in IT.