
Endpoint | Commentary
8/2/2018 02:30 PM
Cameron Camp

Power Grid Security: How Safe Are We?

Experiencing a power outage? It could have been caused by a hacker ... or just a squirrel chewing through some equipment. And that's a problem.

As I type this, parts of the Pacific Northwest are recovering from a power outage cascading across multiple towns. The cause? A contractor with a piece of heavy equipment severed a buried copper power line. The contractor is very sorry (and poorer), and we all now understand how secure we are against bulk power outages — digital or otherwise.

Digital technology is new for the power grid. Whereas in the computer security world, we focus on things such as system integrity or confidentiality as our primary goal, those are far from the top driver for the power grid folks. Here, the focus is system availability, where typical system uptimes are measured in decades. No one calls the power company to report that the grid is running smoothly, but have an outage and a flood of complaints pours in within seconds. This dynamic drives the lack of appetite for potentially vulnerable digital systems that could affect uptime.

It makes a certain kind of sense. After all, what if your computer was designed before the Internet existed, had to run for decades, cost millions, arrived on a train car, and required a crane to install? Would you upgrade when a new app came out because some guy in IT thought doing so "might" be a good idea? Not likely.

What about the personnel running the grid: Should they be anxious to install remote management software they don't totally understand because it "might" be better in some way? Again, not likely.

The amazing part is that the grid actually works, and for very long periods of time. But enter a new threat: foreign (or domestic) actors bent on crippling commerce, hospitals, and transportation, and you can understand both the temptation to meddle digitally with the power grid and the need to defend it all. And digital attacks are on the rise, as we recently investigated.

When we observe the progression of attacks against critical infrastructure, they start with large-scale reconnaissance, where would-be attackers assess the attack surface and build dossiers of weaknesses. While there may be some specific attacks against high-value targets, think of it largely as weapons stockpiling based on gathered intelligence.

In the few actual attacks seen to date, the hackers' next step has been to attempt some low-level attacks to gauge how ready the defender is to detect and respond, and how quickly. After that, the more sophisticated attacks ramp up.

However, because potential attackers have their own goals and targets in mind, there's no such thing as a one-size-fits-all attack. But the security goal from the defenders' mindset is the same — to protect what matters.

I recently interviewed a security staff member working in the power sector, and he related a close call in which attackers almost succeeded in crippling a large power transformer supplying a major tech metropolitan area. The attack: taking out a critical bottleneck, unfortunately located right next to a major freeway — providing easy access, anonymity, and ease of egress.

The attack didn't succeed, but not for reasons you might expect. The attackers damaged a link from the transformer to the bulk transmission lines but didn't use quite enough force. The company's response was to replace parts and get the system back up and running, not necessarily to assess what other potentially crippling attack vectors might exist or to perform a comprehensive post-mortem investigation. Had the attackers been more successful and the specialized parts failed, it might have taken a month to replace them.

Steps Forward
Recently, at a summit on Capitol Hill, I spoke during a collaborative event for private, public, legislative, and military personnel to discuss the way forward. While no single piece of that puzzle is a silver bullet, direction and budget from the Department of Energy, the National Institute of Standards and Technology, and others, along with industry technology can help.

Initiatives aimed at information sharing among electrical grid players are a positive step forward but are still hampered by barriers created by security clearance requirements. Also, participants need safe harbor initiatives to encourage sharing without fear of retribution. Technology solutions, however, such as supply chain integrity testing and multifactor authentication, are slowly moving forward.

Still, underlying it all is a people problem. The most senior folks (nearing retirement) — the ones with the experience to keep the power grid running — are reluctant to embrace digital security. After all, they're not going to get raises if they learn this new-fangled digital security thing (since they're at or near the top of the pay scale anyway), and they stand a chance of being punished for potential missteps.

Until digital natives who also have mastered the art of keeping the grid humming can begin to view the problems through a security lens, we will continue to see low-level hacks against important systems.

This is why the scammers don't even need elite technologists and zero-day exploits when they can gain access through ancient operating systems and operators who don't feel all that comfortable with technology.

Meanwhile, some grid equipment still runs Windows NT, where no security patches are even available. These systems have little or no authentication and run on horribly insecure protocols like Modbus. But the incentives to upgrade a $5 million generator to increase communication security are low.
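As an added illustration (not from the original article), here is a small Python monitor for the Modbus weakness just described: a Modbus/TCP frame carries no authentication, so the only thing a defender can tie a write command to is the source address it arrived from. The packets and the allowlisted master address below are constructed for the example.

```python
import struct
from typing import NamedTuple

# Modbus function codes that change process state. Nothing in the protocol
# proves who sent them; the sender's IP address is the only identity available.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical allowlist: the one HMI/SCADA master that should issue writes.
AUTHORIZED_MASTERS = {"10.0.1.10"}


class ModbusRequest(NamedTuple):
    transaction_id: int
    unit_id: int
    function: int
    address: int


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code and starting address."""
    if len(frame) < 10:
        raise ValueError("frame too short for MBAP header + function + address")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    # MBAP length counts every byte after the length field (unit id + PDU).
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    function = frame[7]
    address = struct.unpack(">H", frame[8:10])[0]
    return ModbusRequest(tid, unit, function, address)


def flag_unauthorized_writes(packets):
    """packets: iterable of (src_ip, raw_frame). Returns one alert per rogue write."""
    alerts = []
    for src, frame in packets:
        req = parse_modbus_tcp(frame)
        if req.function in WRITE_FUNCTIONS and src not in AUTHORIZED_MASTERS:
            alerts.append(f"{src} -> unit {req.unit_id}: "
                          f"{WRITE_FUNCTIONS[req.function]} at address {req.address}")
    return alerts


# Constructed traffic: a legitimate read and write from the master, then two
# writes from hosts that were never supposed to talk to the PLC at all.
SAMPLE_PACKETS = [
    ("10.0.1.10",    b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),   # read holding regs
    ("10.0.1.10",    b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),   # write single reg
    ("10.0.9.77",    b"\x00\x03\x00\x00\x00\x06\x01\x05\x00\x04\xff\x00"),   # coil 4 ON
    ("192.168.50.3", b"\x00\x04\x00\x00\x00\x09\x01\x10\x00\x10\x00\x01\x02\x00\x00"),  # multi-reg write
]


def scan_sample():
    return flag_unauthorized_writes(SAMPLE_PACKETS)
```

In a real deployment the frames would come from a span port or pcap rather than a literal list, and the allowlist from the asset inventory.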

As I finish typing this, the media is reporting an outage in Louisiana caused by a squirrel chewing through some electrical equipment, leaving thousands without power. While the squirrel wasn't part of an international cadre of elite hackers, the result was similar — the lights went out. And in the end, that's the part that everyone cares about, whether caused by rodents of unusual skill level or rogue hackers from across the globe.

We have a lot of work to do.

Cameron Camp is a researcher for global security provider ESET, and has played a critical role in growing the ESET North America Research Lab. Cameron has been building critical technology infrastructures for more than 20 years, beginning as an assembly language programmer in ...