Months after the Mirai Virus and WannaCry cyber attacks, another series of massive ransomware attacks shook companies across the globe, including a state power company in Ukraine. The impact of the NotPetya virus was devastating, locking down multinational corporations and disrupting critical services to healthcare patients. Earlier this month, it was reported that hackers are targeting US nuclear facilities.
These series of cyber attacks are a wake-up call for operators of critical infrastructure to upgrade their industrial control system (ICS) security and protect their infrastructure from physical risks and cyber attacks. The US Department of Homeland Security has designated 16 critical infrastructure sectors, including the energy sector, electric utility grids, water systems, transportation and communications.
Prior to the most recent incidents, there were earlier cases of cyber attacks against power companies. In 2015, for example, Ukraine's power grids were hacked. The hackers took advantage of software vulnerabilities of equipment in power substations to penetrate and manipulate electrical transmission and distribution systems, leaving hundred thousands of consumers literally in the dark. Many speculated that these attacks were a worrying sign of terrorism.
Experts warned utility companies in the US that their power grids could be hacked, which threaten the economy and human safety. They also warned that recuperating from the impact of a power grid hack could be more challenging for America, ironically, because America's power grids are more advanced and automated.
But what should electric utilities do to protect their power grids from being hacked?
- Test the vulnerability of the power grid and assess cybersecurity readiness. According to the same report, the energy industry used to deny or underreport cases of hacking. Recently, many utilities and power grid equipment manufacturer are taking initiatives to combat electric grid hacks. GE, for one, has issued patches to fix a software bug that can compromise power grids. A power company, on the other hand, hired a group of hackers to test its existing security measures.
The US government is also taking steps to prevent power grid hacks. The Pentagon intends to spend $77 million on functionalities that can help detect and contain threats and restore civilian power and communication. The Department of Defense (DoD), on the other hand, is developing an automated system "that can help accelerate recovery from attacks against the power grid in less than a week."
Power companies should acknowledge that power grids are prone to hacks; assess the cybersecurity readiness of the business, organization, and technology; and implement a more effective approach to power grid security.
- Analyze the vulnerabilities and implement protections. How can hackers physically access buildings and power substations? What tools and strategies do they employ? What network and system vulnerabilities can they exploit?
Analyzing how hackers work can help you determine the vulnerabilities of power grid systems and how to fortify them. This video features how hackers compromised a power company in just days. These intruders demonstrate how they easily bypassed existing security. This also demonstrates the importance of training all employees including non-security staff (e.g., receptionists, supervisors, plant managers, clerks) about security.
Familiarize yourself with the tools and programs that hackers use such as plug bots, wire-dialers, port scans, and malware-containing apps. Doing so will enable you to determine which solutions can help safeguard your systems against malicious technologies.
- Comply with standards. Security standards can help you evaluate the strength and effectiveness of your power grid protection and security. For example, the North American Electric Reliability Corporation (NERC) sets rules on how power grids should be adequately protected - physically and electronically via a set of Critical Infrastructure Protection (CIP)
In 2016, NERC rolled out the NERC-CIP-5 (or CIP v5), which defines controls and pocess to defend against power grid cyber attacks. The new standard mandates companies to identify and document critical cyber assets (CCAs) associated with resources that support reliable bulk electric system (BES) operations, implement minimum security management controls to protect CCAs, and ensure security awareness and training.
NERC also proposed changes to Reliability Standard CIP-003 to modify the cybersecurity protections required for low-impact Bulk Electric System (BES) Cyber Systems, in response to FERC Order No. 882. BES systems include all facilities 100 kV or above that are necessary for reliable operation of a power grid. The new NERC CIP-003-7 Standard (i) clarifies electronic access control requirements, (ii) adds requirements related to the protection of transient electronic devices, and (iii) requires utility companies to document cybersecurity policies related to declaring and responding to CIP Exceptional Circumstances for low-impact BES Cyber Systems.
- Upgrade power grids with stronger cybersecurity controls.
Protecting power grids has become more challenging than ever due to advancements in technology. The Internet of Things (IoT), for one, opened many backdoors for penetrating power grid systems. According to Gartner, more than 25% of enterprise attacks will involve the IoT by 2020. Hackers also take advantage of more sophisticated tools that can easily overcome perimeter defenses.
Conventional perimeter-based security solutions such as firewalls and threat detection are not enough to prevent power grid hacks. Securing power generation, transmission, and distribution networks demands new technologies and frameworks that go beyond conventional security and enable intelligent edge devices (IEDs), remote terminal units (RTUs), PLCs, and gateway controllers to defend themselves. Investing in technology to prevent hacks rather than monitor them is critical. It is important to demand that power grid equipment manufacturers offer advanced security protections such as secure boot, multi-factor-authentication and encrypted data communications in equipment used in BES facilities.
Power grids are the lifeblood of virtually every industry sector and most aspects of daily life. Electric utilities should test the vulnerabilities of their power grids, study how hackers work, comply with standards, and protect power grids with comprehensive cybersecurity controls.
Talk with our security experts to learn more about how our cybersecurity solutions can help electric utilities to prevent power grid hacks. Mocana solutions help improve safety and reliability of power generation plants, fortifying programmable logic controllers (PLCs), fire and safety systems, and surveillance.