Posted by Sudeeptha Adgal on December 28, 2015
There are three main components of any energy network: generation, transmission, and distribution. The modern energy industry has come a long way since it was a simple web of electrical devices. The system, now called a ‘smart grid,’ involves a highly integrated network of hardware and software components performing high-end computing and decision-making activities with minimal human involvement. The addition of such complex components to the basic energy grid accounts for the ‘smartness’ of the smart grid.
As such networks grow, there’s an increasing need for software that can make the network more efficient and robust. With the rise in software usage comes an increased risk of cyber attacks on the smart grid. Such attacks can damage not only the energy industry’s reputation, but also the very basis of life in modern America.
When it comes to securing a smart grid, it is not only the security of the hardware and software components that is important. Accurate security configuration and integration measures play a huge role in determining the overall security posture of the network. In other words, a defense-in-depth methodology must be implemented in the smart grid to protect the whole network.
Loopholes and improper practices in current and legacy implementations have paved the way for cyber attackers from around the world to get their hands on smart grids. On average, a physical or cyber attack occurs on the U.S. power infrastructure once every four days, based on reports submitted to the U.S. Department of Energy (DoE) by utility companies on power reliability.
A statement made to USA Today by Scott White, Professor of Homeland Security and Security Management and Director of the Computing Security and Technology program at Drexel University, sums up the security situation within the energy industry well:
“The potential for an adversary to disrupt, shut down (power systems), or worse … is real here today.”
Professor White’s statement is all too true. Sadly, this potential has been ‘real’ for some time now. The lack of attention to cyber security is an issue that should have been addressed decades ago, and NATO has compiled a list of cyber attack incidents illustrating that it has been an issue for some time. It stems from the general misconception that cyber security matters far less in the energy industry than in other, more attractive targets such as the financial industry. This misconception leaves the energy sector a lucrative target for cyber criminals.
Attackers from around the globe have leveraged such misconceptions (and of course many other flaws in the smart grid energy network) to attempt hacks on information systems containing critical data about the nation’s power grid, nuclear weapons, and research in the U.S. According to USA Today, over 1,300 of these attack attempts were made between 2012 and 2014, with a success rate of over 10%. A reported 53 of these attacks were successful due to root compromise (resulting in the attacker having superuser privileges on the host), and 90 of these attacks were aimed at gaining access to research conducted by the Office of Science within the Department of Energy.
Such numbers are alarming, to say the least, for anyone interested in security.
One of these targeted attacks, which took place in 2013, provided unauthorized access to personally identifiable information (PII) of over 100,000 energy sector employees. The attack was attributed to a lack of awareness among officials responsible for managing sensitive information on 41 servers and 14 workstations that had been configured to use default or easily guessable passwords.
Although initiatives have been implemented over the years to prevent attacks such as this, the attention paid to the security aspects of the smart grid has proven insufficient and has many shortcomings. It will come as no surprise if events such as large-scale blackouts or nuclear data compromise occur in the near future. Cyber attackers have proven to be many steps ahead of the infrastructure systems.
Due to an increasing number of cyber threats to the energy sector, a cyber vulnerability assessment (CVA) is an annual requirement for electric utilities that must comply with the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan. Securing assets within the energy industry should be one of the top priorities for the U.S. government, pursued through the creation of prescribed security policies by which the energy industry must abide. In order to tackle such situations, we need minds that can think like cyber attackers.