What Are the Cyber Risks?

The Siemens report, compiled by the manufacturing company and the Ponemon Institute, focuses on cyber risks to electric utilities with gas, solar or wind assets, as well as to water utilities. “The survey results show that risk is worsening, with potential for severe financial, environmental and infrastructure damage,” reads the Siemens report, noting that “the risk that cyber-attacks pose to the OT environment is increasing in frequency and potency as malicious actors’ ability to accurately target critical infrastructure assets improves.”

The majority of those surveyed by Siemens and Ponemon, around 54%, reported that they expect a cyberattack on critical infrastructure within the next year, and 64% described cyberattacks as a “top challenge.” “Where past attacks primarily targeted data theft, current and future attacks can hijack control systems and logic controllers that operate critical infrastructure with the intent to cause physical damage and outages,” says the report.

The Siemens report findings match those of the World Economic Forum (WEF) report “Regional Risks for Doing Business 2019.” According to the WEF report, “cyber attacks” and “failure of critical infrastructure” are within the top 10 risks faced by businesses worldwide. In the US and Canada region, “failure of critical infrastructure” is the fifth top risk faced by businesses and is closely related to “cyber attacks,” which ranks at number one on the list. “The latest American Society of Civil Engineers (ASCE) report rated the US 'D+' on its infrastructure, only slightly better than 'unfit for purpose.' Cyber-related threats are also likely to contribute to concerns about critical infrastructure, as these systems become increasingly connected to the internet of things (IoT),” says the WEF report.

Concerns about the electric grid’s ability to withstand a cyberattack are heightened by the sophistication of recent security incidents.
These more advanced attacks make managing the security of the OT involved in utilities more difficult, with 64% of the Siemens survey respondents citing concerns around the increasingly sophisticated attacks. “Because many utilities manage infrastructure critical to daily life, nation-states and other malicious actors have an interest in developing cyber weapons that target utilities,” note Siemens and Ponemon. “Individuals and criminal organizations may now also have the backing of nation-states, or state-aligned proxy groups, interested in damaging physical assets, and may use potent cyber warfare tools originally developed by nation-states.”
Can the Electric Grid Address the Risks?

A report released in August 2019 by the Government Accountability Office (GAO) found that the Department of Energy (DOE) has not done enough to protect the electrical grid against increasing cyberattack attempts. GAO wrote in the report that “the nation’s electric grid is becoming more vulnerable to cyberattacks — particularly those involving industrial control systems that support grid operations. Recent federal assessments indicate that cyberattacks could cause widespread power outages in the United States, but the scale of such outages is uncertain.” GAO emphasized that DOE “plays a key role in helping address cybersecurity risks in each component of the electric grid’s infrastructure.” However, “although the Department of Energy has developed plans and an assessment to implement a federal strategy for addressing grid cybersecurity risks, these documents do not fully address all of the key characteristics needed for a national strategy.” The report also found the following:

...the Federal Energy Regulatory Commission (FERC)—the regulator for the interstate transmission of electricity—has approved mandatory grid cybersecurity standards. However, it has not ensured that those standards fully address leading federal guidance for critical infrastructure cybersecurity—specifically, the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Without a full consideration of the framework, there is increased risk that grid entities will not fully implement leading cybersecurity practices.

The GAO report notes that the U.S. electric grid faces “significant cybersecurity risks” because “threat actors are becoming increasingly capable of carrying out attacks on the grid.” Nations, criminal groups and terrorists pose the most significant cyber threats to U.S. critical infrastructure, according to the report. At the same time, “the grid is becoming more vulnerable to cyberattacks” via:
- Industrial Control Systems: The integration of cheaper and more widely available devices that use traditional networking protocols into industrial control systems has led to a larger cyberattack surface for the grid’s systems.
- Consumer Internet of Things (IoT) devices connected to the grid’s distribution network: Malicious threat actors could compromise many high-wattage IoT devices (such as air conditioners and heaters) and turn them into a botnet. The malicious actors could then use the botnet to launch a coordinated attack aimed at manipulating the demand across distribution grids.
- The Global Positioning System (GPS): The grid is dependent on GPS timing to monitor and control generation, transmission and distribution functions.
- Difficulties in hiring enough cybersecurity employees,
- Limited public-private information sharing of classified information,
- Limited resources to invest in cybersecurity protections,
- Reliance on other critical infrastructure that may be vulnerable to cyberattacks, and
- Uncertainties about how to implement cybersecurity standards and guidance.
What Is the Solution?

Concluding their report, Siemens and Ponemon suggest that electric grid operators should adopt “frameworks for building systems that continually improve security.” Organizations need the capability to keep up with changes in technology, business models and attack modes; to detect when an attack or other anomaly occurs; and to respond when an incident is detected. Building these capabilities requires:
- Clear ownership for OT security within the organization.
- A strategy to get the visibility, skill set and security improvements around an organization’s needs as well as the budget and resources to back up this strategy.
- The commitment to iteratively implement the cyber security strategy.