Despite relatively low interest in cybersecurity issues among power industry professionals, the threat of cyber attacks on generation systems is real, as the latest report by a U.S. Department of Homeland Security (DHS) group reveals.
The January–April report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) notes that the DHS group recently received reports of three new cyber incidents resulting from “weak network configuration and/or lack of perimeter security. Two of those incidents involved intrusions by unauthorized parties, and the other was identified as vulnerable by a researcher. In the majority of these cases, the system owners are unaware of the nonsecure configurations or the associated risk.”
In the first instance described, an unnamed public utility was compromised when a “sophisticated threat actor” gained access to the utility’s control system network via the Internet. “The systems were configured with a remote access capability, utilizing a simple password mechanism; however, the authentication method was susceptible to compromise via standard brute forcing techniques.”
A “brute force” attack involves sending strings of common passwords until the correct one is found. Generally, only systems with weak password security are vulnerable to brute force techniques.
In this case, ICS-CERT, which works with industry to identify, prevent, and respond to cyber attacks, “provided analytical assistance, including host-based forensic analysis and a comprehensive review of available network logs. It was determined that the systems were likely exposed to numerous security threats and previous intrusion activity was also identified.”
The second case involved a threat actor accessing a “mechanical device” through a supervisory control and data acquisition (SCADA) protocol. “The device was directly Internet accessible and was not protected by a firewall or authentication access controls.” A system exposed in this manner is accessible to anyone with the device’s Internet Protocol address. The third case involved an HVAC system at the Sochi Olympics.
The report urges immediate defensive actions using defense-in-depth principles.
However, past calls to action appear to have fallen on deaf ears. In a recent reader survey by POWER, respondents (n = 1,956) ranked their interest in security/cybersecurity the lowest of 11 possible topics. Sadly, the level of interest and the need to understand the issues are not aligned.
For the basics of generation cybersecurity, see “Generation Cybersecurity: What You Should Know, and Be Doing About It” and “NIST Cybersecurity Framework Aims to Improve Critical Infrastructure” in the February issue of POWER. Also look for a special report on NERC CIP Version 5 in the forthcoming June issue (online at powermag.com by June 2).
—Gail Reitenbach, PhD, Editor (@GailReit, @POWERmagazine)