Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint

8/2/2018
02:30 PM
Cameron Camp
Commentary

Power Grid Security: How Safe Are We?

Experiencing a power outage? It could have been caused by a hacker ... or just a squirrel chewing through some equipment. And that's a problem.

As I type this, parts of the Pacific Northwest are recovering from a power outage cascading across multiple towns. The cause? A contractor with a piece of heavy equipment severed a buried copper power line. The contractor is very sorry (and poorer), and we all now understand how secure we are against bulk power outages — digital or otherwise.

Digital technology is new for the power grid. Whereas in the computer security world, we focus on things such as system integrity or confidentiality as our primary goal, those are far from the top driver for the power grid folks. Here, the focus is system availability, where typical system uptimes are measured in decades. No one calls the power company to report that the grid is running smoothly, but have an outage and a flood of complaints pours in within seconds. This dynamic drives the lack of appetite for potentially vulnerable digital systems that could affect uptime.

It makes a certain kind of sense. After all, what if your computer was designed before the Internet existed, had to run for decades, cost millions, arrived on a train car, and required a crane to install? Would you upgrade when a new app came out because some guy in IT thought doing so "might" be a good idea? Not likely.

What about the personnel running the grid: Should they be anxious to install remote management software they don't totally understand because it "might" be better in some way? Again, not likely.

The amazing part is that the grid actually works, and for very long periods of time. But enter a new threat: foreign (or domestic) actors bent on crippling commerce, hospitals, and transportation. Now you can understand the temptation to meddle digitally with the power grid, and the need to defend all of it. And digital attacks are on the rise, as we recently investigated.

When we observe the progression of attacks against critical infrastructure, they start with large-scale reconnaissance, where would-be attackers assess the attack surface and build dossiers of weaknesses. While there may be some specific attacks against high-value targets, think of it largely as weapons stockpiling based on gathered intelligence.

In the few actual attacks seen to date, the hackers' next step has been to attempt some low-level attacks to gauge whether, and how quickly, the target can detect and respond to an attack. After that, the more sophisticated attacks ramp up.

However, because potential attackers have their own goals and targets in mind, there's no such thing as a one-size-fits-all attack. But the security goal from the defenders' mindset is the same — to protect what matters.

I recently interviewed a security staff member working in the power sector, and he related a close call in which attackers almost succeeded in crippling a large power transformer supplying a major tech metropolitan area. The attack: taking out a critical bottleneck, unfortunately located right next to a major freeway — providing easy access, anonymity, and ease of egress.

The attack didn't succeed, but not for reasons you might expect. The attackers damaged a link from the transformer to the bulk transmission lines but didn't use quite enough force. The company's response was to replace parts and get the system back up and running, not necessarily to assess what other potentially crippling attack vectors might exist or to perform a comprehensive post-mortem investigation. Had the attackers been more successful, it might have taken a month to replace some of the more specialized parts.

Steps Forward
Recently, at a summit on Capitol Hill, I spoke during a collaborative event for private, public, legislative, and military personnel to discuss the way forward. While no single piece of that puzzle is a silver bullet, direction and budget from the Department of Energy, the National Institute of Standards and Technology, and others, along with industry technology can help.

Initiatives aimed at information sharing among electrical grid players are a positive step forward but are still hampered by barriers created by security clearance requirements. Also, participants need safe harbor initiatives to encourage sharing without fear of retribution. Technology solutions, however, such as supply chain integrity testing and multifactor authentication, are slowly moving forward.

Still, underlying it all is a people problem. The most senior folks (nearing retirement) — the ones with the experience to keep the power grid running — are reluctant to embrace digital security. After all, they're not going to get raises if they learn this new-fangled digital security thing (since they're at or near the top of the pay scale anyway), and they stand a chance of being punished for potential missteps.

Until digital natives who also have mastered the art of keeping the grid humming can begin to view the problems through a security lens, we will continue to see low-level hacks against important systems.

This is why the scammers don't even need elite technologists and zero-day exploits when they can gain access through ancient operating systems and operators who don't feel all that comfortable with technology.

Meanwhile, some grid equipment still runs Windows NT, for which no security patches are even available. These systems have little or no authentication and run on horribly insecure protocols like Modbus. But the incentives to upgrade a $5 million generator just to improve communication security are low.
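To make the "little or no authentication" point concrete, here is an added example (not from the article or from any vendor) that parses Modbus/TCP request frames and shows there is simply no field in the protocol that identifies or authenticates the sender: the MBAP header carries only a transaction ID, a protocol ID, a length and a unit ID, and then the function code. The compensating control it illustrates is a network-level one: a monitor that flags write function codes arriving from any host outside an allowlist of known engineering stations. The frames, IP addresses and the allowlist are constructed for the example; the MBAP layout and function-code numbers are the standard Modbus/TCP ones.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Standard Modbus function codes that change process state (write operations).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
# Standard read-only function codes, listed for labelling.
READ_FUNCTIONS = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}


@dataclass
class ModbusRequest:
    src_ip: str            # comes from the TCP layer, NOT from Modbus itself
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(src_ip: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP application data unit.

    MBAP header (7 bytes, big-endian): transaction id (2), protocol id (2, always 0),
    length (2, bytes that follow the length field), unit id (1). The function
    code is the first byte of the PDU. Nothing here names or authenticates the client.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    return ModbusRequest(src_ip, transaction_id, unit_id, frame[7], frame[8:])


def check_request(req: ModbusRequest, allowed_writers: set[str]) -> Optional[str]:
    """Return an alert string for a write from an unexpected host, else None."""
    if req.function_code in WRITE_FUNCTIONS and req.src_ip not in allowed_writers:
        return (f"ALERT: {WRITE_FUNCTIONS[req.function_code]} (fc {req.function_code}) "
                f"to unit {req.unit_id} from non-allowlisted host {req.src_ip}")
    return None


# Constructed sample traffic: (source IP, raw Modbus/TCP frame).
SAMPLE_TRAFFIC = [
    # HMI reads 10 holding registers starting at 0: harmless read.
    ("10.10.1.20", bytes.fromhex("00010000000601030000000a")),
    # Unknown host writes 0x00ff to register 0x0010: should be flagged.
    ("10.10.9.77", bytes.fromhex("0002000000060106001000ff")),
    # Engineering workstation writes two registers: allowlisted, not flagged.
    ("10.10.1.20", bytes.fromhex("00030000000b0110000000020400010002")),
]
# Constructed allowlist of hosts permitted to issue writes.
ALLOWED_WRITERS = {"10.10.1.20"}


def run_checks(traffic=SAMPLE_TRAFFIC, allowed_writers=ALLOWED_WRITERS) -> list[str]:
    """Parse every frame and collect alerts; malformed frames are reported too."""
    alerts = []
    for src_ip, frame in traffic:
        try:
            req = parse_modbus_tcp(src_ip, frame)
        except ValueError as exc:
            alerts.append(f"ALERT: malformed frame from {src_ip}: {exc}")
            continue
        alert = check_request(req, allowed_writers)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_checks():
        print(line)
```

Because the source address is the only thing the monitor can key on, this is a detection control rather than an authentication one: a host on the same segment can still issue writes, which is exactly why segmenting these networks matters until the equipment itself can be replaced.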

As I finish typing this, the media is reporting an outage in Louisiana caused by a squirrel chewing through some electrical equipment, leaving thousands without power. While the squirrel wasn't part of an international cadre of elite hackers, the result was similar — the lights went out. And in the end, that's the part that everyone cares about, whether caused by rodents of unusual skill level or rogue hackers from across the globe.

We have a lot of work to do.

Cameron Camp is a researcher for global security provider ESET, and has played a critical role in growing the ESET North America Research Lab. Cameron has been building critical technology infrastructures for more than 20 years, beginning as an assembly language programmer in ... View Full Bio