Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/7/2016
09:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Project 'Gridstrike' Finds Substations To Hit For A US Power Grid Blackout

Turns out free and publicly available information can be used to determine the most critical electric substations in the US, which if attacked, could result in a nationwide blackout.

Remember that million-dollar Federal Energy Regulatory Commission (FERC) study in 2013 that found that attacks on just nine electric substations in the US could cause a blackout across the entire grid? Well, a group of researchers decided to see just what it would take for a small group of domestic terrorists to identify the US's most critical substations -- using only free and public sources of information.

While FERC relied on confidential and private information in its shocking report and spent a whopping $1 million in research, researchers at iSIGHT Partners used only so-called open-source intelligence, at a cost of just $15,000 total for 250 man-hours by their estimates. The Wall Street Journal, which obtained and first reported on the confidential FERC report, never publicly revealed the crucial substations ID'ed by FERC for obvious reasons, nor does iSIGHT plan to disclose publicly the ones it found.

Sean McBride, lead analyst for critical infrastructure at iSIGHT, says the goal of his team's so-called "Gridstrike" project was to determine how a small local-grown terror group could sniff out the key substations to target if it were looking to cause a power blackout -- either via physical means, a cyberattack, or a combination of the two. "How would an adversary go about striking at the grid?" McBride said in an interview with Dark Reading. He will speak publicly for the first time about the Gridstrike research next week at the S4x2016 ICS/SCADA conference in Miami.

The iSIGHT researchers drew from a combination of publicly available transmission substation information, maps, Google Earth, and grid congestion documentation, and drew correlations among the substations that serve the top ten cities in the US. They then were able to come up with 15 substations that serve as the backbone for much of the electric grid: knocking out those substations would result in a nationwide blackout, they say.

FERC's report had concluded that the US could suffer a nationwide blackout if nine of the nation's 55,000 electric transmission substations were shut down by attackers.

"We looked at maps and tried to … identify [power] generation facilities, and looked up both centers and what substations are in the middle that would make high-value targets," for example, McBride says. "We tried to identify which substations have the highest number of transmission lines coming in and out," as well, and weighed their significance.

The researchers shared the findings from Gridstrike with their customers as well as "organizations most interested from a defense perspective" to such attacks, says McBride, who declined to provide any further details on the specific organizations.

"We were extremely concerned about the amount of publicly available information" on the critical substations, McBride says. There were several documents available publicly that should not have been: in some cases, a sensitive document was sitting on an organization's public website even though it specified that the report was not for public consumption.

The hope is that the findings will alert critical infrastructure and other organizations with ties to the power grid that understanding how an adversary thinks can help shore up defenses, McBride says. "They need to manage their recon exposure."

What does all of this mean for the US power grid's actual vulnerability to a physical or cyber-physical attack? McBride says the openly available intel is "reason for concern." He says he worries more about the possibility of a regional, localized, grid attack targeting a city or area, than a nationwide attack.

As for the recent power blackout in the Ukraine that appears to have been due in part to a cyberattack, McBride says he'd be surprised if the attackers didn't gather some of their reconnaissance via open source intelligence.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Brian.365
50%
50%
Brian.365,
User Rank: Apprentice
1/11/2016 | 7:32:23 PM
Probably much more vulnerability out there....
Years back, I did an interesting study on a theoretical terrorist attack to San Onofre Generating Station in Southern California, before new units of the nuclear power plant came on line. I got all the info I needed from the public library and the Environmental Impact Report. Although it is now in the process of decommissioning, back in 1980's it appeared to be very vulnerable to sabotage and terrorism.  The ocean intake cooling tubes were wide open and could easily be compromised. Without adequate cooling water the plant would have been toast. My only credentials to do such a study is that I was a commercial diver a few years prior.
Leati
50%
50%
Leati,
User Rank: Apprentice
1/11/2016 | 4:35:48 PM
Re: Correction?
No, it's okay
sbarry71
50%
50%
sbarry71,
User Rank: Apprentice
1/7/2016 | 4:08:43 PM
Correction?
"He will speak publicly for the first time about the Gridstrike research next week at the S4x2016 ICS/SCADA conference in Miami."

 

Pretty sure I attended a webinar about the report January 13th of 2015.
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1619
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session ...
CVE-2019-1620
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could ex...
CVE-2019-1621
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device. The vulnerability is due to incorrect permissions settings on affected DCNM software. An attacker...
CVE-2019-1622
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software...
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.