Cybersecurity attacks are on the rise, and no industry is immune. While all security risks are disconcerting, the threats to the US power grid are particularly worrisome. Given the broad scope of electricity networks, millions of people at billions of endpoints are affected by any nefarious activity.
Beyond the threat of cybercrime on IoT networks, the US has recently been experiencing unprecedented weather extremes. Rolling blackouts like those experienced in Texas and California are becoming more widespread as summer temperatures, rainfall, and cold snaps intensify across the country.
In a study by Siemens and Ponemon Institute, security professionals in the utility industry were surveyed about their perception of grid threats. More than half of the respondents reported operational data loss or at least one shutdown per annum. A quarter of those surveyed were impacted by mega attacks, and 64% report that sophisticated attacks are a priority challenge. To top it off, a third of attacks on operational technology go undetected.
Vulnerabilities in the Energy Sector
Technological advancements have made energy environments easier to run and manage, but this has come at a cost. IoT connectivity has increased vulnerabilities, making security a moving target. While the conceptual approach to cybersecurity has traditionally been focused on securing the perimeter, elements such as IoT and remote management have all but made the perimeter a moot point.
As recently as a decade ago, power grids were largely a physical concern. Security meant protecting the perimeter and physical devices, which was far easier to manage. IoT connectivity creates many variables through a larger and wider-reaching network which now includes power lines, substations, and home endpoints all accessible through an IoT framework. As smart meters rapidly come online across the nation, utilities are collecting more and more customer and usage data.
Targeting connected devices is an alluring prospect for cybercriminals. By finding and exploiting a single vulnerability, bad actors can penetrate vast networks for their own gain – whether they’re after the data, or using it as a pawn in hopes of collecting ransom.
In targeting industrial systems, criminals can disrupt supply chains, the manufacturing industry, emergency services, and even national defense. Manipulating or shutting down the power grid can impact not only the economy but the personal safety of those connected.
While IoT offers more opportunities for efficiency and streamlined maintenance, the threat of malware is clear. Cybercriminals often turn to malware to sabotage networks as it’s cheaper and easier to execute once a vulnerability is identified.
Malware attacks are particularly effective as they can be installed long before they are launched. Sophisticated malware attacks are also frighteningly scalable, allowing criminals to target multiple systems at once.
Malware isn’t the only concern, however. The energy sector is at risk of the same types of threats as any other business. Distributed denial-of-service (DDoS), ransomware, and trojan attacks are all particularly foreboding, potentially allowing attackers to seize control of management systems and valuable data.
Federal government agencies in the US have issued a formal warning that industrial control systems (ICS) are a target for state-backed hackers with malicious intent. Using a custom toolkit to scan and compromise devices, these criminals could gain control of devices connected to an IoT network.
Bear in mind that criminals targeting large-scale electricity networks are typically well-funded. These state-backed hackers have all of the finances and resources available to be effective, increasing the need for sophisticated security measures.
NERC CIP Standards
The North American Electric Reliability Corporation (NERC) was established in 1965 on the heels of a blackout that darkened much of the Northeastern US and Canada. In the pre-internet days, NERC was formed as a nonprofit entity tasked with overseeing energy producers across North America.
To streamline and ensure consistency across the entire energy industry, NERC developed the Critical Infrastructure Protection (CIP) standards. The bulk electric system must adhere to these standards in order to protect the electric grid. As such, NERC can impose fines for noncompliance.
Current CIP standards cover four key areas:
- Supply chain risk management
- Configuration change and vulnerability assessment
- Incident reporting
- Security perimeters
NERC CIP standards provide a useful guideline, and there are resources available to help prepare for an audit to ensure compliance. It should be noted, however, that as these standards apply to a broad industry, they are not individualized and attention should be given to individual security needs above and beyond the NERC CIP framework. Still, these standards are essential.
Key Aspects of Mitigating Risk
Implementing a security strategy often starts at the same point: discovery and assessment. You can’t protect what you don’t see, and understanding what you have installed, where, and how it’s functioning will provide a scope and a baseline to start from. Only then can you truly detect and address anomalies.
Operational analytics, driven by Artificial Intelligence (AI) automation, flag deviations from that baseline across your network. With a robust inventory, your threat mitigation systems can be set to run like clockwork, remaining vigilant and responding to alerts quickly.
Automated threat mitigation (ATM) systems are leading technologies for sophisticated network environments. They monitor and parse massive amounts of data and respond accordingly, making decisions on the fly. This approach serves to plug holes related to manual processes and the potential for user error when addressing security.
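To make the discovery-and-baseline idea concrete, here is an added example (not code from the original article or from ITEGRITI) of the simplest form of operational analytics: comparing a recorded asset inventory against a later discovery snapshot and flagging drift. The baseline, the snapshot, the asset naming scheme (`sub-rtu-01`, `meter-0001`) and the severity ratings are all constructed assumptions; in practice the snapshot would come from a passive OT/IoT discovery tool.

```python
"""Asset-inventory drift detection: an added example, not from the original article.

Baseline and observed data below are constructed sample data; the asset naming
scheme and severity ratings are assumptions for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str        # assumed naming scheme, e.g. "sub-rtu-01"
    ip: str
    kind: str            # e.g. "rtu", "hmi", "smart-meter"
    firmware: str
    services: frozenset  # open TCP ports seen on the device during discovery


# Constructed baseline recorded during the discovery/assessment phase.
BASELINE = {
    "sub-rtu-01": Asset("sub-rtu-01", "10.20.1.10", "rtu", "3.2.1", frozenset({502})),
    "sub-hmi-01": Asset("sub-hmi-01", "10.20.1.20", "hmi", "7.0.4", frozenset({443, 3389})),
    "meter-0001": Asset("meter-0001", "10.30.5.1", "smart-meter", "1.9.0", frozenset({4059})),
}

# Constructed later snapshot of the same segment. Each deviation is deliberate:
# a service appeared on the RTU, the HMI firmware changed, an uninventoried
# host showed up, and the meter is no longer seen.
OBSERVED = {
    "sub-rtu-01": Asset("sub-rtu-01", "10.20.1.10", "rtu", "3.2.1", frozenset({502, 23})),
    "sub-hmi-01": Asset("sub-hmi-01", "10.20.1.20", "hmi", "7.1.0", frozenset({443, 3389})),
    "unknown-01": Asset("unknown-01", "10.20.1.77", "unknown", "?", frozenset({80})),
}

# Assumed severity ratings; a real program would tie these to its risk register.
SEVERITY = {
    "unknown_device": "high",
    "new_service": "high",
    "firmware_change": "medium",
    "missing_device": "medium",
}


def diff_inventory(baseline, observed):
    """Return a list of findings describing how `observed` deviates from `baseline`."""
    findings = []
    for aid, asset in observed.items():
        base = baseline.get(aid)
        if base is None:
            findings.append({"asset": aid, "type": "unknown_device",
                             "detail": f"{asset.ip} not in baseline"})
            continue
        if asset.firmware != base.firmware:
            findings.append({"asset": aid, "type": "firmware_change",
                             "detail": f"{base.firmware} -> {asset.firmware}"})
        for port in sorted(asset.services - base.services):
            findings.append({"asset": aid, "type": "new_service",
                             "detail": f"tcp/{port} newly exposed"})
    for aid in baseline.keys() - observed.keys():
        findings.append({"asset": aid, "type": "missing_device",
                         "detail": f"{baseline[aid].ip} not seen in snapshot"})
    for f in findings:
        f["severity"] = SEVERITY[f["type"]]
    return findings


def triage(findings):
    """Order findings so the highest-severity deviations are handled first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f["severity"]], f["asset"]))


if __name__ == "__main__":
    for f in triage(diff_inventory(BASELINE, OBSERVED)):
        print(f"[{f['severity']:6}] {f['asset']:11} {f['type']:16} {f['detail']}")
```

Running the same comparison against an unchanged snapshot yields no findings, which is the property a baseline gives you: every alert corresponds to a specific deviation that can be reviewed, accepted into a new baseline, or escalated to the response process.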
Organizations often name a lack of staff or expertise as a primary challenge to achieving a high level of security. The energy sector is no different. With a noticeable lack of qualified and available cybersecurity experts in the employment market, it’s not as easy as filling more roles to solve security issues.
Thankfully, it’s not an all-or-nothing situation. ITEGRITI supports US energy organizations with cybersecurity and compliance advisory. Drawing from our wealth of experience and modern-day expertise, we help organizations stay ahead of cybercriminals. Our virtual support models include vCISO, vCompliance, and workforce support.