Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/2/2018
02:30 PM
Cameron Camp
Cameron Camp
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Power Grid Security: How Safe Are We?

Experiencing a power outage? It could have been caused by a hacker ... or just a squirrel chewing through some equipment. And that's a problem.

As I type this, parts of the Pacific Northwest are recovering from a power outage cascading across multiple towns. The cause? A contractor with a piece of heavy equipment severed a buried copper power line. The contractor is very sorry (and poorer), and we all now understand how secure we are against bulk power outages — digital or otherwise.

Digital technology is new for the power grid. Whereas in the computer security world, we focus on things such as system integrity or confidentiality as our primary goal, those are far from the top driver for the power grid folks. Here, the focus is system availability, where typical system uptimes are measured in decades. No one calls the power company to report that the grid is running smoothly, but have an outage and a flood of complaints pours in within seconds. This dynamic drives the lack of appetite for potentially vulnerable digital systems that could affect uptime.

It makes a certain kind of sense. After all, what if your computer was designed before the Internet existed, had to run for decades, cost millions, arrived on a train car, and required a crane to install? Would you upgrade when a new app came out because some guy in IT thought doing so "might" be a good idea? Not likely.

What about the personnel running the grid: Should they be anxious to install remote management software they don't totally understand because it "might" be better in some way? Again, not likely.

The amazing part is that the grid actually works, and for very long periods of time. But enter a new threat: foreign (or domestic) actors bent on crippling commerce, the ability to run hospitals, and provide transportation; and now you can understand the temptation to meddle digitally with the power grid, and the need to defend it all. And digital attacks are on the rise, as we recently investigated.

When we observe the progression of attacks against critical infrastructure, they start with large-scale reconnaissance, where would-be attackers assess the attack surface and build dossiers of weaknesses. While there may be some specific attacks against high-value targets, think of it largely as weapons stockpiling based on gathered intelligence.

In the few actual attacks seen to date, the hackers' next step has been to attempt some low-level attacks to judge the readiness of the adversary to detect and respond to an attack and the response time. After that, the more sophisticated attacks ramp up.

However, because potential attackers have their own goals and targets in mind, there's no such thing as a one-size-fits-all attack. But the security goal from the defenders' mindset is the same — to protect what matters.

I recently interviewed a security staff member working in the power sector, and he related a close call in which attackers almost succeeded in crippling a large power transformer supplying a major tech metropolitan area. The attack: taking out a critical bottleneck, unfortunately located right next to a major freeway — providing easy access, anonymity, and ease of egress.

The attack didn't succeed, but not for reasons you might expect. The attackers damaged a link from the transformer to the bulk transmission lines but didn't use quite enough force. The company's response was to replace parts and get the system back up and running, not necessarily to assess what other potentially crippling attack vectors might exist or to perform a comprehensive post-mortem investigation. If the attacker been more successful, it might have taken a month to replace some of the more specialized parts, had they failed.

Steps Forward
Recently, at a summit on Capitol Hill, I spoke during a collaborative event for private, public, legislative, and military personnel to discuss the way forward. While no single piece of that puzzle is a silver bullet, direction and budget from the Department of Energy, the National Institute of Standards and Technology, and others, along with industry technology can help.

Initiatives aimed at information sharing among electrical grid players are a positive step forward but are still hampered by barriers created by security clearance requirements. Also, participants need safe harbor initiatives to encourage sharing without fear of retribution. Technology solutions, however, such as supply chain integrity testing and multifactor authentication, are slowly moving forward.

Still, underlying it all is a people problem. The most senior folks (nearing retirement) — the ones with the experience to keep the power grid running — are reluctant to embrace digital security. After all, they're not going to get raises if they learn this new-fangled digital security thing (since they're at or near the top of the pay scale anyway), and they stand a chance of being punished for potential missteps.

Until digital natives who also have mastered the art of keeping the grid humming can begin to view the problems through a security lens, we will continue to see low-level hacks against important systems.

This is why the scammers don't even need elite technologists and zero-day exploits when they can gain access through ancient operating systems and operators who don't feel all that comfortable with technology.

Meanwhile, some grid equipment still runs Windows NT, where no security patches are even available. These systems have little or no authentication and run on horribly insecure protocols like Modbus. But the incentives to upgrade a $5 million generator to increase communication security are low.

As I finish typing this, the media is reporting an outage in Louisiana caused by a squirrel chewing through some electrical equipment, leaving thousands without power. While the squirrel wasn't part of an international cadre of elite hackers, the result was similar — the lights went out. And in the end, that's the part that everyone cares about, whether caused by rodents of unusual skill level or rogue hackers from across the globe.

We have a lot of work to do.

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info

Cameron Camp is a researcher for global security provider ESET, and has played a critical role in growing the ESET North America Research Lab. Cameron has been building critical technology infrastructures for more than 20 years, beginning as an assembly language programmer in ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8650
PUBLISHED: 2019-12-15
python-requests-Kerberos through 0.5 does not handle mutual authentication
CVE-2014-3536
PUBLISHED: 2019-12-15
CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration
CVE-2014-3643
PUBLISHED: 2019-12-15
jersey: XXE via parameter entities not disabled by the jersey SAX parser
CVE-2014-3652
PUBLISHED: 2019-12-15
JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.
CVE-2014-3699
PUBLISHED: 2019-12-15
eDeploy has RCE via cPickle deserialization of untrusted data