Reports from the U.S. Government Accountability Office (GAO) and Siemens highlight both the increasing cyber threats faced by the electric utility companies and the lack of adequate readiness to respond to these threats. According to these reports, a cyber-attack on the electric grid could cause “severe” damage.
The electric grid delivers the electricity that is essential for modern life. As a result, the reliability of the grid, its ability to meet consumers’ electricity demand always, has been of long-standing national interest. The grid’s reliability can be impaired by cyberattacks on the IT and OT systems that support its operations. Cyberattacks could result in widespread loss of electrical services including long-duration, large-scale blackouts.
“Power and energy is the core of almost everything we do. Nothing in our modern society can function without access to power, and it’s the utility industry that provides that to everybody, which is why this is an urgent matter of national concern,” said Former Homeland Security Secretary Michael Chertoff. According to Chertoff and many cybersecurity professionals, the security of the national electric grid is a “real national security issue.”
What Are the Cyber Risks?
The Siemens report, compiled by the manufacturing company and the Ponemon Institute, focuses on cyber risks to electric utilities with gas, solar or wind assets as well as with water utilities.
“The survey results show that risk is worsening, with potential for severe financial, environmental and infrastructure damage,” reads the Siemens report, noting that “the risk that cyber-attacks pose to the OT environment is increasing in frequency and potency as malicious actors’ ability to accurately target critical infrastructure assets improves.”
The majority of those surveyed by Siemens and Ponemon, around 54%, reported that they expect a cyberattack on critical infrastructure within the next year, and 64% described cyberattacks as a “top challenge.”
“Where past attacks primarily targeted data theft, current and future attacks can hijack control systems and logic controllers that operate critical infrastructure with the intent to cause physical damage and outages,” says the report.
The Siemens report findings match those of the World Economic Forum report on “Regional Risks for Doing Business 2019.” According to the WEF report, “cyber attacks” and “failure of critical infrastructure” are within the top 10 risks faced by businesses worldwide. Focusing in the region of US and Canada, “failure of critical infrastructure” is the fifth top risk faced by businesses, which is closely related to “cyber attacks.” ranking at number one of the list.
“The latest American Society of Civil Engineers (ACSE) report rated the US ‘D+’ on its infrastructure, only slightly better than ‘unfit for purpose.’ Cyber-related threats are also likely to contribute to concerns about critical infrastructure, as these systems become increasingly connected to the internet of things (IoT),” says the WEF report.
The cyber-related concerns of the electric grid’s ability to withstand a cyber-attack are enhanced by the sophistication of the recent security incidents. These more advanced attacks make managing the security of the OT involved in utilities more difficult, with 64% of the Siemens survey respondents citing concerns around the increasingly sophisticated attacks.
“Because many utilities manage infrastructure critical to daily life, nation-states and other malicious actors have an interest in developing cyber weapons that target utilities,” note Siemens and Ponemon. “Individuals and criminal organizations may now also have the backing of nation-states, or state-aligned proxy groups, interested in damaging physical assets, and may use potent cyber warfare tools originally developed by nation-states.”
Can the Electric Grid Address the Risks?
The report released in August 2019 by the Government Accountability Office (GAO) found that the Department of Energy (DOE) has not done enough to protect the electrical grid against increasing cyber attack attempts.
GAO wrote in the report that “the nation’s electric grid is becoming more vulnerable to cyberattacks — particularly those involving industrial control systems that support grid operations. Recent federal assessments indicate that cyberattacks could cause widespread power outages in the United States, but the scale of such outages is uncertain.”
GAO emphasized that DOE “plays a key role in helping address cybersecurity risks in each component of the electric grid’s infrastructure.” However, “although the Department of Energy has developed plans and an assessment to implement a federal strategy for addressing grid cybersecurity risks, these documents do not fully address all of the key characteristics needed for a national strategy.”
The report also found the following:
…the Federal Energy Regulatory Commission (FERC)—the regulator for the interstate transmission of electricity—has approved mandatory grid cybersecurity standards. However, it has not ensured that those standards fully address leading federal guidance for critical infrastructure cybersecurity—specifically, the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Without a full consideration of the framework, there is increased risk that grid entities will not fully implement leading cybersecurity practices.
The GAO report notes that the U.S. electric grid faces “significant cybersecurity risks” because “threat actors are becoming increasingly capable of carrying out attacks on the grid.” Nations, criminal groups and terrorists pose the most significant cyber threats to U.S. critical infrastructure, according to the report.
At the same time, “the grid is becoming more vulnerable to cyberattacks” via:
- Industrial Control Systems: The integration of cheaper and more widely available devices that use traditional networking protocols into industrial control systems has led to a larger cyberattack surface for the grid’s systems.
- Consumer Internet of Things (IoT) devices connected to the grid’s distribution network: Malicious threat actors could compromise many high-wattage IoT devices (such as air conditioners and heaters) and turn them into a botnet. The malicious actors could then use the botnet to launch a coordinated attack aimed at manipulating the demand across distribution grids.
- The Global Positioning System (GPS): The grid is dependent on GPS timing to monitor and control generation, transmission and distribution functions.
Even though cyber incidents involving the grid have not caused power outages in the United States, GAO highlights the fact that cyberattacks on foreign industrial control systems have resulted in power outages. For example, in December 2015, malicious actors linked by Ukrainian officials to the Russian government conducted cyberattacks on three Ukrainian power distribution operators, resulting in a loss of power for about 225,000 customers. Additionally, GAO did not find evidence that these attacks physically damaged grid components, but cyberattacks on industrial control systems in other sectors demonstrates that this is possible.
The GAO report identified five significant challenges grid owners and operators face in addressing cybersecurity risks:
- Difficulties in hiring enough cybersecurity employees,
- Limited public-private information sharing of classified information,
- Limited resources to invest in cybersecurity protections,
- Reliance on other critical infrastructure that may be vulnerable to cyberattacks, and
- Uncertainties about how to implement cybersecurity standards and guidance.
GAO recommends that the DOE “in coordination with DHS and other relevant stakeholders, should develop a plan aimed at implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid.” In addition, FERC should consider adopting “changes to its cybersecurity standards to ensure those standards more fully address the NIST Cybersecurity framework and address current and projected risks.”
The GAO report includes a response from Karen Evans, the assistant secretary of DOE’s Office of Cybersecurity, Energy Security, and Emergency Response, who says that she “concurs” with GAO’s recommendation on the creation of a federal cybersecurity strategy, and noted that “DOE’s current actions meet the intent of GAO’s recommendation.” Evans wrote that DOE is currently working to develop a “national cybersecurity implementation plan” to address energy sector cybersecurity, with the plan due expected to be completed during the fall of 2019.
What Is the Solution?
Concluding their report, Siemens and Ponemon suggest that electric grid operators should adopt “frameworks for building systems that continually improve security.” The organizations need to have the capability to keep up with changes in technology, business models and attack modes; detect when an attack or other anomaly occurs and respond when an incident is detected.
Building these capabilities requires:
- Clear ownership for OT security within organization.
- A strategy to get the visibility, skill set and security improvements around an organization’s needs as well as the budget and resources to back up this strategy.
- The commitment to iteratively implement the cyber security strategy.
Tripwire can help mitigate the increasing cyber risks on the industrial control systems. Tripwire’s ICS solutions help gain network visibility, continuously monitor your status for potential problems and increase your resilience. You can learn more by reading this whitepaper.