A report released by the National Academies of Sciences, Engineering and Medicine warned, based upon the interconnectedness of our information networks, that the country’s electricity system and associated infrastructure remains vulnerable to cyberattacks with a significant potential for widespread system outages, despite any agency or company’s best efforts. Further, the technologies driving Grid Modernization, coupled with continuously evolving regulations, make it both difficult and expensive to stay ahead of someone who is not playing by the rules. Hackers are usually ahead of the curve. They are on the cutting edge, exist outside legal frameworks, well organized and well-funded. The report concluded that the federal government needed to work with utilities and other stakeholders to fortify the nation’s power system.
While North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC-CIP) standards are today to some degree effective, so too are the tools and techniques which hackers use to control or scuttle the power grid. Security steps, such as educating workers on best practices for securing laptops, thumb drives, substations and control centers, will not be enough to guarantee the safety of our national grid. Consistent with our firsthand experience, the report calls for a comprehensive security strategy comprised of clear steps for protecting the grid. Security, as noted in the report, must be addressed as a safety issue and be dealt with on an ongoing basis.
In March 2018, the Department of Homeland Security and the FBI issued a joint alert stating that hackers, employed by the Russian government, have been targeting U.S. energy and other critical infrastructure sectors. Electric companies were informed that in 2017 Russia undertook a "multi-stage intrusion campaign" against U.S. utilities using such hacking techniques as malware and spear-phishing. It was reported that the hackers gained access to at least one power plant control system.
Analysts stated that these hackers were not just interested in looking around. They were planting tools in the system that would allow them to turn off the power. These same analysts warned utility organizations in the U.S. are not ready to defend against these types of cyberattacks. Fortunately, as far as the authors know there has not been a report on secondary penetrations or events.
Impact and What to Do
In 2017, the financial impact of cyberattacks reached $5 billion and the monthly attack rate was 10-times the rate of attacks in 2016. The industrial and personal reliance on the U.S. power grid makes the impact of a successful attack troubling. The risk in not addressing the need for fundamentally and strategically changing our cybersecurity strategies is compelling, yet activity remains tactical.
Governing bodies issuing rules and regulations are trying to address these cyber risks, but their current actions cannot keep pace with broadening threat vectors. Companies have limited security resources available, and even these find themselves in continual tactical response mode rather than strategizing ways to head off potential hackers.
Given the serious nature of this challenge, there are strategies and actions which utility organizations can take in order to reduce risks. But this is not a one-time fix. In the same way that “safety” is an ongoing and primary concern, “security” must also be managed with such seriousness. Security should be a system of flexible strategies and routine tasks that include every employee, supplier, process and technology. Security needs to be a truly holistic process where compliance is a result, not the driver. A culture of siloed compliance operations is untenable as a strategy for defending the power grid.
Utilities Must Take the Following Actions
- Integrate – Assimilate compliance concepts into your security program as strategic elements of your business.
- Prioritize – Manage both security and associated compliance activities using a risk perspective. Have the ability to flex, repurpose, reorganize and refocus based on changing priorities.
- Drive – Continuously employ tasks that provide a holistic status of interconnected activities required to meet compliance requirements and audits.
- Verify – Routinely simulate penetration attempts, and a successful attack, to assess the company’s response, this is then followed immediately with targeted improvements.
Utilities cannot rely solely on current compliance standards and assume they have therefore properly safeguarded the grid from attackers. Rather, flexible, adaptive cybersecurity strategies, combined with strict compliance adherence, are needed to shield the grid from attacks that can come in all formats, not just malware. Cybersecurity and compliance cannot be seen as just “IT issues.” Instead, there must be ownership by multiple company stakeholders and execution by ALL company employees and suppliers. The best methods for getting all these stakeholders engaged? Simplify programs, reduce the burdens on overworked staff through increasing connectivity, prioritize actions based on risk, and underscore the need for continued vigilance and action. In doing so, a utility’s security challenges can be properly managed to the point where risks are sufficiently mitigated.