The Power Sector’s High-Stakes Battle for Cyber-Resiliency
The power sector’s relentless pursuit of an increasingly connected power paradigm amid an escalating cyber threat landscape demands an urgent, multifaceted strategy for cybersecurity. Recently, the sector has embarked on innovative methods to tackle inherent challenges in its evolving quest for a robust cybersecurity posture.
In 2022, a third party alerted industrial control systems (ICS) firm Dragos it had identified a new collection of malware, PIPEDREAM, that fostered a “reusable cross-industry capability” that could unleash disruptive and even destructive effects on ICS/operational technology (OT) equipment. As Dragos CEO Robert Lee explained to Congress in March 2023, “Years ago, I often [said] that I was not worried about the threats of today because our infrastructure owners and operators had focused so much on reliability and safety that it naturally helped cybersecurity.” But PIPEDREAM, distinct for its capability to exploit “homogenous infrastructure,” stunned him.
“Based on Dragos’ assessment, PIPEDREAM was initially targeted toward energy assets such as liquid natural gas and electric transmission equipment,” he noted, “but it can work on almost all OT environments, ranging from the heating, ventilation, and cooling equipment in data centers to control systems used in next-generation military and weapons systems.” And while PIPEDREAM was one of many ICS-specific malwares—following STUXNET, AURORA, HAVEX, BLACKENERGY2, CRASHOVERRIDE/INDUSTROYER, TRISIS/TRITON, and INDUSTROYER2 (Figure 1)—it presented “the first realistic cyber capability that can significantly disrupt critical infrastructure domestically,” he said. “It’s not capability you can simply patch away or otherwise prevent. Once it is in a target’s networks, it is a reliable tool for an attack as it takes advantage of the native functionality and common software now deployed across infrastructure sites.”
PIPEDREAM’s identification led Dragos and its partner to the National Security Agency (NSA), Federal Bureau of Investigations (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Energy (DOE), and under “one of the most significant public-private partnership wins of all time in cybersecurity,” the collaborative effort identified, analyzed, and ultimately reported PIPEDREAM to the broader infrastructure community before PIPEDREAM could make an impact, Lee said. While its proactive containment represents a victory, the specter of the insidious malware that can unleash potentially massive repercussions remains significant.
One reason is that since 2015, when a cyberattack prompted power outages in Ukraine, the power sector has dramatically ramped up its cybersecurity posture. But adversaries have been relentless. “In 2017, the first-ever cyberattack that targeted human life directly took place in a Saudi Arabian petrochemical facility by targeting an OT system,” Lee noted. “Across 2018 to 2021, there were over a dozen new state actor cyber teams that started targeting industrial companies directly.”
Attacks have highlighted vulnerabilities in all parts of the industry. The 2020 SolarWinds SUNBURST attack, spearheaded by the Russian Foreign Intelligence Service, exposed computer networks worldwide, highlighting vulnerabilities in supplier and manufacturer networks. (While SolarWinds initially reported 18,000 customers could potentially have been vulnerable to SUNBURST, the firm estimates the actual number of customers hacked through SUNBURST to be fewer than 100.)
Ransomware operations are meanwhile ramping up, reports security firm Resecurity. While the energy industry has seen a “brief, sectoral ‘ceasefire’ following the 2021 Colonial Pipeline ransomware attack, cybercriminals are once again honing in on energy-industry targets,” it warned in November. “In the wake of the MOVEit Transfer supply-chain extortion campaign, which has claimed over 2,180 victims so far, 2023 may actually go down in history as the most profitable year ever for ransomware actors. The broader trend driving the ransomware industry’s increasing ROI [return on investment] is the return of ‘big game hunting,’ or the targeting of large organizations,” it said. Operators are now targeting nuclear, and oil and gas firms, and “will continue to increase their extortion demand beyond $7 million, weaponizing their essentiality to CI [critical infrastructure] operations,” it said.
A Collective Push Toward Resilience
For the power sector, cyber threats remain top-of-mind, but its quest for good cybersecurity posture has evolved into a crucial risk management strategy with several new drivers. For one, significant security risks are associated with the changing resource mix. The grid transformation “is expanding the existing attack surface due to the use of emerging technologies, additional communications, and industrial controls as well as remote control capabilities,” explains the North American Electric Reliability Corp. (NERC), a quasi-governmental compliance enforcement authority.
Modern cybersecurity, which includes several security principles and concepts, typically comprises a defense-in-depth philosophy, but these were not historically integrated into the planning, design, and operation of the grid’s OT systems, NERC notes. As part of their embrace of digitalization, power companies are increasingly connecting the OT environment to outside networks through the incorporation of intelligent devices capable of internet protocol (IP) communications. “These channels provide opportunities for adversaries to exploit latent vulnerabilities within the existing system, as cybersecurity was not part of the design equation for legacy equipment, software, and networks. The introduction of new technologies and new types of entities entering electricity markets also present new cyber-attack vectors,” it added.
In North America, power entities abide by NERC Critical Infrastructure Protection (NERC CIP) standards, which have set requirements for cybersecurity management and control, personnel training, incident reporting, response planning, recovery plans for critical cyber assets, and security controls for grid technology and product suppliers. The European Union, meanwhile, in October 2023, modernized its 2016 Network and Information Directive (NIS). The update broadens the scope of critical entities to recharging point operators and various electricity market participants, and it reinforces cybersecurity requirements along their supply chain.
Power sector cybersecurity posture has also been guided by voluntary cybersecurity frameworks, including from the DOE and the National Institute of Standards and Technology (NIST), and public-private collaborations, such as an effort led by the Electricity Information Sharing and Analysis Center (E-ISAC). One example is the Cybersecurity Risk Information Sharing Program (CRISP), which facilitates the timely bi-directional sharing of unclassified and classified threat information, and development of situational awareness tools. CRISP participants currently provide power to more than 75% of U.S. customers, the DOE said.
However, the power sector’s cybersecurity imperative also largely responds to shareholder concerns about corporate risks posed by cybersecurity. In March 2022, the U.S. enacted the Cyber Incident Reporting for Critical Infrastructure Act, placing a reporting obligation on companies in some critical infrastructure sectors, including energy and nuclear reactors. And in July 2023, the U.S. Securities and Exchange Commission (SEC) finalized a rule that mandates disclosure regarding cybersecurity risk management, strategy, governance, and incident reporting for publicly traded companies. Future rules may hinge on the White House’s March 2023 rollout of a National Cybersecurity Strategy, which envisions “fundamental shifts” in how the U.S. allocates roles, responsibilities, and resources in the cyberspace.
Industry-Led Innovation
“Regulations, if done correctly, are good and required to set a baseline,” noted Patrik Boo, portfolio manager of Cyber Security Services at ABB. “The risk, when regulations are not done well, is that they set a minimum level,” he noted. Industry appears to understand this. Despite pressures, it is today leveraging a legacy in innovation and has embarked on exploring new tools to enhance cybersecurity along with efficiency.
Some companies are looking into integrating artificial intelligence (AI) to enhance and streamline cybersecurity. AI for cybersecurity offerings also appears to be ramping up. Technology firm NVIDIA recently rolled out Morpheus, an open application framework that “enables cybersecurity developers to create optimized AI pipelines for filtering, processing, and classifying large volumes of real-time data,” It essentially brings a “new level of security to the data center, cloud, and edge,” by using AI to “identify, capture, and act on threats and anomalies that were previously impossible to identify.” One attribute, for example, uses digital fingerprinting of the AI workflow to “uniquely fingerprint every user, service, account, and machine across the network—employing unsupervised learning to flag when activity patterns shift.”
Efforts are also progressing to integrate blockchain—best known for securing digital currency payments—with cybersecurity. A project under Oak Ridge National Laboratory’s Darknet initiative had developed a framework to detect unusual activity, including data manipulation, spoofing, and illicit changes to device settings. “Cyber risks have increased with two-way communication between grid power electronics equipment and new edge devices ranging from solar panels to electric car chargers and intelligent home electronics. These activities could trigger cascading power outages as breakers are tripped by protection devices,” ORNL noted. The framework proposes a “totally new capability” to respond to anomalies rapidly,” it said. “In the long run, we could more quickly identify an unauthorized system change, find its source, and provide more trustworthy failure analysis. The goal is to limit the damage caused by a cyberattack or equipment failure.”
The DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) is spearheading several notable partnerships with industry, including funding initiatives, aimed at enhancing power sector cybersecurity. A notable program is the Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program at Idaho National Laboratory, which tests critical system components to identify cyber vulnerabilities before they are exploited. The effort is geared to improve the security of ICS and software supply chains.
“DOE connects equipment manufacturers, vendors, and utilities with state-of-the-art, intelligence-informed analytic capabilities at its National Laboratories where they test operational technology components voluntarily submitted by the participating companies,” CESER noted. In January, nuclear giant Westinghouse joined four private sector companies, GE Vernova, Hitachi Energy, Schneider Electric, and Schweitzer Engineering Laboratories in the program. Westinghouse will test for potential cyber vulnerabilities in one of the company’s instrumentation and control systems used for nuclear applications.
CESER is also spearheading other noteworthy programs. It recently launched the Renewable Energy and Storage Cybersecurity Research (RESCue) initiative, which seeks to address cybersecurity concerns in hybrid energy systems, including wind, solar, and energy storage. In addition, it recently released $100 million in funding to explore cyber-resilient design frameworks for hybrid renewable systems, tools for forensic analysis, technologies to identify and mitigate cyber threats to inverter-based resources (IBRs) and energy storage, secure communications solutions for distributed energy resources (DERs), and cybersecurity enhancements for virtual power plants.
The Bold Prospect of Security Integration
Industry is also separately working with NERC to explore a “security integration,” which attempts to set down a more integrated approach to incorporate cyber and physical security into planning, design, and the operational phases of assets on the bulk power system. Recent efforts, for example, include equipment standards and device certification for behind-the-meter DERs, cyber-informed transmission planning approaches, and recommendations to address cyber threats facing IBR vendors, owners, operators, and aggregators.
To address security risks in the supply chain, the power sector is meanwhile championing Software Bills of Materials (SBOMs). SBOMs are essentially an “IT [information technology] list of ingredients in software,” Alex Santos, co-founder and CEO of Fortress Information Security, explained to POWER. “Software is not coded anymore—it’s assembled like Lego in blocks” from catalogs. Blocks, for example, comprise a database or a login screen, he said. “So, the SBOM is an ingredient list of the Lego pieces in our software.”
Fortress recently called attention to insidious cybersecurity issues that lurk in software products used to manage the U.S. power grid. In a report, the firm said that an estimated 90% of software products, including IT products, which are utilized for network management, as well as OT products, which are used to monitor and control physical processes and equipment, contain code “contributions” from Russian or Chinese developers. Santos noted federal entities like the CISA have supported SBOMs as a critical tool to prevent cyber-attacks, and the government has explored mandating SBOMs for software makers. “If the industry takes steps to require SBOMs and attestation forms voluntarily, the less the government will have to mandate them,” he said.
Yet another emerging industry-championed attribute is the “zero-trust” (ZT) principle. Seeking to proactively manage threats to OT technology, including ransomware and malware tools like PIPEDREAM, ZT is a collection of concepts (Figure 2) that builds upon and enhances historical controls and perimeter-based security models—as opposed to tearing them down. “Industry needs to continue to develop equipment and software as well as people, processes, policies, and governance capable of delivering on ZT principles,” NERC said. “Entities should invest in staff training for ZT, develop OT security programs, design roadmaps based on a ZT maturity model for the development of ZT architecture (ZTA) at the right pace for their organization.” ZTA, however, will be a long-term effort. NERC suggests operators should typically begin by implementing it in their IT environments, focusing on IT/OT demilitarized zones (DMZs) and operational control centers.
ZTA, however, will be a long-term effort. NERC suggests operators should typically begin by implementing it in their IT environments, focusing on IT/OT demilitarized zones (DMZs) and operational control centers. These areas, characterized by modern, flexible digital platforms and advanced network infrastructures with shorter refresh cycles, offer the most significant opportunities for ZTA deployment, providing a favorable cost/benefit ratio by addressing a broad attack surface and minimizing potential disruptions, it said. The effort should be pursued “incrementally” and in collaboration with OT integrators and vendors. “OT networks and legacy devices may create constraints that require hybrid approaches to solve,” it noted. “No single product or tool on the marketplace provides a complete ZTA, and organizations may already have infrastructure and controls in place that qualify as components of a ZTA.”
Pervading Challenges
Despite these measures, experts suggest more will need to be done, and several challenges lie ahead. The most glaring issue remains an organizational issue, where “engineers and managers who ‘own’ the power plant and substation equipment are generally not part of a cybersecurity program,” said Joseph Weiss, a registered professional engineer, who is managing director of ISA99, an International Society of Automation (ISA) standards committee that produced and continues to develop the ISA/IEC (International Electrotechnical Commission) 62443 series of standards and technical reports. ISA/IEC 62443 provides a framework for ensuring the secure operation of OT systems used across various sectors. A key reason is that “cybersecurity is being addressed as a network problem,” Weiss stressed. He noted the mismatch is longstanding and has its roots in the early 2000s, when companies began shifting their cybersecurity from operational organizations to IT.
Today, Weiss said there is no cybersecurity, authentication, cyber forensics, or cybersecurity training for control system field devices such as process sensors, actuators, and drives. The dire gap poses a serious cybersecurity oversight with potential impacts to reliability and process safety, he noted. Weiss warned that current regulations and approaches aren’t proving effective because “current technology is not identifying, preventing, or mitigating control system cyber incidents. There have been hundreds of power plant and substation cyber incidents that have shut down facilities or damaged equipment but are outside the scope of cyber security regulations,” he said.
Research and advisory firm Gartner pointed out other pervading challenges, including difficulties in fulfilling a demand for security talent (Figure 3). “The global cybersecurity talent shortage is a perennial issue,” it noted. In the U.S. alone, there are only enough qualified cybersecurity professionals to meet 70% of current demand—an all-time low over the past decade. Unfortunately, labor market supply-and-demand issues cannot be solved by individual security and risk management (SRM) leaders,” it said. “What can be solved is an emerging skills gap. Yet cybersecurity leaders continue to hire for legacy roles and skills,” it said.
The skills that cybersecurity teams need are changing drastically, given a convergence of megatrends. These include cloud adoption, the rapid rise of generative AI, an operating model transformation requiring cybersecurity professionals to increasingly work with and through business partners, and vendor consolidation. The threat landscape now also encompasses cyber-physical systems, remote work, and generative AI, it noted. “SRM leaders must reskill their teams by retraining existing talent and hiring new talent with new profiles,” Gartner said.
These new demands arrive with new scrutiny about corporate spending as the industry grapples with inflationary pressures and other industry disruptions. According to a benchmarking collaboration between security practitioners, IANS Research, and human resources firm Artico Search studying security budgets over 2023, cybersecurity budgets grew only 6%, “a modest figure following double-digit increases in 2020 and 2021,” though nearly a third of the 550 security executives it surveyed reported flat or declining budgets.
ABB’s Boo suggested that “while many power companies’ initiatives are spearheaded by one or two truth fighters—the ones that really live for cybersecurity even though it may not be their dedicated role—they also rely on external help for various reasons. It’s extremely beneficial to them because they get all that combined experience from that external consultancy or resource as a part of their organization,” Boo said. Third-party consultants like ABB, he noted, are often practical and pragmatic. “We utilize industry standards, such as IEC 62443, to establish a robust network architecture and foundational cybersecurity, which can be expanded upon with additional cybersecurity measures as needed.” In addition, third-party firms are typically aware of emerging technologies, therefore, they can guide customers through recommendations, he said. “More and more of our customers I talk to have actually done impressive things and are taking cybersecurity seriously, but I also fear that there’s a lot out there that could use a little bit of a boost.”
—Sonal Patel is a POWER senior associate editor (@sonalcpatel, @POWERmagazine).
Correction (Feb. 20): This article erroneously reported the 2020 SolarWinds attack exposed as many as 16,000 computer networks worldwide. SolarWinds’ updated estimates suggest fewer than 100 customers were hacked through SUNBURST.