We can’t afford to live in a virtual world when it comes to cyber attacks on our electric grid–this pain would be real. A disruption of our critical infrastructure would be life threatening and could cripple our economy.
U.S. utilities know this and are working around the clock to ensure the safety of their networks and systems. Yes, the electric power system is vulnerable but with constant vigilance and sound cyber security policies we can protect the grid–we just have to be sure we are doing enough.
Cyber attacks increasing–and changing
Last year, the number of cyber attacks on utilities per day almost doubled, according to SecureWorks, a managed security services provider to more than 1,800 clients, including 100 utilities. From January through April 2007, the company blocked an average of 49 attackers per utility client per day, while from May through September of that year, it saw an average of 93 unique hackers attempting attacks on each of its utility clients per day.
In the same time frame, the number did not jump as significantly for other industries, said Wayne Haber, director of development at SecureWorks, and it wasn’t a temporary increase. Utilities must be very vigilant to be sure they’re protected, using technology and policy, he said, and they have to keep up with the latest trends in types of attacks, too.
“What’s different now is that a large number of these attacks are targeted at the user’s web browsers,” said Haber. “We used to see attacks on web servers. If the utility was running a web server to take bill payments, for instance, that’s where the attacks would be focused. What we’re seeing now is that the attacks are on the browsers of the work stations of the utility employee.”
It’s important to keep up with the latest patches and to employ content filtering to block inappropriate websites that could host malicious content. “But no one technology is perfect,” he said. “It’s important to employ a defense-in-depth strategy.”
Add intrusion prevention to the mix to block attacks as they are occurring, he suggested, and tell employees to only open links they are sure are safe. But sometimes the attacks won’t be on the technology. “Train your employees about the latest social engineering tactics that will try to get them to reveal information they shouldn’t,” said Haber. “We’ve seen some very targeted attacks on organizations. They use the help desk info and the organization’s logo to make an e-mail sound very legitimate. They’ve actually gotten passwords out of people by having them go to websites that are not the organization’s and type them in.”
Are utilities responding enough? Some are taking it very seriously and some are not, said Haber; it depends on whether they understand the risk and the repercussions. Like insurance, some people buy the appropriate amount and some continue with the risk.
It can be difficult to get the budget dollars but “sometimes it’s changing people’s attitudes toward security that’s the hardest thing to do,” said Haber.
Hackers just need one way in. With just one linkage, hackers can jump across networks. Sometimes miscommunication between groups in the company can create these holes, but with a special department or role, most often a chief security officer, these gaps can be minimized.
“An organization can have really good security without it being a huge amount of money, a huge amount of time or a huge change,” said Haber. “You don’t want to make an organization so secure that no one can do his or her job. It’s not all doom and gloom.”
The threat landscape
“What we are witnessing between vendors and hackers is an arms race,” said Ken Pappas, vice president of marketing and security strategy at Top Layer, a global provider of network intrusion prevention systems. Pappas travels the world addressing companies about the “threat landscape” of cyber security and what preventative measures they can take.
Pappas explained that hackers could “throw” false data at the control panels to disrupt operations or try to take control of some of the systems inside the power company. Once hackers get in the network, they could overpower the systems to a point of failure. They’ll also just hack into a company for financial gain. “They want to get the customer credit cards in the database,” said Pappas.
“Overseas, a couple of power grids were taken over by hackers–this was reported by the CIA,” said Pappas. “They did it for ransom money and then they gave control back. In this country, we are going to be faced with hackers from all over, from overseas or just next door to us. I think you’re going to see shutdowns here, but I’m a security guy so I always assume the worst.” In fact, Pappas said, there was a recent report that a U.S. power company hired security experts to penetrate its power system. Penetration took less than a day and the test was halted.
But Pappas is optimistic about preventative measures. Through education and training, “you don’t have to be a victim.”
Steps to take
“At the end of the day, every system is connected to the Internet,” said Pappas. “Every company should have a very strict security policy in place. You have to educate constantly so your employees don’t break it.”
Pappas outlined these policies for employees:
- Do not web-surf.
- Do not bring files from home.
- Don’t plug in thumb drives or CDs, not even music CDs, to your work computer.
- No personal e-mail at work.
Some companies even restrict personal cell phones at the office. Hackers, Pappas explained, have demonstrated how they can hack into an iPhone, take control through the Internet connection and use speaker mode to eavesdrop. Downloaded games could have trojans that can steal all the computer’s files. A bad Windows media file can wipe out all program files.
“Some of the threats coming into businesses today could be originating from mobile devices,” said Pappas. “Do you plug into a wireless network or do you e-mail with your Blackberry? Do your employees work from home on the same network as the rest of their family?”
Be creatively paranoid: Pappas said some hackers have dropped thumb drives in the parking lots of target companies. “It’s just a matter of time before some employee plugs it into his or her computer,” he said.
Companies of course should have firewalls and virus protection but now intrusion prevention on the network should be mandatory. According to Pappas, it’s the first security technology that takes proactive measures. “An intrusion prevention system checks all the traffic the other technologies such as firewalls think they have already checked,” he said. “It rejects all traffic until inspected. Firewalls don’t do that. IPS has a ‘trust no one’ mindset.”
“Companies need to think about the unthinkable,” said Pappas. “These things are possible and if they’re possible, they’re going to happen. I don’t believe there is any one single technology that is the holy grail of security. Companies have to take advantage of all different types of security, technology and measures, to protect their networks.”
The Federal Energy Regulatory Commission approved eight security standards in January to protect the bulk power system from cyber security breaches. The critical infrastructure protection standards, known as “CIPs,” begin by addressing critical cyber asset identification and work through to recovery plans for critical cyber assets. FERC has directed the North American Electric Reliability Corp. to oversee the program and to make modifications as needed. (The NERC website provides details of compliance dates, etc.)
Actually, the CIPs went into effect in June 2006. (See the July/August 2006 Electric Light & Power Industry Report, “Industry and Government Partnering for Cyber Security,” at www.elp.com.) Not exactly a stellar example of the kind of quick response one would expect to a threat to our critical infrastructure.
But at least it’s a start. Gary Woodward, director of product marketing and business development at Emerson Process Management, agreed. Emerson has been involved with the CIPs from the start. “It’s a good start,” said Woodward. “You can’t make this too burdensome initially. The time frame is multi-year and actually some of what the utilities are being asked to do are just good provisions of running a business.”
It’s a good idea to back up data to be sure it’s recoverable and to make sure important data is physically secure from other people, and that’s some of what the CIPs are asking for. “These are provisions of normal IT business infrastructure,” said Woodward.
“And that’s what’s been sorely lacking in control systems for a number of years,” said Eric Casteel, manager of SCADA and security business development at Emerson Process Management. “Most of the time, control systems weren’t attached to the corporate network or the outside so they didn’t have a pure need for security.”
Fifteen years ago, most of these systems were proprietary, and the idea of a virus or worms was non-existent. “But now everything is an open system. A control system is an IT system,” said Woodward.
The CIPs do give utilities something to benchmark against, although Casteel said many of his clients would like even more guidance. “That’s something that needs more clarification,” said Casteel. “How do I really become compliant? The utilities are going to be audited in the next two years and there’s not a real strong definition.” Casteel said he has been in some plants and facilities where the company has no idea what it needs to do from a security perspective to secure the control system infrastructure.
The IT/Control divide
“There has also been a polarization between people responsible for control systems and the IT folks in the business,” said Woodward. “They have been trying to bond for 15 years and I think this is going to bring them together.”
The key, explained Casteel, is to take the techniques the IT department has used to manage the corporate network and apply them to the control system environment, keeping in mind the important distinctions. Rebooting an e-mail server, for instance, is not like rebooting a distributed control system, where a power plant has to go off-line. Casteel used the security acronym “CIA” to explain the divergence in viewpoints. CIA stands for confidentiality, integrity and availability. From the IT perspective, that’s the order of precedence, but in a control system, it’s flipped around. Availability is first, integrity second, with confidentiality the least important. For the control people, reliability is key.
Woodward and Casteel said the utility should start by putting a security philosophy in place, then turn to suppliers for specific solutions. Executive leadership has to be committed, too, so the resources will be there.
Next, a risk assessment of the power assets has to be done. How critical is the particular asset to the business? What are the risks to the business of securing it or not securing it? But it’s also a risk to the grid.
“A power plant is tied into other computer systems and if it’s breached, from a security perspective, it could cause problems all across the board,” said Casteel, “the domino effect.” That’s the struggle between NERC and the utilities. “I’ll assume this risk” isn’t acceptable when it’s a risk to the grid, too.
The CIPs’ language allows a utility or power company to do a self-risk assessment and conclude “I don’t think I have any critical assets,” but Casteel said he expects FERC to make some more clarifications that will require every transmission, distribution and generating facility to have these standards in place. FERC is worried that one domino could take down the grid.
“Right now, one of the ways the grid is staying secure is by obsolescence,” said Woodward. “It has such old technology that in some cases it doesn’t have any cyber assets or IT-type technology. But as the grid gets smarter and more dynamic, it will have to be secure.”
Always behind the cyber criminals?
Will we ever be able to get one step ahead of the cyber criminals? “You never get completely ahead,” said Casteel. “There has to be ongoing vigilance. But probably more of what these companies are experiencing is from inside, not outside.” The threat comes, for instance, from disgruntled employees or just plain old human error.
Hackers have recently set their sights on control systems at power plants, when before no one had paid much attention to these protocols, many of which were proprietary. “These are standards that are in the control system industry and there was only a small group of people familiar with them,” said Casteel, “but now they are available out on the Internet. Hackers can now break in and exploit security shortcomings in those protocols to take devices off-line or create an interruption in the control system.”
How do you deal with the risk of telecommuting? Workers at home tap into a virtual private network (VPN), which creates a safe, secure environment, but if they put their laptops on the wireless network they could get infected with spyware from a website. If they then go on the VPN, the spyware could replicate and push itself down to the control system. Casteel said there is a new technology called network admission control to address that problem. “When you connect up, it won’t let you touch anything until it’s sure you have all the latest protection.”
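The posture gate Casteel describes can be illustrated with a small policy evaluator. This is an added example, not code from the article or from Emerson; the patch identifiers, signature-age limit and network zone names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed policy values (constructed for this example, not from any vendor).
MAX_SIGNATURE_AGE = timedelta(days=2)
REQUIRED_PATCHES = {"PATCH-PLACEHOLDER-1", "PATCH-PLACEHOLDER-2"}  # hypothetical ids

@dataclass
class Posture:
    """What the remote laptop reports about itself when it connects to the VPN."""
    host: str
    av_running: bool
    av_signature_date: date
    installed_patches: set
    host_firewall: bool

@dataclass
class Decision:
    zone: str                 # "quarantine", "corporate" or "control"
    reasons: list = field(default_factory=list)

def admit(p: Posture, today: date, control_role: bool) -> Decision:
    """Admission check: nothing is reachable until protection is current.

    A host that fails any check lands in a quarantine zone that can only
    reach remediation services; a clean host reaches the corporate zone, and
    only a clean host whose user has a control-system role gets the control
    zone (where the spyware-to-SCADA path the article warns about would run).
    """
    reasons = []
    if not p.av_running:
        reasons.append("antivirus not running")
    elif today - p.av_signature_date > MAX_SIGNATURE_AGE:
        reasons.append("antivirus signatures stale")
    missing = REQUIRED_PATCHES - p.installed_patches
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
    if not p.host_firewall:
        reasons.append("host firewall disabled")
    if reasons:
        return Decision("quarantine", reasons)
    return Decision("control" if control_role else "corporate")

if __name__ == "__main__":
    today = date(2008, 5, 1)  # constructed date
    stale = Posture("laptop-a", True, today - timedelta(days=10),
                    set(REQUIRED_PATCHES), True)
    print(admit(stale, today, control_role=True))  # quarantined: stale signatures
```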
Then there’s virtualization. Casteel explained that it’s something that is deeply rooted in IT: how to get more out of your resources. Instead of having 10 separate servers, for instance, a virtual server can be run on one platform. Malware can take the same approach and make attacks look like they’re coming from different directions with many different techniques. “This has been happening in the IT space for the past five years,” said Casteel, “and now it’s starting to make its way toward control systems because of the interconnection to corporate environments and people wanting to have remote access to be more effective on their job.”
Automation and standardization can help with the expense of meeting the CIPs and being secure. That’s important for utilities that are worried about having to hire additional people to manage the requirements of compliance.
“Technology will be there to solve all these problems in time,” said Woodward, “and it can move quickly if it needs to.”
Department of Homeland Security Sponsored International Cyber Security Workshop at Idaho National Laboratory
Top cyber security researchers and infrastructure protection specialists from five countries met in Idaho Falls in April to participate in an annual international cyber security training workshop. The four-day event was sponsored by the U.S. Department of Homeland Security’s National Cyber Security Division and the U.S. Department of Energy’s Idaho National Laboratory. This is the second year for the workshop.
Researchers from Australia, New Zealand, the U.K., Canada and the U.S. learned about new technologies and methods for enhancing the security of infrastructure network and process control systems, the computer-based devices that operate infrastructures such as the electric power grid, oil and gas refineries and telecommunication stations, among others.
The workshop featured several interactive cyber security training courses, technology discussions, and a simulated cyber exercise that tests participants’ knowledge and abilities to detect, deter and prevent an intrusion on a utility network.
Utilities, a Prime Target for Cyber Attacks
The CIA is hunting for international cyber terrorists.
In January, the CIA briefed 300 government and industry representatives from around the world about the risks of cyber attacks. During that briefing, the CIA discussed several incidents where cyber attackers broke into electric utilities overseas and demanded extortion payments. In one incident, the attackers turned off the lights across multiple cities.
The CIA is now involved in an international hunt for the skilled cyber terrorists behind this massive extortion plot. Our intelligence sources tell us that the utilities never paid the ransom. While the psychological, financial and economic impact of these attacks has not been assessed or publicly disclosed, the fact that at least three of these attacks were successful will weigh heavily on the minds of utility executives.
At the briefing, the CIA disclosed that the U.S. government believes some of the hackers had the benefit of inside knowledge to cause the outages. A recently published security briefing by Spy-Ops noted that more than 80 percent of security breaches are done by insiders or with the assistance of insiders. One of FERC’s new cyber security standards specifically addresses personnel risk assessments and includes employees, contractors or service providers in the personnel risk assessment requirements.
An intelligence expert from Intelomics who asked not to be identified said, “Over the past decade, a half dozen ‘three-letter’ agencies have studied the threat posed by insiders and all concluded this risk is significant and that few organizations are addressing it.” I contacted three software development consulting companies and none had what I would consider adequate on-boarding and off-boarding processes for employees, contractors or consultants. In addition, the vendor management processes focused on credit worthiness, contractual and purchasing issues, and not product assurance and security issues. When I asked a 16-year utility industry insider, he indicated no special process or procedures were in place for handling critical equipment vendors and inventory.
Critical infrastructure providers are a strategic target for cyber attacks and acts of terrorism. We have been lucky so far. Our adversaries have learned from these attacks and so should we.
Kevin G. Coleman is a senior fellow and security and technology advisor at the Technolytics Institute. Coleman, formerly chief strategist at Netscape and a 15-year veteran of the information technology industry, has recently published more than a dozen articles on cyber terrorism and cyber warfare and his work has been referenced in the U.S. Army’s “Cyber Operations and Cyber Terrorism Handbook.” Coleman has testified to Congress on Internet security, protection and privacy. Contact him at firstname.lastname@example.org. (To read the complete article, search for “CIA Hunting for Cyber Terrorists, extended” at www.elp.com.)