The idea of the nation's power grids becoming the next battleground for cyber warriors could make hacking into consumers’ credit card accounts and personal information seem like child’s play.
While U.S. power companies are likely targeted by foreign governments and others in increasingly sophisticated breaches, actually shutting off the lights and causing chaos is far more complicated than many pundits make it seem.
Dan Scali, senior manager of industrial control systems at Mandiant, a cybersecurity consulting arm of FireEye (NASDAQ:FEYE), explained that while cyber criminals may gain access to power and utility data systems, it doesn’t necessarily mean the result will be a power outage and a total takedown of power grid control systems.
In other words, the power grid is controlled by more than just a panel of digital buttons.
“Losing the control system is bad from the perspective that it takes you out of your normal mode of operations of being able to control everything from one command center, but it doesn’t mean you’ve lost control or all the lights go out [in the city],” Scali explained.
While many of the systems have been modernized to include digitized control panels, if a hacker were to infiltrate the system, a utility worker could still have the ability to manually control the machines by flipping a switch, pushing a button, or tripping a breaker.
As the world saw with the recent attack in Ukraine, which caused a blackout for 80,000 customers of the nation’s western utility, the biggest problem may be ensuring the power grid’s control systems are not vulnerable to cyber break ins. The January attack in Ukraine was likely caused by a corrupted Microsoft Word attachment that allowed remote control over the computer, according to the U.S. Department of Homeland Security.
Scali said there was no evidence from the incident in Ukraine that the hacker’s malware was able to physically shut down the power.
"Attackers might be in position but waiting for the right time to strike.”
“It wiped out machines, deleted all the files. Kill disk malware made it impossible to remotely control things. It caused chaos on the business network, and the area where control system operations sat. But the attacker, we believe, would have had to actually used the control system to cause load shedding, which caused the power to go out, or trip breakers to cause the actual problem. Malware itself didn’t turn the power out,” Scali said.
He said what most likely happened in that incident was the hacker stole user credentials and logged into the system remotely.
The bottom line: Yes, a similar event could happen in the U.S. And corporate America is concerned. A recent survey released in January on the state of information security, conducted by consulting firm Pricewaterhouse Coopers, showed cybersecurity as one of the biggest concerns among the top brass at U.S. power and utilities firms.
Part of the problem, Brad Bauch, security and cyber sector leader at PwC said, is the interconnectedness of the industry’s tools.
“Utilities want to be able to get information out of [their] systems to more efficiently operate them, and also share that information with customers so they have more real-time information into their usage,” he explained.
While allowing access to their own consumption data allows the companies to give their customers more of what they want, it also opens up a host of access points for hackers, making the systems more vulnerable than they otherwise would be.
But to say that the power grid is susceptible to cyber hackers is a bit of an oversimplification.
Nation State Motivation
Perhaps the most interesting part of the story is not the power grid’s potential for cyber-attacks, but that hackers could already be inside the system, just waiting for the right moment to strike, according to Scali.
The most likely source of attacks on U.S. power and utilities companies would come from other nation-state actors. Scali said the sticking point is they’re likely not looking to cause a physical disruption because they realize it could result in retaliation.
“If you look at the situation in Ukraine, most of the attribution that’s going on is a linkage to the fact it’s likely the attackers are from a Russian nexus from Ukraine. Obviously, it’s in Russia’s interest to flex muscles and turn the lights out in Ukraine as part of operations and campaigns in the conflict over the territory there,” he said.
But when you turn the focus to potential attacks on the U.S., the question becomes: Who would want to turn out the power here?
Scali has seen vulnerabilities in corporate networks, computers and machines with malware, or devices communicating with China. He said while there may be pieces of the system that have been infected, it doesn’t necessarily mean they’ve been compromised.
“When we go in we see exposures and that industry systems are vulnerable, but no impact of attacks,” he said. "How do you reconcile that? First, nation states are waiting for the right time. You wouldn’t do it unless it fits into strategy or create problems in the midst of overall conflict...attackers might be in position but waiting for the right time to strike."
When it comes to locking down power and utilities systems, attempting to safeguard against potential outside threats, Rodney Joffe, cybersecurity expert and Neustar fellow, said it’s a challenge that everyone fails.
“Unless power is off and machines are shut down, it’s vulnerable,” he said. The secret, he said, is recognizing early on that a system is corrupted.
Joffe explained that often the motive for a nation state to attempt to hack another company is to steal proprietary information. In some cases, hackers could spend months and millions of dollars building systems based on stolen designs. However, what those cyber thieves don’t know is that those plans are actually fake versions of legitimate documents the company has put in place to look like real design plans or industrial processes. The hackers don’t know they’ve been had until they’ve invested time and money only to find they don’t work.
“It’s recognizing where you can be compromised, and what you can do about it,” he said.
Further, there’s also a need to not just identify that an attack has happened, but to understand why and by whom. He reiterated that just stopping an attack doesn’t always mean a company is safe. It’s imperative to know who it was and what they left behind.
Scali added that another difficulty for the industry is a longstanding mindset that has been: If it’s working, don’t touch it. That makes it easier for potential attackers to learn the systems and figure out the best way to break in.
Another prong to the muli-faceted solution is better prevention.
“You can install all the best practice security in the world, but if the attacker steals the username and password of a legitimate user and they login remotely using that, it’s game over,” Scali said.
Just like average computer users of Google’s (NASDAQ:GOOGL) Gmail have become accustomed to the use of two-step authentication, power and utilities companies should do the same. The prevention measure requires a user to enter a unique, one-time code sent to a second device like a cell phone or token, to access control panels and data systems.
“That second factor frustrates an attacker because they know they have to have your mobile phone or token or know that extra code in addition to the username and password. We see a lot of attacks that take advantage of credential theft, and for those, the key to prevention is two-factor authentication,” Scali said.