There is an ongoing debate about whether the power grid can be hacked by malicious individuals seeking political, activist or financial gain. The question is asked by energy professionals, engineers, government institutions, cybersecurity professionals and even the media, which promotes a range of destructive images of grid hacking.
While the back-and-forth will most likely continue until a serious attack unfolds, individual utilities need to remain vigilant. It’s yet to be proven whether a cyber attack can trigger a widespread power outage, but there is no question that almost any single site can be brought down. Anything within the reach of the Internet can be hacked, including our modern grid infrastructure.
National and personal security
Electric power is essential to modern society. A variety of services, from traffic signals to water system pumps, hospitals, gasoline pumps and even lighting and refrigeration in grocery stores, are critically dependent on electricity. Some of these facilities have backup power capabilities, most often diesel generators, but such capabilities tend to be very limited and are only useful as long as the fuel lasts. In practice, when events such as flooding or weather cause long-lasting power outages in urban areas, those areas are deemed uninhabitable and are evacuated by local authorities.
The Department of Homeland Security (DHS) is aware of the risk that cyber hacking poses to critical grid infrastructure and to the reliability of the electric power service. This May, the DHS sent a memo to electric and nuclear sector CEOs regarding a recent string of cyber attacks that used basic tools to enable remote control of grid control systems. “In at least one case, the attackers successfully obtained all the information needed to access the industrial control systems environment,” the DHS noted.
Opening the door for hackers
Those outside of the security industry might ask, “Just how can the grid be hacked?” There isn’t much computer equipment within a power plant, much less directly attached to individual turbines and generators, and there are even fewer computers in substations. This is true. The threat comes from the networks that are built up around the power infrastructure.
Modern power utilities are deeply reliant on computer networks. The trend for the last 20 years has been toward increasing numbers and types of network connections between the computers that control equipment in the power grid, between that equipment and business systems in power utilities, and between those business systems and the Internet.
Even a decade ago, expert thinking followed the logic that “if I have a firewall and encryption, then I’m safe.” Today, this thinking is dangerously dated, but it is still the leading impression that all-too-many security professionals have about their networks. In today’s networked world, so-called “advanced” hackers routinely defeat firewalls, encryption and other conventional cyber defenses.
Such attackers compromise both business networks and control system networks almost at will; witness the well-documented Night Dragon and Shady RAT attacks. The techniques they use are well documented and widely understood; they are part of the curriculum in most intermediate cybersecurity classes.
Now, the sites in the North American power grid that are the most critical to the grid as a whole are required to be secured to North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards. Unfortunately, there is nothing in the currently active Version 3 standards that addresses this new norm for cyber attackers.
Utilities that trust NERC CIP provisions alone to secure their infrastructure are living with a false sense of security. While the details rarely make the news, security tests of fully CIP-compliant sites breach perimeter protections in hours (or in some cases, minutes) from the start of the attack.
How is this possible? Say an attacker, or security tester, does a bit of homework on the utility he is targeting, using social media to find a number of public figures in the utility — executives, representatives on standards bodies, marketing directors — and learns what they are working on and with whom.
The attacker then forges an email to a handful of these people, a forgery that appears to come from one of their correspondents outside the organization. The attacker attaches a piece of malware to the email, which is designed to persuade the target to open the attachment.
Malware and Trojan Horses are off-the-shelf products today; you can buy your own malware for as little as several thousand U.S. dollars. These attack tools are intelligent enough to avoid detection by anti-virus systems when used in low volumes, and they include a user interface with many features, such as a remote control system similar to widely used remote desktop and terminal server tools. The malware connects via the Internet back to the attacker’s computer, which now has remote control of a computer on the utility’s business network. Empirical tests of this tactic show that it is successful with 20 to 50 percent of target users, depending on the sophistication of those individuals.
The attacker’s next step would likely be to acquire administrative credentials by using the malware to bring up cryptic error messages on the compromised computer, then wait for a central helpdesk support person to log into the machine remotely with domain administrator credentials and fix the faked problem. The attacker can use a tool to harvest the “password hash” left behind when the administrator logs into the machine.
With a domain administrator password hash, the attacker can now log in to the domain controller and create accounts, giving himself complete access to all centrally administered computers in all NERC CIP critical networks in the utility. Ironically, it is the most integrated and the most centrally administered utilities that are seen as the most “advanced” in the industry, and it is precisely these utilities that are the most vulnerable to this class of attack.
Inherent security measures
Many other classes of attack are possible, as well. Too many security administrators still have the impression that firewalls let real-time data move between networks while protecting the critical systems, which are the source of the data. A more accurate statement is that firewalls expose parts of critical servers to external networks, such as business networks. The exposed servers can now receive requests for data from the business network.
“Polite” requests for data yield the requested data. “Impolite” requests for data, such as those containing buffer overflows, SQL injection attacks or other attacks, yield compromised CIP-critical servers. Every path through a firewall that lets you move data out of a reliability-critical network also lets attacks move into the network.
So what is the alternative? Disconnecting critical networks tends not to be a practical alternative any more, since utilities have become dependent on the cost savings and other benefits that come from access to real-time / critical-systems data.
The alternative to firewalls that is recognized by CIP Version 5 — and which is being deployed increasingly in the power grid — is Unidirectional Security Gateways. The principle behind unidirectional technology is simple: the gateway hardware allows data to flow in only one direction — out of the critical network.
The gateway software makes copies of critical servers on the business network and manages those replicas in real time. Business users then access the replica servers, rather than put the original servers in the critical network at risk. The replica servers keep data flowing and modern businesses working, while the gateway hardware prevents any network attack from reaching the protected network.
In a sense, deploying Unidirectional Security Gateways in this manner “exports” the critical servers to the business network, converting the security issue from a reliability and safety concern into a “normal” business matter.
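To make the replica model concrete, here is a small simulation added to this article (it is not the author's or Waterfall's code): a one-way link carries updates from a critical-network sender to a business-network replica that business users query. Because a one-way link can carry no acknowledgements, the sender cannot know when an update was lost; the sequence numbers and periodic full snapshots used here to detect and recover from loss are an assumed design, and the tag names and values are constructed sample data.

```python
# Toy model of one-way replication through a unidirectional gateway (added
# example, not the article's or Waterfall's code). Sequence numbers plus periodic
# snapshots are an assumed loss-recovery design, since no ack can ever flow back.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Message:
    seq: int
    kind: str              # "delta" or "snapshot"
    data: Dict[str, float]

class OneWayLink:
    """Gateway hardware: in on the critical side, out on the business side, nothing back."""
    def __init__(self) -> None:
        self._queue: List[Message] = []
    def emit(self, msg: Message) -> None:
        self._queue.append(msg)
    def drain(self) -> List[Message]:
        out, self._queue = self._queue, []
        return out

class CriticalSender:
    """Sender on the reliability-critical network (constructed sample tags)."""
    def __init__(self, link: OneWayLink, snapshot_every: int = 5) -> None:
        self.link, self.seq, self.snapshot_every = link, 0, snapshot_every
        self.tags: Dict[str, float] = {"bus1.kv": 230.0, "gen2.mw": 48.5}
    def update(self, tag: str, value: float) -> None:
        self.tags[tag] = value
        self.seq += 1
        # Every Nth message carries full state so a replica that missed a delta
        # can resynchronise without ever requesting a retransmit.
        kind = "snapshot" if self.seq % self.snapshot_every == 0 else "delta"
        data = dict(self.tags) if kind == "snapshot" else {tag: value}
        self.link.emit(Message(self.seq, kind, data))

class BusinessReplica:
    """Replica that business users query; it only ever consumes the stream."""
    def __init__(self) -> None:
        self.tags: Dict[str, float] = {}
        self.last_seq, self.in_sync = 0, False
    def apply(self, msgs: List[Message]) -> None:
        for m in msgs:
            if m.kind == "snapshot":
                self.tags, self.in_sync = dict(m.data), True
            elif self.in_sync and m.seq == self.last_seq + 1:
                self.tags.update(m.data)
            else:
                self.in_sync = False   # gap detected: wait for the next snapshot
            self.last_seq = m.seq
    def read(self, tag: str) -> Optional[float]:
        return self.tags.get(tag) if self.in_sync else None
```

Note that `BusinessReplica` has no handle on the critical side at all; a request from the business network has nowhere to go, which is the property the gateway hardware enforces.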
IT security professionals continue to use firewalls in business networks, but not because those professionals have any faith in the firewalls to keep systems secure. In the last half decade, IT experts have come to regard firewalls as providing little more security than account passwords.
“Everyone” knows how to break passwords with keystroke loggers, rainbow tables and social engineering, but using accounts without a password is just silly. Firewalls are fine for business networks and workstations, but it is hard to find a cybersecurity expert nowadays who truly trusts firewalls to keep attackers out of his critical networks. Control system security practitioners need to internalize this development in the same way that IT security practitioners have over the last half decade.
Given all these realities, why are there not more attacks that cripple power grid control systems? Some believe the low rate of attack is attributable to the lack of knowledge of these well-documented techniques among our adversaries. Others believe there is a fear of legal or other retribution, or perhaps no one has yet proven a model for monetizing this class of attack.
But it does not matter which of these analyses is correct. Look at them all — these are motives being debated. Should utilities be protecting their infrastructures against attackers’ motives? Or should we be defending against their capabilities? The time for debate is past. Going forward, utilities everywhere need to give serious consideration to improving protections for critical networks.
Author: Andrew Ginter is the vice president of industrial security at Waterfall Security Solutions, a provider of Unidirectional Security Gateways for industrial control networks and critical infrastructures. Ginter has 25 years of experience leading the development of control system software products, control system middleware products and industrial cybersecurity products.