
Illuminating Issues of Grid Cybersecurity

By Joseph Abrenio


About the Author

Joseph Abrenio serves as Vice President of Commercial Services for Delta Risk LLC, where he advises clients in multiple commercial industries, including healthcare, legal, insurance, and retail, on cyber risk mitigation and management. Mr. Abrenio develops and manages enterprise cyber risk assessments and facilitates cyber breach exercises focusing on incident response preparedness for commercial clients. Prior to joining Delta Risk, Mr. Abrenio was a partner in Le Clair Ryan’s Intellectual Property and Technology Group, heading the Firm’s Data Privacy and Security practice. In addition to his duties at Delta Risk, Mr. Abrenio serves as the President of the Midwest Cybersecurity Alliance.



Introduction

Ongoing cyber-attacks are the new normal. Whether they are the work of politically or criminally motivated individuals, or the coordinated efforts of nation-state actors, our nation’s critical assets will continue to be bombarded by digital attacks. Those protecting our critical infrastructure must stay vigilant against the ever-evolving cyber threats to the industry.

Many of these threats have to do with the fact that power grids throughout the country are now connected online. New digital technologies increase the efficiency and ease of use of power and electrical grids. However, these smart technologies are in many respects the grids’ greatest weaknesses. If an adversary is able to successfully exploit such weaknesses, a compromised power grid has great potential to disrupt the daily lives of millions of Americans, cause billions of dollars in economic damage, create mass disruptions at hospitals and healthcare centers, and significantly challenge national security.

Attacks on critical infrastructure (such as power grids) threaten significant short-term chaos and long-term economic damage across the nation. Such an attack could even be seen as an act of war, a modern-day cyber Pearl Harbor.¹

Threats to the Grid

Because a majority of critical infrastructure facilities rely on networked technologies, they are susceptible to attack and intrusion by malicious actors from around the world. The same connectivity that allows remote access to critical systems and devices can be used to disrupt operations, and even to cause physical damage to equipment.² Disabling one of the power grids (there are three large interconnected systems that transport electricity across the country), even in an otherwise distinct section of the country, would have vast consequences, because these grids share interconnections with one another.³ If the grids are compromised, basic communications such as telephones, cell towers, and cable lines could also be disrupted and go offline.

In essence, we would be flying blind without basic warning systems in place.

This scenario is not merely hypothetical. There have already been instances in which cyber-attacks have been used to compromise power grids and to disrupt communications ahead of physical invasions. The first cyber-attack officially recognized as the cause of a power outage occurred in December 2015 in Ukraine.⁴ Arguably attributable to a Russian hacking group, this attack left roughly 225,000 customers in the dark. It demonstrates the real risk of malicious cyber actors effectively flipping switches on the power grid, remotely. The outage did not last long, but it is easy to imagine the effects of an extended one.

A similar incident also occurred in the U.S. In the late summer of 2013, Iranian hackers were able to infiltrate the networks of a small dam just outside New York City.⁵ While this attack did not involve an electric grid per se, it does demonstrate that critical infrastructure facilities in the U.S. are also vulnerable.

More troubling is the possibility of such an attack preceding a physical invasion. Russia allegedly used DDoS attacks to disrupt network connections and websites in Georgia before invading in 2008.⁶ It is easy to see why a cyber-attack preceding a physical invasion is regarded as one of the most effective war strategies in the modern world.

These types of events are no longer restricted to the realm of science fiction movies.⁷

Regulations

To reduce the effects of the most damaging incidents, a unique set of regulations governs the critical infrastructure industry. The entire power industry is subject to mandatory cybersecurity standards pursuant to the Energy Policy Act of 2005.⁸ These cybersecurity standards (the Critical Infrastructure Protection, or CIP, standards) are developed by the North American Electric Reliability Corporation (NERC), and the Federal Energy Regulatory Commission (FERC) reviews and approves them. They cover a variety of issues, including identifying critical assets, personnel and training, incident reporting and response, and recovery planning.⁹ NERC audits the companies subject to its jurisdiction and has the ability to issue fines of up to $1 million per violation per day.¹⁰

Another area of regulation involves the sharing of threat information. A 2013 executive order (EO 13636) titled “Improving Critical Infrastructure Cybersecurity” directly addresses this area.¹¹ Its goal is to improve the sharing of threat information among both private and public sector actors.¹² As part of its operations, NERC issues alerts containing actionable information to relevant entities, and operates the Electricity Sector Information Sharing and Analysis Center (ES-ISAC). Other agencies that have oversight or advisory roles in the regulation of the power industry include the DOE, DHS, and NIST.

Best Practices
The regulatory framework, specifically the standards that NERC and FERC issue, describes the minimum organizations must do to achieve compliance. However, because threats change rapidly in the cybersecurity field, companies must do more than the minimum to stay resilient. To be more than merely compliant, organizations must implement the latest cybersecurity industry best practices and safeguards. Managing a company’s processes and people is integral to strong cybersecurity.

A major first step companies can take is to develop a sound cybersecurity policy. This policy should identify what assets a company has (that is, what attackers would be after), the methods available to attack those assets, and current defense capabilities. Once the current state of security is known, an organization can compare its practices with industry standards to see where it has gaps. The cybersecurity policy should then indicate how those gaps will be filled. Critically evaluating and planning a company’s defenses is imperative to creating an appropriate cybersecurity defense.

One of the technical measures companies can take is implementing multifactor authentication. This requires two or more independent factors before an account can be accessed: something the user knows (a username and password), something the user has (a physical token or smart card), and something the user is (biometric authentication). Because a stolen password alone no longer grants access, the measure matters most for privileged and remote-access accounts.

A related account security measure is to implement procedures that appropriately manage account access. By restricting each user to the least privilege needed for the role, and eliminating unnecessary accounts (such as those of past employees), an organization reduces both the risk of an account being compromised and the damage a compromised account can do, since the attacker inherits only the access the account legitimately holds.
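The two account measures above (multifactor authentication on privileged accounts, least privilege, and removal of accounts belonging to departed staff) are easy to state and easy to let drift. The following is an added example, not code from the original article or from Delta Risk: a small audit that reconciles a directory export against the HR roster and a role-to-group allow list, and flags orphaned, over-privileged, dormant, and MFA-less privileged accounts. The group names, roles, employee IDs and sample accounts are constructed for illustration.

```python
"""Account hygiene audit (added example, not from the original article).

Reconciles a directory export against the HR roster and a least-privilege
allow list, producing the findings an auditor would want to see.
All group names, roles and sample accounts below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Groups whose membership counts as privileged (constructed names).
PRIVILEGED_GROUPS = {"Domain Admins", "SCADA Operators", "Remote Access"}

# Least-privilege allow list: the only groups each role may hold.
ROLE_GROUPS = {
    "operator": {"SCADA Operators"},
    "engineer": {"Engineering"},
    "helpdesk": {"Helpdesk"},
    "service": {"Historian"},
}

DORMANT_DAYS = 90  # assumed review threshold


@dataclass
class Account:
    username: str
    owner: str            # HR employee id; "" for service accounts
    role: str
    groups: set[str]
    mfa_enrolled: bool
    last_logon: date | None


def audit_accounts(accounts, active_employee_ids, today):
    """Return (username, finding_kind, detail) tuples for every gap found."""
    findings = []
    for a in accounts:
        privileged = bool(a.groups & PRIVILEGED_GROUPS)

        # Accounts of past employees: owner no longer on the HR roster.
        if a.owner and a.owner not in active_employee_ids:
            findings.append((a.username, "orphaned",
                             "owner not on HR roster; disable account"))

        # Least privilege: groups beyond what the role is allowed.
        extra = a.groups - ROLE_GROUPS.get(a.role, set())
        if extra:
            findings.append((a.username, "excessive_privilege",
                             f"groups not permitted for role {a.role}: "
                             f"{sorted(extra)}"))

        # MFA must be enforced on every privileged account.
        if privileged and not a.mfa_enrolled:
            findings.append((a.username, "no_mfa",
                             "privileged account without MFA"))

        # Dormant accounts are unnecessary accounts waiting to be abused.
        if a.last_logon is None or (today - a.last_logon).days > DORMANT_DAYS:
            findings.append((a.username, "dormant",
                             f"no logon in {DORMANT_DAYS} days; review"))
    return findings


# Constructed sample data: a frozen audit date, the HR roster, and a
# directory export with one clean account and three that should be flagged.
TODAY = date(2016, 10, 1)
ACTIVE_EMPLOYEES = {"E100", "E300"}
SAMPLE_ACCOUNTS = [
    Account("jdoe", "E100", "operator", {"SCADA Operators"}, True,
            TODAY - timedelta(days=3)),
    Account("bsmith", "E205", "engineer", {"Domain Admins"}, False,
            TODAY - timedelta(days=120)),
    Account("svc_hist", "", "service", {"Historian"}, False,
            TODAY - timedelta(days=1)),
    Account("asmith", "E300", "helpdesk", {"Helpdesk", "Remote Access"}, True,
            TODAY - timedelta(days=200)),
]

if __name__ == "__main__":
    for user, kind, detail in audit_accounts(SAMPLE_ACCOUNTS,
                                             ACTIVE_EMPLOYEES, TODAY):
        print(f"{user:10} {kind:20} {detail}")
```

In practice the directory export comes from the identity provider (for example an LDAP or Active Directory dump) and the roster from HR, and the audit runs on a schedule with its findings ticketed; the value is in the reconciliation across the two sources, which no single system sees on its own.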

To address the human element of the cybersecurity dilemma, power companies must institute sufficient training and education for all their employees. One of the biggest threats to cybersecurity in any industry is the insider threat. This can manifest itself in the malicious actions of a disgruntled employee, or could be the result of accidents or negligence. Education on cybersecurity issues and training on the proper ways to handle network information can lead to better overall cyber hygiene and prevent unauthorized access.

From a procedural perspective, a critical infrastructure entity should test its own defenses and practice responding to the inevitable cyber-attack. The former can be conducted through what is known as penetration tests or, more generally, red teaming. The latter can be accomplished with cyber tabletop exercises, in which all relevant company personnel walk through a hypothetical attack scenario to determine what they will (or should) do during an actual attack. The best practices described above are not exhaustive.

Much more can and should be done to protect the critical infrastructure of our country, especially because of its importance to national security. Contrary to the adage “the best defense is a good offense,” the best national defense is a good cybersecurity defense.


Republished with permission from United States Cybersecurity Magazine, Fall 2016 edition, available for viewing at http://www.uscybersecurity.net/united-states-cybersecurity-magazine/fall-2016/#p=30