Light Dark
October 30, 2017 By Steve Dougherty
Michael Ash
4 min read
Energy & Utility
Risk Management

Power grids are a tantalizing target for sophisticated attackers. In the U.S., every major economic sector relies heavily on electricity. That dependence includes the military as well. Given the rising threat levels, it isn’t surprising that there are calls for the Department of Defense to ends its reliance on the power grid for key military installations.

The Potential Cost of a Power Grid Breach

The economic cost of a successful power grid breach in the U.S. could be monumental. A major insurance underwriter estimated that the potential economic impact of a hypothetical attack on the U.S. Eastern Interconnection, which serves nearly 100 million people, could reach $250 billion.

In addition, the attack and subsequent wide-scale blackout would result in a rise in death rates due to failures in health and safety systems. Whether or not such a large-scale attack is feasible is a subject of debate, as is the question of whether the attackers could be positively identified.

In 2015 and 2016, cybercriminals successfully attacked the Ukrainian power grid. In the first attack, cybercriminals stole an internal user’s credentials and wiped certain control systems clean at five major distribution points on the grid. Operators were forced to resort to 100 percent manual controls as they slowly restored power.

A year later, a second cyberattack targeted the transmission side of the grid, tripping a series of circuit breakers that resulted in an even wider blackout impact. Could this second attack have been a test to see just how far the attackers could go toward attacking a broader grid? The Ukrainian national critical infrastructures are preparing for a repeat.

Far-Reaching Impact

Last year threat actors hit the Board of Water and Light in Lansing, Michigan. While only the corporate network was affected and electrical power delivery was uninterrupted, the utility did shell out $25,000 in ransom to regain access to mission-critical email and accounting servers.

The U.S. power grid is extremely complex, comprised of some 3,300 different utility companies and 5.5 million miles of power distribution lines. There are three principal elements of the grid: power generation, power transmission and power distribution, any of which could become attack targets.

Many of the industrial control systems within this vast grid rely on legacy computers that were not necessarily designed with the kind of security needed in today’s threat environment. They are also very hard to upgrade for better security, so these systems cannot undertake security basics such as authenticating administrators and maintaining activity logs.

Included in this vast U.S. grid are hundreds of smaller electric producers and distributors, such as local municipal power companies and small co-ops. For attackers, these can represent soft targets because they typically lack the kinds of military-grade risk mitigation security needed today.

Related: At Risk: The Energy and Utilities Sector Infrastructure

Attacking just one of them would seem to have limited impact. However, the grid, by definition, is highly interconnected. If one or more of these soft targets were attacked, the grid would sense various supply imbalances that could potentially trip several circuit breakers to avoid damage to sensitive equipment. That is what happened in the second Ukrainian attack. This could set off a cascading effect and result in a broad-scale power outage. In fact, the previously mentioned hypothetical attack on the Eastern Interconnect could be triggered with an attack on just nine transformers.

How to Stop a Power Grid Breach in Its Tracks

The threats to the power grid are real. Below are six steps security professionals can implement to help thwart them.

1. Assign Unique User IDs

User behavior analytics can be very useful in ferreting out qualified users — or those who may have compromised their credentials — whose behavior may be suspicious, such as an engineer looking at credit card payment data, HR files or possibly rooting around control systems that have little do to with their job. To make this possible, utilities must first be using unique user IDs. While this is common in most other industries, it isn’t prevalent in electric utilities today for control systems.

2. Use a Password Manager

Follow the basics of good password hygiene. Consider using a comprehensive password manager that auto-generates lengthy passwords users don’t need to remember. The new NIST password guidelines specify that a longer password — say, 10 letters long — is stronger than an 8-digit, multicharacter password. These password managers also give administrators visibility into password practices without revealing users’ actual passwords.

3. Conduct Phishing Training

As part of ongoing employee education and training, conduct simulated phishing attacks. Also, encourage employees to report suspicious emails, phone calls and even suspicious visitors.

4. Consult a Security Testing Specialist

Consider using a trusted third party to assist in various aspects of security testing. They can be invaluable in helping you develop and maintain an integrated security strategy across several technology and business areas within the utilities industry.

5. Regularly Review Privileged Accounts

Constantly re-examine privileged user accounts. People often change jobs and functions within the energy and utilities industry, and their system access may need to change accordingly.

6. Develop an Incident Response Plan

Develop and implement — again, perhaps via a trusted third party — a comprehensive incident response plan so that a successful breach doesn’t catch you flat-footed.

Incentivizing Cybersecurity

Ultimately, something needs to be done to replace the aging legacy systems at many energy and utilities companies, a difficult task in a relatively low-margin business. The Department of Energy recently offered an award to developers who produce next-generation cybersecurity tools and technologies capable of protecting the energy sector from cyberthreats. These types of incentives could be just what the doctor ordered to address these growing cyber risks.

Read the X-Force Research Report: Energy and Utility Companies — Targeted on all sides

 |  |  |  |  |  |  |  |  | 
Steve Dougherty
Associate Partner, IBM
Michael Ash
Associate Partner, Security Strategy Risk & Compliance, IBM

More from Energy & Utility
May 15, 2023

Today’s biggest threats against the energy grid

2 min read - Without the U.S. energy grid, life as we know it simply grinds to a halt. Businesses can’t serve customers. Homes don’t have power. Traffic lights no longer work. We depend on the grid operating reliably each and every day for business and personal tasks. That makes it even more crucial to defend our energy grid from modern threats. Physical threats to the energy grid Since day one, the grid has been vulnerable from a physical perspective. Storms knocking the grid…

April 13, 2023

2022 industry threat recap: Energy

3 min read - In 2022, 10.7% of observed cyberattacks targeted the energy industry, according to the X-Force Threat Intelligence Index 2023. This puts energy in fourth place overall — the same as the year prior and behind manufacturing, finance and insurance and professional and business services. The report notes that this reduction in total cyberattacks may be partly tied to pushback from highly public breaches in 2021, such as the Colonial Pipeline attack. Despite the overall drop in threats, however, the industry remains…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature