“Security is a journey, not a destination.” – Marc Solomon, SecurityWeek.com
Supervisory Control and Data Acquisition (SCADA) systems are widely used in the power sector to monitor and remotely control high voltage transmission system operations. As the smart grid evolves, however, the convergence of operational technology (OT) and information technology (IT) will expand the functions and capabilities of these systems, and with them the risks. Convergence increases the likelihood of a security breach, whether through an external cyberattack or through malfeasance by someone with access to the operational technology itself. Concerted effort is required to ensure the security, reliability and resiliency of the United States power sector.
What is at stake?
SCADA systems communicate critical information to system operators in real time, and operators incorporate that information directly into operating decisions. The Northeast Blackout of 2003 illustrates how critical this information can be. On August 14, 2003 a power outage spread across the Northeastern and Midwestern United States and Ontario, Canada, and took days to fully resolve: 50 million people lost electricity, 600 trains were stranded, car accidents caused by inoperative traffic lights ensued, and people could not get gas or withdraw cash from automatic teller machines. The post-event diagnostic report identified a number of causes, including the failure of control-room alarm software to deliver information to operators in a timely manner, which left them acting on a stale picture of the grid. The Northeast Blackout illustrates the magnitude of potential consequences if SCADA systems are not secure. If sensors fail to deliver accurate or timely information, whether because of a maliciously implanted operational flaw or because a cyberattack modifies the data before it reaches the operator, widespread system failure can occur.
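The last point, that an operator acting on tampered, replayed or stale readings is as dangerous as one acting on none, is something a control-center receiver can check mechanically. The following is an added illustration written for this page, not code from the article, from any utility, or from any vendor's SCADA product. It assumes a hypothetical, deliberately simple text frame format (`seq|timestamp|tag=value|mac`) with a per-device shared key; real telemetry protocols differ, but the three checks (message authentication, freshness window, monotonic sequence) are the ones that matter.

```python
"""Authenticated, freshness-checked telemetry frames (added example).

Frame format is an assumption made for this illustration, not a real protocol:
    <seq>|<unix timestamp>|<tag>=<value>|<hex HMAC-SHA256 over the first three fields>
The receiver rejects a frame if (1) the MAC does not verify, (2) the reading is
older than MAX_AGE_S, or (3) its sequence number does not advance.
"""
import hashlib
import hmac

# Constructed per-device secret; in practice provisioned per RTU/sensor and
# protected on the device, which is the hard part of deploying this.
KEY = b"example-per-device-key-do-not-reuse"
MAX_AGE_S = 5.0  # freshness window; tune to the telemetry scan rate


def build_frame(seq: int, ts: float, tag: str, value: float, key: bytes = KEY) -> str:
    """Sensor side: serialise a reading and append a MAC over the whole body."""
    body = f"{seq}|{ts:.3f}|{tag}={value:.2f}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


class TelemetryValidator:
    """Operator side: accept only authentic, fresh, in-order readings."""

    def __init__(self, key: bytes = KEY, max_age_s: float = MAX_AGE_S):
        self.key = key
        self.max_age_s = max_age_s
        self.last_seq: dict[str, int] = {}  # highest sequence seen per tag

    def check(self, frame: str, now: float):
        """Return (status, tag, value); value is None unless status == 'accepted'."""
        try:
            body, mac = frame.rsplit("|", 1)
            seq_s, ts_s, kv = body.split("|")
        except ValueError:
            return ("malformed", None, None)

        # 1. Authenticity first, before trusting any parsed field.
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return ("bad_mac", None, None)

        seq, ts = int(seq_s), float(ts_s)
        tag, value_s = kv.split("=", 1)

        # 2. Freshness: a genuine but delayed reading must not drive decisions.
        if now - ts > self.max_age_s:
            return ("stale", tag, None)

        # 3. Ordering: a replayed frame has a valid MAC and may still be "fresh".
        if seq <= self.last_seq.get(tag, 0):
            return ("replay", tag, None)

        self.last_seq[tag] = seq
        return ("accepted", tag, float(value_s))


def demo():
    """Constructed scenario: one good reading, then three bad ones."""
    now = 1_700_000_000.0  # constructed receiver clock
    v = TelemetryValidator()
    results = []

    good = build_frame(1, now - 0.5, "BUS7.kV", 345.12)
    results.append(v.check(good, now)[0])

    # Attacker alters the voltage in transit but cannot recompute the MAC.
    tampered = good.replace("345.12", "145.12")
    results.append(v.check(tampered, now)[0])

    # Attacker replays the genuine frame to mask a later change.
    results.append(v.check(good, now)[0])

    # Genuine frame delayed 60 s (e.g. a congested or degraded link).
    stale = build_frame(2, now - 60.0, "BUS7.kV", 345.20)
    results.append(v.check(stale, now)[0])
    return results


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The point of the demonstration is that each failure mode needs its own check: the MAC catches modification, the timestamp catches delay, and the sequence number catches replay of a frame that is otherwise perfectly valid. What the code cannot supply is the key management and on-device key protection that make the MAC meaningful on a field device.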
How it can happen
A number of industry trends are increasing the risk of a SCADA system breach:
1) Convergence of OT and IT functionality
2) Industry evolution towards an Internet of Things
3) Increasingly global supply chain
4) Rise of cyber warfare backed by nation-states and hackers for hire
Although industry players today may believe that the risk of a SCADA system breach is relatively low, and that its impact would be limited because legacy systems remain predominantly analog, each of these trends raises the probability of a breach and they compound one another. The growing probability of a catastrophic failure deserves attention.
Where it already has happened
The risk of a SCADA attack is not theoretical. The 2015 attack in Ukraine is perhaps the most notorious. A coordinated attack against three distribution companies caused outages that left 225,000 customers without power. Spear phishing emails delivered BlackEnergy 3 malware, which gave the attackers access to the electricity companies' IT networks; from there they reached the ICS network and remotely operated the SCADA distribution management system. The threat actors also pushed customized malicious firmware to field devices, damaging them and preventing remote commands from being issued to substations, wiped devices that could have enabled automated recovery of the system, and conducted a telephone denial-of-service attack to prevent customers from contacting customer support.
SCADA attacks also have happened in the United States, on power utilities, water utilities and dam controls. A cyber espionage group linked to the Iranian government, tracked as APT33, has been observed targeting energy organizations in the United States. It is just a matter of time before the power sector is compromised, if it has not been already.
Who is in charge
A number of industry players and governmental agencies already are on alert and thinking through how to secure SCADA systems in the U.S. The Office of the Director of National Intelligence (ODNI) and Department of Homeland Security (DHS) have sponsored two public-private analytical partnerships to research risks to the electricity industry supply chain. The Department of Energy has initiated a voluntary industry effort to understand potential risks and mitigation approaches. States such as New York, Connecticut and Rhode Island have created and tasked agencies to focus specifically on cyber security. Cyber security issues have been on the agenda of the Federal Energy Regulatory Commission and the North American Electric Reliability Corp. for the past few years. SCADA and telemetry vendors such as GE and Schneider Electric have focused research and development on stronger security controls and on detecting breaches through large-scale data analytics.
Utilities continue to emphasize system reliability and resiliency, including continuous improvement of security measures. More is required.
Going forward, there needs to be a better understanding of the problem landscape. Once the scope of the potential problem is understood, resources must be prioritized and applied to create change, including establishment of industry standards and guidelines, better sharing of classified and unclassified information, and education, training and awareness. Science and innovation should be promoted around new ways to prevent a breach, to detect one in progress, and to mitigate its consequences. Industry tools and venues for testing IT/OT security, where attacks can be exercised safely against representative systems, should be developed. It is important to get to the destination of a secure grid; the journey has just begun.
(Special thanks to the DHS public-private analytical exchange program and various team members tasked with assessing supply chain risks of SCADA/Industrial Control Systems in the electricity sector.)
About the author: Tanya Bodell is the Executive Director of Energyzt, a global collaboration of energy experts who create value for investors in energy through actionable insights. Visit www.energyzt.com. She can be reached at: [email protected] or 617-416-0651.