October 24, 2016

Still think all of those concerns about cybersecurity protections on the electric grid are overblown?

Try asking the 225,000 people in Ukraine whose power was cut last December by a Russian hacking group that calls itself “Sandworm.” During the hack, Sandworm’s savvy experts first installed malware and then remotely switched breakers in a way that cut power to users, according to the Department of Homeland Security in the United States.

Making matters more damaging and disruptive, the same hackers may also have spammed the Ukrainian utility’s customer-service center with a barrage of phone calls designed to block real customers from reporting true conditions after the hackers breached the system, according to Reuters citing a report issued by SANS Inc.

While it is generally believed that the hack of the Ukrainian utility was the first of its kind, don’t think for a moment that hackers elsewhere weren’t encouraged, and possibly emboldened, to try the same thing in the United States or elsewhere.

FERC Recognizes Threats

The breadth and depth of complex electric utility networks make them uniquely vulnerable to cybersecurity threats. Officials in the U.S. are only too aware of this.

Evidence: In July, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability Corporation (NERC) to develop a new supply chain risk management standard that addresses risks to information systems and related bulk electric system assets.

“The 2015 cyberattack on the electric utility grid in Ukraine is an example of how cyber systems used to operate and maintain interconnected networks more efficiently can have the unintended effect of creating cyber vulnerabilities,” the agency said in its July notice.

The new or modified Reliability Standard is designed to address software integrity and authenticity, vendor remote access, information systems planning, and vendor risk management and procurement controls. In each case, the ability to keep a firm grip on document control is absolutely vital. There’s both good and bad news here. The good news is FERC is not forcing a “one-size-fits-all” requirement on anyone. The bad news is that this move places even more responsibility on those entrusted with the security of the utility grid to get the job done. Failure is not an option.

“Don’t think for a moment that hackers elsewhere weren’t encouraged, and possibly emboldened, to try the same thing in the United States.”

Document Control Demanded

FERC tasked NERC with developing a forward-looking, objective-based Critical Infrastructure Protection (CIP) Reliability Standard that requires each affected entity to “develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.”

FERC also took it a step further, issuing a Notice of Inquiry (NOI) into modifying CIP standards regarding the protection of control centers that are used to monitor and control the bulk electric system in real time. FERC seeks comments on possible modifications, and any potential impacts they may have on the operation of the Bulk-Power System, to address separation between the internet and the cyber control systems in control centers that perform transmission operator functions.

The agency also wants to hear from the industry regarding computer administration practices that prevent unauthorized programs from running, also called “application whitelisting,” for the cyber systems in key control centers.


DHS Spreads the Word: Security Matters

Circling back to the real-life situation in Ukraine, it is important to recall that the Department of Homeland Security (DHS) initially downplayed the significance of the security breach. It changed its tune a few months later and launched a nationwide campaign at the end of March that included a dozen in-person briefings and online webinars designed to help those in the power infrastructure understand the latest threats.

“These events represent one of the first known physical impacts to critical infrastructure which resulted from cyber-attack,” acknowledged an announcement by the DHS Industrial Control Systems Cyber Emergency Response Team when the sessions were announced.

It went on, “The attacks leveraged commonly available tools and tactics against the control systems which could be used against infrastructure in every sector.”

In other words, the nation’s top cybersecurity officials realize they may have underestimated this threat to the utility grid. If they’ve changed their minds, it probably means those tasked with protecting America’s energy infrastructure ought to consider doing the same in the hopes of being ready to prevent or at least mitigate the next attempted terrorist strike.

History tells us the threat is real. It also tells us the stakes are high.