In August 2013, Dr. Paul Stockton, former Assistant Secretary of Defense for Homeland Defense & Americas’ Security Affairs, sat on a panel that discussed the cybersecurity challenges facing the electric sector and some of the vulnerabilities in the U.S. electric grid. He stated that if a successful computer network attack were to bring down the grid for a significant period of time, critical lifeline infrastructure would fail. Failure of infrastructure such as hospitals, transportation, and food and pharmaceutical distribution could threaten public health and safety.
Given this backdrop, wouldn’t it be prudent to ask some very hard questions about the preparedness of our power generating industry, in order to protect the populace from such a failure? For example: how real is this scenario, and what is the trend? If it is real, what are the mitigation steps, and what is the sense of urgency?
From a cyber-attack perspective, this year has been a watershed year for the electric and critical infrastructure industry. After generally resisting the notion of vulnerabilities, citing traditional controls such as “air gaps” between the internet and power generation equipment and the heavy use of “proprietary SCADA IP protocols,” the industry has finally had to acknowledge the increased threats and risks to normal service delivery. This acknowledgement came from an onslaught of recent successful attacks and newly announced, plausible attack vectors such as the much reported “Energetic Bear” malware. So, what is going on? Is this a real concern, and either way, what are the takeaways?
To borrow a framework developed by Richard Clarke, a former Special Advisor on cybersecurity during the Bush administration, the origins of cyber-attack risk fall into four major categories, as follows:
Cybercrime: The notion that someone is going to attack you with the primary motive being financial gain from the endeavor.
Hacktivism: The motive of attacking someone based upon a difference in ideologies. The primary focus of these attacks is not financial but rather to persuade or dissuade certain actions or “voices.”
Espionage: A straightforward motive to gain information on another organization in pursuit of leverage (e.g. political, financial, capitalistic, market share, etc.).
War (Cyber): The notion of a nation-state or transnational threat trying to tear down the centers of power of an adversary via a cyber-attack. This could target non-military assets such as critical infrastructure or financial services, or more traditional targets such as the military industrial complex.
Given these motives, one can clearly see how an average small rural electric utility may find itself inundated with attacks from customers who are not in lock-step with service fee increases, from hacktivists who don’t condone its methods of power generation, and from foreign intelligence operatives who are attempting to find a weak link in our power grid infrastructure.
The task is clearly daunting and real. Threats such as Stuxnet, Night Dragon, Shamoon, Dragonfly and Energetic Bear have targeted critical infrastructure around the globe over the past few years and are harbingers of increased concern.
Although you can assemble a list of threats for nearly any industry today, it may seem unbalanced to single out the power generation industry. However, I believe that the power generation industry in particular needs to rise above the normal corporate culture of security controls and become obsessive about removing risks and compulsive about taking action. After all, these organizations may literally hold life and death decisions in their hands, which makes their actions rather profound and very unique.
In the end, I hope we can agree that the klaxon is sounding and actions need to be impactful to avoid catastrophes.