The annual U.S. intelligence-community report published recently offered sobering conclusions for critical infrastructure.
Foreign powers now have "the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects" on facilities such as power grids and natural gas pipelines, according to the report, which predicts such disruptions could last from hours to weeks, depending on the target of the attack.
Yet there is a sliver of good news behind these mounting concerns. Experts say the bad news of the last several years is now driving progress that could be vital in mitigating, if not altogether evading, future risks.
"The energy industry has taken information about Dragonfly very seriously," said Symantec Technical Director of Security Response Vikram Thakur. "They are investing in security teams, are investing in creating redundancy for infrastructure, and are auditing the products and processes that they're using. They are taking huge strides in improving the security posture of their organizations."
Complex Topography, Complex Risks
The dangers presented by critical-infrastructure vulnerabilities have become increasingly clear in recent years. Most dramatically, successive hacking attacks on power systems in Ukraine led to blackouts in December 2015 and 2016.
The most serious attack in the United States to date was the Dragonfly group's apparent efforts to map U.S. utility systems in 2017, largely by attacking vulnerable supply-chain partners and working upstream to the better-protected utilities. The sophisticated group used malicious emails, watering holes, and customized malware to gain network credentials and install backdoors in target computers.
Responses within the U.S. power system have accelerated since that time, shaped – and considerably complicated – by the grid's patchwork nature.
Geographically, the system is split between the high-voltage bulk power transmission system, which carries power over long distances, and the local distribution systems that provide power to homes and businesses.
The bulk system is federally regulated, with strong cyber security compliance rules developed by the North American Electric Reliability Corporation (NERC), a standards-setting body. An expansion adopted in October last year deals with supply-chain security standards – a clear effort to deal with some of the problems exposed in the Dragonfly attacks.
By contrast, local power-distribution systems are regulated at the state level. While a set of best practices for state regulators does exist, each body has its own set of rules, leaving room for potentially broad and in some cases poorly understood vulnerabilities.
"It is very hard to say whether [local distribution systems] have the same level of compliance as in the bulk power system," said Manimaran Govindarasu, an Iowa State University professor who studies power-grid cyber security. "The best practices are there, but there are definitely spots that are not secured to the extent they could be secured. They are definitely vulnerable."
From Legacy Systems to Tomorrow's Tech
As regulators and operators seek to mitigate vulnerabilities, risk assessment is a key initial task.
This approach assumes that some attacks will inevitably succeed. On this basis, scarce resources are allocated to protecting the most vital components of the system. Within local grids, this has also meant expanding redundancies that enable unaffected stations to take up slack if others are knocked offline.
Information-sharing programs, for instance through the NERC-affiliated Electricity Information Sharing and Analysis Center (E-ISAC), play a key role in keeping utilities aware of current threats. NERC also runs periodic wargames-style cyber attack simulations.
Separately, best practices increasingly call for integrating supply-chain partners such as fuel suppliers and meter data processors into utilities’ risk assessments, and for including cyber security provisions in procurement language.
From a technological perspective, experts say a multi-layered approach is necessary.
IT resources ranging from employee laptops to energy-market software systems can often be shielded with conventional digital-security tools. For example, Symantec provided protection against much of the malware known to be used by the Dragonfly group.
The industrial control systems (ICS) that directly monitor and control utility operations are a more difficult proposition. The legacy hardware running such control systems often has little computational intelligence and is subject to conditions such as latency requirements that make ordinary IT-security software impractical.
Traditionally, such systems have been kept "air gapped," or physically cut off from networks, in order to keep them secure. However, the Stuxnet worm – which exploited propagation channels such as USB thumb drives to jump across such gaps – clearly exposed the flaws in such a defense.
Security companies today offer a variety of approaches to this problem, ranging from software that detects malware on USB devices to artificial-intelligence systems that compare current control-system sensor readings to past operating profiles, automatically triggering a response if anomalies are discovered.
Future systems, still in the test phases today, will reach even deeper to compare apparent sensor readings with the plausible underlying physics of the grid, offering another way to spot anomalies or manipulated sensor data.
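The two detection layers described above, sketched as an added example that is not from the article or from any vendor product: a comparison against a past operating profile, and a physical-plausibility check based on power balance at a substation bus. All readings, thresholds and names are constructed for illustration, and line losses are ignored.

```python
from statistics import mean, stdev

# Constructed sample data: load on one feeder (MW) at 14:00 on seven past days.
HISTORY_14H = [41.8, 42.5, 43.1, 42.0, 42.9, 43.4, 42.2]

def profile_check(reading_mw, history, z_limit=3.0):
    """Compare a reading with the past operating profile for the same hour."""
    z = (reading_mw - mean(history)) / stdev(history)
    return abs(z) > z_limit

def physics_check(bus_flows_mw, tolerance_mw=0.5):
    """Power balance at a substation bus: flows in (+) and out (-) must sum
    to roughly zero. Losses are ignored here (simplifying assumption)."""
    residual = round(sum(bus_flows_mw.values()), 2)
    return abs(residual) > tolerance_mw, residual

def assess(bus_flows_mw, feeder, history):
    """Run both layers and return the list of alerts raised."""
    alerts = []
    if profile_check(abs(bus_flows_mw[feeder]), history):
        alerts.append("profile: %s outside historical range" % feeder)
    violated, residual = physics_check(bus_flows_mw)
    if violated:
        alerts.append("physics: bus imbalance of %.1f MW" % residual)
    return alerts

# Constructed scenarios for one bus with an incoming line and two feeders.
NORMAL = {"line_in": 60.0, "feeder_a": -42.6, "feeder_b": -17.3}
# Feeder A really draws far more, and its sensor reports it honestly.
OVERLOAD = {"line_in": 72.3, "feeder_a": -55.0, "feeder_b": -17.3}
# Feeder A's reading is frozen at a normal-looking value while the incoming
# line shows the real extra load: plausible per sensor, impossible per bus.
SPOOFED = {"line_in": 75.2, "feeder_a": -42.6, "feeder_b": -17.3}

if __name__ == "__main__":
    for name, flows in [("normal", NORMAL), ("overload", OVERLOAD), ("spoofed", SPOOFED)]:
        print(name, assess(flows, "feeder_a", HISTORY_14H))
```

The spoofed case passes the profile comparison because the reported value looks ordinary, and is caught only by the balance check, which is the gap the physics-based layer is meant to close.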
Finally, the changing nature of power generation itself is complicating the problem further. As distributed renewable-resource generation systems multiply – sometimes even located at customer residences – new vulnerabilities are appearing.
For example, while an attack on a single solar panel might be of marginal danger, the successful hack of a manufacturer that pushes out automatic software updates could be vastly more damaging. Moreover, the sheer variety of new network-connected technologies, from smart meters to rooftop wind turbines, raises many of the unprotected-device dangers seen elsewhere with the internet of things (IoT).
"Owners may not have the same level of security as utilities do today," said Washington State University Assistant Professor Adam Hahn, who runs one of several university centers around the country that tests such technologies. "From a grid perspective, it's not really a significant risk yet. But in the future, it may be."