The dark side of the smart energy grid is its vulnerability to cyber attacks. Previously, attacks on the electric grid seemed reserved for faraway places like Ukraine (Russian hackers took down a portion of Ukraine’s power grid in 2015 for several hours – it was the first cyber attack known to have caused a blackout). Now, such attacks are hitting closer to home.
It was disclosed that a malicious “cyber event” against an electrical utility in the United States occurred on March 5th, 2019, from 9am-7pm. On its disturbance form, The Department of Energy labelled it a “cyber event [causing] interruptions of electrical system operations.” An Energy Department official said that it was a ‘denial of service’ incident, meaning the system was overwhelmed with fake internet traffic produced by a threat actor. The anonymous utility serves parts of Utah, Wyoming and California. Luckily, no outages resulted, nor was the electrical grid’s reliability compromised.
If no real damage occurred, then why you should care?
Crossing a Line
Because a disturbing new line has been crossed and by a comparatively simple hack. If a simple hack disrupted the utility service, what might happen if a sophisticated threat actor, or threat group, issued a more formidable attack, causing widespread outages? A 2015 report stated that a significant grid attack in the United States could cost up to $1 trillion.
John Hultquist, Director of Intelligence Analysis, FireEye Inc. says, “The grid runs everything. Forget how robust it is. How many other critical infrastructure sectors rely on electricity? It’s the best way to cause cascading effects across society — the public knows that. They don’t know anything about how hard that would be.” Hard, but not impossible, as the recent disruption demonstrates.
What is remarkable is that no US electrical utility is known to have experienced any disruptive cyber attack in the past, as Energywire reported in 2018, even though utilities often find themselves targeted by the world’s most sophisticated hackers and face millions of hacking attempts daily. The March attack could have been easily thwarted. It relied on a widely known computer virus; one for which there was a software patch. If the utility had practiced good cyber hygiene and kept updated on its patches, the incident could have been prevented.
“In theory, a grid with more distributed resources can increase the potential attack surface for adversaries because the capacity of distributed generation, including renewables, has grown exponentially over the last decade,” stated Bill Lawrence, Director, North American Electric Reliability Corporation’s Electricity Information Sharing and Analysis Center. Sam Feinburg, Executive Director of Helena said, “[Grid] infrastructure is getting more complicated, and because of that, it’s getting harder and harder to defend each part of it. The ability to conduct these attacks is only being distributed across a wider and wider set of folks.”
Protecting Canadian Critical Infrastructure
According to KPMG, “almost half of power and utility CEOs think a cyber attack on their company is inevitable. Of those surveyed, 48% feared cyber attacks were a matter of “when” not “if,” 58% felt prepared to identify a cybersecurity threat and 59% identified cybersecurity specialists as the most important new role in their company.”
While Robert M. Lee, former NSA hacker and founder of Dragos says “I don’t want to make light of threats poking and prodding our infrastructure. But we also don’t want to hype up the challenge,” Feinburg believes that “It does not take a sophisticated attacker to deal damage to critical electrical infrastructure, and that’s scary.” The potential fallout is scary and while we don’t want to “hype up the challenge,” we do want to ensure Canadian energy companies are putting up the best defence possible.
Both the Canadian federal and provincial governments have been urging critical sectors, which includes utilities, to toughen their cybersecurity practices. At the end of April, Ontario’s energy regulator, the Ontario Energy Board (OEB) demanded that the province’s 65 local distribution companies report on their cybersecurity. Requiring a yearly filing of “Readiness Reports” on their cyber status measured against what is called the Ontario Cyber Security Framework.
The OEB Cyber Report asks the licensee to identify the following (taken from the report summary):
- the organization’s cybersecurity risk using the Inherent Risk Profile Tool in the Framework as either “high,” “medium” or “low”;
- the status of implementation of control objectives consistent with the organization’s risk profile;
- whether specific security objectives have been implemented, such as: a corporate privacy and cybersecurity governance program, privacy and cybersecurity risk identification and risk prioritization processes, third party or self-audits of privacy and cybersecurity program, and participation in the IESO’s information sharing services;
- whether mitigation plans and privacy and cybersecurity awareness education and training programs are in place;
- whether the licensee has systems and/or processes in place to identify, protect and detect cybersecurity and privacy events/incidents;
- whether incident response processes are in place and if they are regularly tested; and
- whether documented incident recovery processes are in place and if they are regularly tested.
The cyber reporting intends to confirm whether a licensee has implemented sound and appropriate cybersecurity measures and can be considered appropriately cyber-resilient. While this reporting is unique to electrical distributors in Ontario, other provinces and utilities will shortly follow suit.
Making All Utilities Cyber-Resilient
It is essential to understand that any device that connects to the Internet can be hacked: If it’s connected, it’s vulnerable – even a utility company with a relatively small network of 50-100 routers. Any organization, across all sectors, are susceptible to a cyber attack. For a skilled cybercriminal, all it takes to jeopardize an entire system is access to a single device or individual.
Recommendations for how to make your energy company cyber-resilient include:
- Educate. All companies need to prioritize cybersecurity education in their cybersecurity strategy; including cybersecurity awareness programs, cyberliteracy programs and cyber hygiene training. As the Canadian Institute for Cybersecurity, University of New Brunswick stated, “Cybersecurity and privacy, once issues only for technology experts, have become widespread concerns in business and society. Cybersecurity is no longer just an IT problem. It is a business problem; it is everyone’s problem. The weakest link in cybersecurity is now people, not devices. As such, the human factor is considered the biggest threat to cyber safety.”
- Culture. Create a culture of cybersecurity in your organization – making cybersecurity a priority for employees at all levels.
- Secure funding. Ask for additional cybersecurity funding.
- Ask a specialist. Partner and communicate with a cybersecurity specialist.
- Assess. Conduct a vulnerability assessment.
- Strategize. Develop and follow a cybersecurity incident response plan.
- Practice. Conduct organization-wide cybersecurity exercises to keep staff sharp.
- Stay alert and adapt. Stay current on the changing threat landscape and adjust your incident response plan accordingly.
Protecting critical industries is of vital importance with cyber attacks increasingly targeting utilities. Utility-providers need to respond with network fortification measures and utility-specific incident response plans. Talk to the cybersecurity solutions specialists at ISA, who have over 27-years of demonstrated industry excellence, about how to protect your company from a cyber attack.