The power and energy sector is one of the most critical areas of our country’s infrastructure, making it a prime target for cybercriminals increasingly looking for ways to infiltrate and disrupt the sector and ultimately the national grid. In fact, the U.S. Government Accountability Office (GAO) released a report in early 2021 that found the grid, and subsequently its distribution systems that carry electricity from transmission systems to end-users, to be growing targets for large-scale, strategic state-sponsored cyber war operations.
This heightened interest and motivation can be attributed to hackers looking for larger ransomware payouts as well as nation states who consider the sector key to crippling the U.S. economy. High-profile attacks like the Colonial Pipeline have given threat actors more motivation to go after critical infrastructure. These groups continue to mature and adopt sophisticated tactics, techniques, and procedures, while industry leaders look to safeguard their critical systems and essential services.
If recent history is any indication of what we can expect in 2022 and beyond, the power and energy sector must prepare for the worst and prioritize their industrial cybersecurity programs accordingly.
A History of Known Vulnerabilities & Attacks
More than a decade before the GAO’s report, a number of other U.S. agencies came forward to recognize vulnerabilities and threats facing the power and energy sector. The CIA revealed in 2008 that hackers were able to disrupt power supplies in four different cities, stating it typically didn’t make this information public but decided the benefits of sharing outweighed the risk so power equipment operators could protect their systems from the known threat. Shortly after, in 2009, the Dept. of Homeland Security (DHS) disclosed it had known about vulnerabilities in power grid computer systems for years.
These admissions spurred the North American Electric Reliability Corp (NERC) to begin implementing updated cybersecurity measures. NERC sought to increase a company’s accountability, including cybersecurity risk management practices such as asset management, training, perimeter and physical security, and incident response and recovery. It did this by requiring a designated manager with overall responsibility and annual reviews of risk-based assessments. Known as Version 2 of the Critical Infrastructure Protection (CIP) Reliability Standards, the updated measures removed terminology like “acceptance of risk” and “reasonable business judgement” resulting in more stringent control implementation requirements.
Despite the government’s efforts to warn organizations and NERC’s work to help ensure the security of the nation’s power system, the sector began to see a flurry of activity in the years following:
- In 2012, US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) shared that U.S. power plants began to see malware infections through USB drives.
- In 2013, DHS reported that the U.S. power grid was constantly being probed by Iranian threat actors.
- In 2014, officer members of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation, known as GRU, hacked the Georgia utility company, Westinghouse Electric Co. LLC, and stole user credentials and passwords related to nuclear reactor systems.
- In 2014, the Dept. of Energy (DOE) revealed that more than 1,100 cyberattacks against its components occurred, 159 of which were successful cyber intrusions between 2010-2014 exposing critical information about the U.S. power systems.
Each of these incidents were examples of classic cyber reconnaissance techniques, also known as Network Information Gathering. And even though NERC was implementing security measures, these cybersecurity reconnaissance efforts were still being pulled off. In these cases, threat actors were looking for ways to circumvent the industry’s cybersecurity practices.
Yet, despite the government alerting the industry, and many years of reconnaissance activities by threat actors to uncover vulnerabilities of the U.S. power grid, a few of the nation’s adversaries launched campaigns against U.S. power companies:
- The North Koreans launched a probing campaign, utilizing spear-phishing techniques on U.S. electric companies in 2017 by using fake emails to conduct the early stages of cyber reconnaissance.
- An Iranian hacker group targeted the operational technology (OT) environments within power companies in the U.S., Europe, East Asia, and the Middle East in 2017.
- A hacker group connected to Russian intelligence services conducted more reconnaissance against OT networks within U.S. and UK electric utility companies in 2017, prompting the DHS to report that they possessed the ability to cause blackouts.
Between known vulnerabilities that have been identified and the flurry of cyber incidents over the course of the last decade, it is clear that a cyber war is well underway, and threat actors are deeply embedded in the electric networks and OT that are responsible for power generation across the nation. This is the new reality.
The Powerful Lessons to Learn from History
Many organizations are already behind in the race to safeguard against an attack. Companies in the power and energy sector must learn from the past and adapt to state-sponsored cyber operations.
For those responsible for protecting critical infrastructure, gaining a better understanding of their OT environment, and accepting the reality that they are exposed a good first step. Well-funded threat actors are spending time and resources to learn how to disrupt power operations to make the biggest impact with a cyber-physical event. These OT environments are found throughout power plants and the grid. Any disruption to these systems could have far-reaching effects such as brownouts, blackouts, and even wide-scale service disruptions, which is why they are such attractive targets for criminals.
In order to adequately secure OT, organizations must handle and secure them differently than they would information technology (IT). OT monitors and controls how physical devices perform, while IT creates, processes, stores, retrieves and sends information. The two typically require the use of different languages and protocols.
What’s even more important to note is that the consequences of exploitation in these areas also differ. IT cyber incidents often have financial ramifications that can be attributed to data loss, business interruption, and reputational damage. OT incidents can have physical impacts such as death or injury, and property or environmental damage – in addition to the financial impacts.
These differences require organizations to engage an industrial cybersecurity expert with experience working in OT in power and energy.
A cybersecurity leader with expertise in industrial cyber security in the power and energy sector will adopt the following best practices:
- Conduct a comprehensive audit of all OT systems to determine unique vulnerabilities.
- Gain visibility into all OT environments and monitor associated networks and technologies for threats and cybersecurity intrusions.
- Implement boundary protection devices and logically isolate OT from other networks.
- Ensure that the operating systems, firewalls, and VPN applications are patched and up to date.
- Review user accounts and disable or delete dormant or unused accounts.
- Implement multi-factor authentication.
- Use strong, unique passwords.
Course Correcting in 2022 for Better Protection
They say that those who do not learn from history are doomed to repeat it. For industrial cybersecurity, they might simply be doomed. As industrial systems become more connected, more remotely operated, and more dependent on digitalization, they become much more exposed to cyber attacks. This can have devastating consequences on operations, safety, and the environment. If history has shown us anything, it is that cyber threat actors are quick to adapt. It also shows that companies are often slow to evolve. Recent attacks on critical infrastructure show both the vulnerabilities and impacts of industrial cyber attacks. Failure to put in the basic prevention, detection and response will have increasing consequences for companies, and society as a whole. Not learning from the past, and not preparing for the future risks putting power in the wrong hands.
—Dennis Hackney, PhD, is Head of Industrial Cybersecurity Services Development at ABS Group.