By Tim Sanguinetti and Andrea Carcano, Contributors
What is the likelihood of a cyberattack on the U.S. electric grid this summer? This answer to this is complex as there are a number of aspects that factor into it. To evaluate this, we must consider the types of threat actors, the types of threats and the target – the U.S. electric grid.
The grid is comprised of power generation, transmission, distribution and consumers. Each will have a unique impact on the depth of a successful cyber incident. There is also the consideration of the size of the target and its location within the distributed model of the U.S. electric grid. An intentional incident against the U.S. electric grid would most likely be executed by a Nation-State actor as they have the time, resources, and motive to be successful.
The types of intentional incidents brought by Nation-States are specific, targeted and sophisticated. While attribution is rarely concrete and questionably necessary, some recent examples of malware purportedly attributed to nation-states include Stuxnet, Havex, and BlackEnergy. One other important intentional threat actor is the disgruntled employee. They may or may not be trained or sophisticated, but they are inside the organization and trusted. They may exfiltrate passwords, critical documents, embed logic bombs or otherwise undermine the process.
On the opposite spectrum are unintentional incidents most likely caused by personnel (employees or contractors). They may be over-worked or undertrained, which result in unintentional incidents possibly through an opportunistic malware such as crypto-lockers or simple human error.
The short answer is to the question in the title is that every sector of the U.S. electric grid should not worry about a major attack this summer. They should be prepared for one occurring any time. Will it happen this summer? That is something that no one can predict with 100% accuracy.
Prepare for a worst-case scenario
The best course of action for electric grid operators is to be prepared for a worst-case scenario at any time. They can do this by implementing cybersecurity programs with technical and administrative controls supported by management buy-in, periodic site-specific risk assessments, basic cyber hygiene, backup and disaster recovery plans, cyber incident remediation plans, change management, cyber incident insurance, and training for personnel (awareness and ICS-centric technical training). On the technical side, preparations include defense-in-depth architectures including ISA/IEC 62443, ICS aware firewalls, network monitoring and visibility, and patch management.
Electric grid operators likely already have some cybersecurity best practices in place. Best practices are a great baseline for utilities but that should not be where we end. Likewise, NERC CIP will never ‘protect’ the grid from successful attacks, but it will reduce existing risk while bringing practices and awareness to electric grid operators. But it cannot now or in the future make the grid ‘safe.’
That being said, perhaps the best place to get started is the ICS-CERT website. A section of the site is committed to bringing the current best practices together. These include practices from DHS and CPNI. Additional best practices can be found from NIST and ICS vendor websites. Best practices can provide general guidance and recommendations but should not be the starting place. Grid operators should begin a program by building an accurate spreadsheet of all their connected devices (IP and Serial).
From there, they should document accurate and complete physical and logical network maps. Next, they should complete the spreadsheet by filling out details: Software versions, firmware, ports and services, etc. Grid operators must work with their vendors to determine methods to secure your environment. Lastly, they should not be afraid to ask for help from the ICS Security community including the DHS CISA (ICS-CERT).
Learn from Lockheed Martin’s cyber kill chain
Lockheed Martin developed the Cyber Kill Chain to visualize and communicate the anatomy of a cyber incident. The Cyber Kill Chain has 5 steps including planning, preparation, intrusion, management and sustainment. In ICS, the Cyber Kill Chain typically needs to be repeated a second time to successfully mount an attack inside the ICS. One possible cyber incident against a power plant might look something like the following scenario:
- A threat actor performs reconnaissance on a potential target or market (multiple targets). Prior to choosing a target they may use a Waterhole attack in which they infiltrate a common industry website to collect unique information about a group of targets.
- Once the threat actor chooses a target, they will accumulate information from multiple sources including LinkedIn profiles, News releases and company job listings. The threat actor may then develop a unique spear phishing email aimed at particular personnel within the target.
- Assuming that uninformed personnel clicks on the phishing email, the threat actor exfiltrates user passwords to gain access to the target IT system. At this point the threat actor may spend time (as much as 6-8 months) in the IT system exfiltrating data from the target in order to understand the infrastructure the target has and possibly.
- Assuming the right information is collected, the threat actor group will develop a crafted attack for the environment. The threat actor laterally moves into the OT environment and deploys the exploit. Throughout the incident the threat actor must continue to ensure they maintain access to the target systems and cover their tracks.
Will the US political climate result in a more vulnerable grid?
The U.S. political climate is a multiplier to the likelihood of a cyber event against the US electric grid. Ever changing political agendas will always instigate Nation States or Ideological Militants to engage with cyber warfare with the U.S. As such, the critical infrastructure that supports our modern state of society will always be at risk of a cyber incident instigated by political event.
Regardless of the climate, energy and utility companies still need to make cybersecurity a #1 priority. Many have not and this will be at their own peril. At Nozomi Networks, we’ve seen grid operators place greater importance on cybersecurity with OT cybersecurity gaining traction and getting attention at the board level. Dedicated personnel and budgets are starting to appear, and metrics are starting to be developed. This is a highly positive development for the U.S. electric grid and one that we believe will continue over the next decade and beyond.
Tim Sanguinetti brings 13 years of experience in ICS cyber security and 19 years as a telecommunications architect to Nozomi Networks. He has led numerous cyber security initiatives including the design of industrial networks for hydroelectric plants. He is also a distinguished policy author on ICS governance, and champion for industrial standardization. As Product Owner for Nozomi Network, Tim guides the direction of our operational visibility and industrial cyber security solutions.
Tim holds numerous security certifications including Certified Information Systems Security Professional (CISSP), GIAC Cyber Security Essentials (GSEC), GIAC Global Industrial Cyber Security Professional (GICSP), GIAC Response and Industrial Defense (GRID), Cisco CCNA, CompTIA Project+, Network+ and A+.
Andrea Carcano is an expert and international leader in industrial network security, artificial intelligence and machine learning. He co-founded Nozomi Networks in 2013 with the goal of delivering a next generation cyber security and operational visibility solution for industrial control networks.
As Chief Product Officer Andrea defines the vision for Nozomi’s products and is the voice of the customer within the organization. In this role he draws on his real-world experience as a senior security engineer with Eni, a multinational oil and gas company, as well as his academic research.
With a passion for cyber security that began in high school, Andrea went on to study the unique challenges of securing industrial control systems. His Ph.D. in Computer Science from Università degli Studi dell’Insubria focused on developing software that detected intrusions to critical infrastructure control systems. His Masters in Computer Science from the same institution involved creating malware designed to take advantage of the lack of security in some SCADA protocols and analyzing the consequences.
Andrea has published a number of academic papers, including one describing an early example of malware targeting SCADA systems.