Threats grow as hackers turn eyes on new target: utility providers
JEFFERSON CITY, Mo. – The threat of hacking has become an ever-looming danger to companies and governments across the world with each day, as new technology continues to arrive.
But as the technology keeps changing, so does the target of the hackers. The latest victim of attacks seems to be energy facilities. Energy, nuclear, and manufacturing organizations continue to be the frequent subject of these advanced and complex cyber attacks, which experts say could have dramatic effects. But why is that?
Joseph S. Abrenio, the President of the Midwest Cyber Security Alliance, says that the answer is quite simple.
“This really goes back to the classic Willie Sutton quote – when asked why he robbed banks, he responded, quite simply ‘because that’s where the money is.’ The reasons and rationale for hacking cover the spectrum from political motivations to nation-states using this to infiltrate,” he said. “As hacking has increased both in breadth and depth, many industries have shored up their defenses. While many industries have brought in experts and taken steps to thwart hackers, some industries are a bit lagging. Here, in many respects, the power grid may be an easier target than a financial bellwether, and additionally, the rise in identity theft puts power operators at a bit of a disadvantage as they may retain sensitive personally identifiable information (PII) and yet lack the policies and technological wherewithal to adequately protect this PII.”
For months now, hackers have attempted to penetrate the computer networks of companies operating nuclear power stations and utility service providers. The most notable of these attacks was the one for Wolf Creek Nuclear Operating Corporation, which operates a nuclear power plant near Burlington, Kan.
A report from Homeland Security and the FBI was assigned an urgent amber warning, which is the second highest rating for the sensitivity of the threat. But the report did not say whether the cyber attacks were an attempt at espionage or just part of a plan seeking to cause destruction and turmoil.
“There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks,” a spokesman for the Department of Homeland Security said.
The report shows that the attack was contained to just the business side of the plant and that no critical infrastructure was affected. Officials from Wolf Creek say that their corporate network and the internet were separate from the network that runs the plant, creating a gap between the two and preventing potential hackers from gaining access.
But even the phishing of data from the business side can prove to be dangerous, as hackers could gain access to emails, communications involving design plans, information about security assessments, documents that contain passwords or more. Even if the first attack doesn’t do much, it could potentially set up another future attack.
“These things are pretty scary. Wolf Creek didn’t turn out as bad as it could have, but when you’ve got people constantly looking at taking down your power grid or taking down a nuclear facility, or other critical areas of infrastructure, that’s serious, and we don’t want to be another example of that,” Trey Davis, President of Missouri Energy Development Association (MEDA), said. “Obviously, our systems integrate with regional electrical systems and go way beyond just the state of Missouri. There’s constant contact with each other on a daily basis, but those attempted hacks are a wakeup call. It’s not only a reminder to our industry, but to the general public.”
Jon Wellinghoff, the former chairman of the Federal Energy Regulatory Commission, said in a recent interview that while the security of United States’ critical infrastructure systems had improved in recent years, they were still vulnerable to advanced hacking attacks.
And the signs have been around for years. In 2008, an attack called Stuxnet that was designed by the United States and Israel to hit Iran’s main nuclear enrichment facility demonstrated how computer attacks could disrupt and destroy physical infrastructure. Government hackers infiltrated the systems that controlled Iran’s nuclear centrifuges and spun them wildly out of control or stopped them from spinning entirely, destroying a fifth of Iran’s centrifuges.
A 2010 FBI report showed a series of hacks against smart meters may have cost a Puerto Rico utility company $400 million annually over the matter of a few years.
And the greatest threat with these attacks is that someone could potentially hijack these systems remotely do something similar as the Stuxnet attacks, or even worse.
On May 11, during the attacks, President Trump signed an executive order to strengthen the cybersecurity defenses of federal networks and critical infrastructure. The order required government agencies to work with public companies to mitigate risks and help defend critical infrastructure organizations “at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”
The order specifically addressed the threats from “electricity disruptions and prolonged power outages resulting from cybersecurity incidents.”
And while it may sound like the attacks on nuclear facilities are increasingly becoming more dangerous, some experts say the real threat lies with the hacking of the power grids themselves.
A 2015 report by USA Today showed that hackers infiltrated the Department of Energy’s computer system over 150 times in the span of 2010-2014, targeting the DOE networks more than 1,100 times.
Many experts believe that the next significant targets will be the power grid, with hackers turning off water, electricity, and causing power outages.
Today, most critical infrastructure is controlled by the supervisory control and data acquisition systems, or SCADA, as it is called. These systems monitor variables like pressure and flow through pipelines, and allow operators to watch and diagnose problems. But, like any software these days, SCADA systems are just as susceptible to hacking and computer viruses as any other programs.
“In 2003 a computer malware worm code-named Slammer infiltrated power grid SCADA systems,” Abrenio said. “The worm was CPU intensive and, consequently, the digital controls were less responsive and thus when a tree fell on a power line in Ohio, the SCADA systems were unable to prevent a cascading power loss. Consequently the combination of events: the worm which slowed the SCADA systems, and the power line hit from a downed tree resulted in a loss of power for over 50,000,000 across eight states.”
And fighting for control of the grid could mean long outages that disrupt the lives of thousands or millions of people, as well as billions in damage.
The right attack could take down basic communication, disrupting telephones, cell towers, and cable lines. But it could mean even more than that: potentially, a hacker could turn off power providing stable room temperatures to keep things frozen and dormant or cause mass disruptions to places like hospitals, healthcare centers, nursing homes, or schools, places where specialized care might be needed.
And the scenario has already been played out. In 2015, about 225,000 citizens in Ukraine were left in the dark when a cyber attack caused a power outage. A similar attack also occurred in Ukraine in 2016.
“If an attempted electric or natural gas cyber-attack were successful in Missouri…in let’s say December, think about what impact that would have on elderly or low-income customers. The impact could be catastrophic,” Davis added. “Missouri is very good at being the Show-Me State. We wait for things to happen then we react. Physical and cyber-attackers won’t wait until we are ready. We must be proactive, not reactive.”
In theory, one well-placed and well-timed attack could cost more than just money; it could cost lives.
So, in this environment, specialists say that the need to enhance and improve cybersecurity and modernize the grids and infrastructure is more paramount than ever.
But the interesting thing is that as more utility companies continue to push forward and use newer forms of technology, the opportunities for hackers to cause mischief increase, leading some to speculate that the greatest defense against hackers is the analog system instead of newer, more modern digital systems.
“While in truth, the analog grid was not susceptible to hacking and infiltration via remote attacks and malicious code. However, the analog grid is highly susceptible to thermal breakdown and mechanical component failures,” Abrenio says. “Furthermore, it has been estimated that non-digital controls limit the grid to roughly 60% of its transmission capabilities. Additionally, the movement to a “Smart Grid” provides a plethora of features, not the least of which is the ability to pursue demand side management to help load balance and to prevent cascading failures. Further benefits include the ability to integrate renewable energy sources and to quickly perform regeneration and restoration of services following a power-disturbance.”
To combat potential attacks, the regulatory frameworks in place for utilities require a minimum compliance to safeguard against attacks. Each company is required to develop a sound cybersecurity policy, and maintain strong protocols as well as properly educate and train their staff.
At the national level, the federal government also has taken steps to try to beef up their security oversight by creating the Office of Energy Infrastructure Security in 2012 under the Federal Energy Regulation Commission (FERC) in order to analyze and recommend best procedures. Companies also could adopt the existing cyber security standards developed by the North American Electric Reliability Corporation (NERC). But Abrenio says that part of the issue is that only certain elements of the standards fall under the guidelines, meaning not all are mandated to follow them.
“One of the greatest issues facing grid entities (and others as well) is having a complete, accurate, and dynamic inventory of assets so that they can understand what pieces are part of their total system environment and then take steps to implement safeguards to protect those assets from unauthorized access and/or exfiltration,” Abrenio said. “This would include understanding both physical, virtual, as well as human components in order to effectuate appropriate safeguards and knowledge transfer.”
Here in Missouri, utility companies and their regulating body have also taken steps to address the issue.
“MEDA’s electric, natural gas, and water members are subject to significant cybersecurity regulation at the federal level by such bodies as the Federal Energy Regulatory Commission (FERC) and they communicate on a regular basis with federal, regional, and state entities such as the Department of Homeland Security (DHS), the Department of Energy (DOE), the Environmental Protection Agency (EPA), and regional transmission authorities like MISO and SPP for example,” Davis said. “MEDA’s members recently participated in the Missouri Public Service Commission’s (MoPSC), the regulatory body for Missouri’s Investor-Owned Utilities, “Workshop to Address Security Practices for Protecting Essential Utility Infrastructure.” Comments were submitted regarding safeguarding critical infrastructure information, cybersecurity standards and monitoring, and cyber-related information sharing.”
But Davis says that, while these are good steps, there’s still more to be done.
“While participation in such MoPSC workshops is an important part of the constant dialogue regarding cybersecurity, Missouri’s Investor-Owned Utilities are still funding and operating a utility infrastructure that is regulated with a model dating back to 1913. Forty-six other states have worked to significantly improve their regulatory climates,” Davis said. “According to a Bloomberg article from earlier this year, the U.S. Energy Department stated that the nation’s electricity system “faces imminent danger” from cyber-attacks, which are growing more frequent and sophisticated. Overall, the department’s report said, total investment requirements necessary for utility grid modernization range from $350 billion to $500 billion. PricewaterhouseCoopers only just found that 65% of United Kingdom businesses were “significantly concerned” over risks to energy technology.”
And in the end, the saying “a system is only as secure as the people who run it” goes a long way, and to truly keep fighting off the hackers, then companies have to invest the time and resources to make sure that they stay at least one step ahead of their attackers.