Earlier this month, an explosion at a power station in Maryland caused outages at the White House, the Capitol, and the State Department. The service interruption, which affected between 10,000 and 30,000 people, was caused by a 230-kilovolt transmission conductor that broke free from its support structure, according to NBC News. As a result, the Smithsonian and other popular tourist sites in the DC area were forced to evacuate their patrons. Additionally, the Washington transit system activated emergency lighting at 13 of its stations.
The fact that this incident plunged some of the United States’ greatest power centers into darkness illustrates the extent to which our nation’s electrical power grid is vulnerable to a variety of threats, including cyber attacks. “It can be tough to envision the connection between power outages and cybersecurity, but it definitely exists,” explains Tim Erlin, Director of Product Management at Tripwire. “We’ve seen vulnerabilities in windmills and fire at a German steel plant caused by a cyber attack. Loss of power can have a catastrophic effect very quickly.”
In the past few years, several reports and experts have confirmed the U.S. power grid’s susceptibility to targeted attacks. These include the following:
- Two researchers in the fall of 2013 documented vulnerabilities in over 20 different vendors’ critical infrastructure network control products. If exploited, these flaws could allow attackers to disrupt power delivery, such as by taking a master server at a substation offline.
- A study issued by the Federal Energy Regulatory Commission (FERC) in March of 2014 notes that of the 55,000 electric substations located throughout the country, attackers would need to disable fewer than 10 of them to cause a major outage that could last for as long as a month or more. FERC goes on to note in its study that there are currently no regulations in place to protect these specific critical assets.
- In response to a CNBC article published earlier this year, Eugene Kaspersky, CEO and founder of the IT security firm Kaspersky Labs, stated that we have seen an uptick in targeted attacks against critical infrastructure. He goes on to warn that we will likely see incidents that cause “very visible damage” to the power grid, among other targets, in the near future.
- Finally, an investigation led by USA Today and more than 10 Gannett newspapers and TV stations across the United States found that the power grid sustained 362 attacks between 2011 and 2014, which resulted in outages and power disturbances. The attackers were never identified in most of these cases.
The Department of Energy is currently working to mitigate these and other threats. According to a recent article published by FOX News, the nation’s top energy officials have invested $4.5 billion in modernizing the U.S. power grid, including $100 million specifically allocated to sustain critical power functions in the event of a cyber attack.
These efforts have had some positive effects on the number of breaches reported by utilities over the past year. “The 2015 Verizon Data Breach Investigation Report lists utilities as having only 73 of the nearly 80,000 reported security incidents in 2014,” notes Travis Smith, a Security Analyst at Tripwire. This is likely due to the fact that attackers generally want a monetary reward for their efforts, such as what they can expect from stealing credit card data or holding critical data for ransom.
Even so, while profit-motivated hackers might have little incentive to attack critical infrastructure, sophisticated threat actors such as nation-states still do. Smith is well aware of this reality. “Public utilities such as the power grid are ultimately more susceptible to nation state and terrorist actors trying to damage a host country’s economy than they are to financially motivated hackers.”
Going forward, utility companies need to acknowledge the importance of computer security with regard to defending critical infrastructure. This means adopting a different mindset as part of their business models. “Acknowledgement of the growing role of cyber security means actively moving from a compliance focus to a security focus when it comes to industrial control systems,” observes Erlin. “Security is a facet of reliability, and a lack of cyber security will have a detrimental effect on the same.”
One way companies can embrace a security focus is by investing in threat intelligence solutions.
As Smith explains: “To protect themselves against future attacks, the utilities sector should analyze the attack patterns today and monitor how they change over time via threat intelligence technologies. Organizations not taking advantage of threat intelligence are handing their foes an advantage that they can’t afford to give up.” These companies can then share their analyses with other utility companies, which would protect the power industry more generally. Erlin is a strong advocate of this recommendation.
“We as information security professionals should work to expand security technologies to support industrial control systems and their supporting infrastructure, and we should fund and promote information sharing efforts for utilities and other industrial control system users.”
Clearly, the U.S. power grid is at risk of outages as a result of targeted attacks. This threat therefore calls on utility companies to cooperate with the Department of Energy, with information security professionals, and most importantly with one another if they are to meet tomorrow’s security challenges.