A smart grid is a liability if it isn’t secured properly against intruders. Here, we analyze how susceptible our energy infrastructure is to cyber attacks.
Concerns that the global energy infrastructure is becoming an increasingly tempting target for disruption and sabotage are on the rise. The International Atomic Energy Agency (IAEA) reiterated its concerns about attacks on nuclear systems this week, with director Yukiya Amano telling Reuters that there has been at least one successful disruptive attack on a nuclear power plant several years ago – though he did not name the plant, specify the extent of the attack, or disclose who carried it out (and why).
Although the risks are there in multiple countries, including the US, at present they appear to be limited by several circumstances, one of which is, of course, the unwillingness of such attackers to play their best hand up front just to “test” the waters by probing the targets for weaknesses. It is suspected that the Chinese and Russian governments have been making strides in gaining the capability to fully shut down any kind of power plant, including nuclear.
Still, trying (let alone succeeding) to cause a meltdown would be beyond the capabilities of most actors at present.
The first cycle of cyber security infrastructure for America’s nuclear power plants was implemented from 2009 to 2015, according to the Nuclear Regulatory Commission. The Commission says they have not been able to model a cyber attack that could actually compromise a reactor’s primary systems because these controls are isolated from all other areas in what is commonly known as the “air gap” issue. However, as a number of attacks (see the description of Stuxnet below) and research have shown, innovative attackers are quickly overcoming this challenge. Even primary systems can be vulnerable, though: In 2003, a computer worm compromised display data for an Ohio reactor, sheer bad luck on the plant’s part since this was not a targeted attack, but just malware jumping across computer systems until it hit a core one.
It is the secondary systems – which actually control power generation – that are the more vulnerable to disruption. But if shut down, “only” widespread blackouts would be the result, not a meltdown. Though this would still be extremely disruptive, resolving it would not be insurmountable.
As older control systems are replaced by more modern ones, even primary systems will increasingly go digital, improving efficiency and safety. This opens the industry up to different threats, but broadly speaking, such upgrades are sorely needed for utilities systems running on outdated and easily exploited technology.
How responding to cyber attacks is extremely different from typical disasters
Responding to power disruptions due to cyber attacks will require a substantially different approach from traditional disaster management techniques. For one thing, a hurricane is not a determined attacker with a list of targets and end goals. It does not reconnoiter the power grid in advance before storming through. Adding to the challenge, most power companies do not have the in-house resources to respond to attacks, due to the prohibitive costs of maintaining that capacity – hence the need for governments to get involved. But, as noted in a Trend Micro report for the Organization of American States on cyber security for critical infrastructure, private-state cooperation is not nearly as developed as it is with respect to traditional contingency planning for earthquakes or big storms.
Outright acts that lead to destruction of systems are rare, but are possible. In the 1980s, the US allegedly pioneered a secret campaign to disrupt the Soviet economy by enabling the sale of industrial control systems to the Soviet Union that were pre-programmed to malfunction. As the Soviets were illegally purchasing these systems, certain private companies cooperated with the US government to slip the flawed products into the supply stream, and then looked the other way as the goods made their way to the USSR. The result was that, “Contrived computer chips found their way into Soviet military equipment, flawed turbines were installed on a gas pipeline, and defective plans disrupted the output of chemical plants and a tractor factory.”
Many more tools now exist to carry out such operations than in the 1980s. And industrial control systems have advanced to the point where they automate many features previously performed by human operators. This has opened up new avenues of attack using cyber weapons, such as the Stuxnet and Nitro Zeus worms that target these systems. Stuxnet was first used against Iran’s nuclear program in 2010, destroying crucial enrichment technology by wreaking havoc on its Siemens-built controllers. In Ukraine last year, sophisticated malware deployed by as-yet unnamed parties literally flipped off the switches for a power company’s substations, plunging hundreds of thousands of people into darkness. Even Iran, often the victim of nation-state attacks on its energy infrastructure, has proven technically capable of retaliating in kind.
Other cyber attacks on energy infrastructure are less ambitious. Most assaults on infrastructure aim to trip enough wires that the power plant shuts itself down for safety reasons, nonetheless still depriving customers of electricity until the systems are rebooted. There is value in such limited goals because adversaries gain knowledge in seeing how their target responds. Intelligence operations have been documented to this end involving multiple nations.
Clash of work cultures
Looking to address these vulnerabilities in critical infrastructure, there has been a considerable growth spurt in the number of companies offering solutions. This past year, for example, the US government put out $34 million in grants to encourage further R&D into “smart grid” protection, and also invested money into training power companies’ workforces to be more ICT-savvy.
Israel, like the US, has strong experience in both the offensive and defensive realms of this field due to its experience developing attack programs for use against adversarial states. Claroty, the latest cyber startup to emerge from the Tel Aviv-based house over at Team8, emerged from stealth last month when they announced that they had raised $32 million in combined Series A and B round funding. Two other big names out of Israel in this space are CyberX and Indegy, both having raised rounds this summer and offering solutions for protecting industrial systems like power plants from attackers.
The late bloom in industrial security is due to the fact that the introduction of IT networks into the operational side of industrial sectors is relatively recent. These affect not only how the hardware (i.e., centrifuges or turbines) is controlled, but also how it is monitored. Part of the challenge that has been recognized in countering these threats is the lack of desire from the industry stalwarts who do not see the need for it, based on their experience of the old system where IT was not a real component.
What is also needed, as outlined by a nuclear safety report from Chatham House, is cyber security training for the new systems and openness about the problems faced in a secretive, highly competitive industry. This is starting to change, however, as the companies discussed above are offering them additional data, increased visibility across their network, and insight tools, providing value beyond protection.
Hackers can severely disrupt normal life and send whole industries scurrying about from the most unlikely perches. It is a question of when, not if, such attacks will become more widespread, but for now, hackers cannot remotely set off a second Chernobyl. “The good news,” McAfee notes, “is that adoption of security measures continues to grow. The bad news is that, unlike threats and vulnerabilities, adoption of new security measures is improving at a snail’s pace.”
Gabriel Avner contributed reporting.