The U.S. utility industry no longer needs to wonder whether its smart grid systems are being hacked. The Department of Homeland Security has confirmed it.
That’s according to the latest alert monitor report from DHS’ Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, which covers incidents between January and April of this year (PDF). In that time, “a public utility was recently compromised when a sophisticated threat actor gained unauthorized access to its control system network,” the report states.
“ICS-CERT validated that the software used to administer the control system assets was accessible via internet-facing hosts” -- in other words, it was connected to a web-connected desktop PC, something that’s true of almost every smart grid-enabled control system today. The utility did have some “simple” password protections, but “the authentication method was susceptible to compromise via standard brute forcing techniques,” the report concludes.
“Brute forcing” refers to flooding a password portal with password attempts until the right one is found, something that internet-connected systems are supposed to manage via the lockouts that frustrate the forgetful among us, and other such measures. Beyond this one successful intrusion, ICS-CERT discovered that the utility’s “systems were likely exposed to numerous security threats, and previous intrusion activity was also identified."
ICS-CERT reported that another unprotected, internet-connected control system operating a “mechanical device” had been breached, in a way that opened its SCADA network to access and possible control. This utility had no firewall or password protections at all, though it’s likely getting them now.
In neither instance did the unknown intruders do anything with their access once it was gained, according to the report. Still, it’s a frightening reminder that cyberattacks on the grid aren’t just conjecture -- they’re a fact. Energy sector targets made up 53 percent of all industrial control security incidents that ICS-CERT reported between October 2012 and May 2013, up from 40 percent in the previous reporting period.
It’s rare for DHS to single out a particular utility for censure. But the report comes amidst a lot of pressure to strengthen cyberprotections for critical infrastructure, which covers major industries including utilities. Reports of a sniper attack on a California substation have pushed federal regulators to demand physical security measures for the grid as well.
As for the under-the-covers type of cyberintrusion detailed in this latest report, “I think in the power industry, stealing data is probably a secondary concern,” said Eric Byres, security expert for industrial and grid communications and IT vendor Belden, in a recent interview. “What matters to the power industry is availability, availability, availability -- mixed in with a lot of safety.”
Belden makes secure grid and industrial routers and firewalls, and is working with grid giants like Schneider Electric on implementing security across the internet-connected utility IT landscape. A typical utility could see hundreds of attempted intrusions per day, ranging from common phishing and malware to what’s known in the industry as advanced, persistent threats, or APTs, that represent a threat to core operations.
That could include well-known cases of industrial sabotage, likely backed by governments, such as the Stuxnet and Shamoon worms, which were targeted at Iranian uranium enrichment and Saudi oil facilities. Both of those worms came from thumb drives inserted into desktop PCs and thus introduced into the SCADA system. Or they could come from the internet, via brute-force hacking techniques, or in malware hidden inside emails and web pages.
Once the PCs used to run industrial control systems and SCADA systems are hacked, it’s short work to gain access to devices on those networks, according to independent cybersecurity reports. Project SHINE, a group of security experts who’ve been seeking out internet-connected SCADA devices since 2012, reported in October that it was finding 2,000 to 8,000 devices per day exposed to cyberintrusion, including systems from Emerson, Honeywell, Mitsubishi, Phillips, Rockwell, Schneider, and Siemens.
That’s a lot of grid switches, power turbine controllers, building HVAC systems and massive metals and mining machinery controllers to protect. Simply unplugging them all from the internet isn’t really an option, unless the industry is prepared to lose the connectivity it’s been building toward over the past decade.
That leaves utilities with the task of managing their security like a core business operation, identifying their weaknesses, and creating the “defense in depth” strategy required to keep up with the rising threat. “Security is absolutely a board-level risk discussion today,” Bynes said, compared to just a few years ago, with utilities like Alliant Energy and Pepco reordering their corporate structures to bring it to the forefront.
At the same time, it’s tricky to quantify the benefits of proper security, since “if you do your job well, nothing happens,” he said. As for the risks it’s aimed at managing, “I do believe that DHS has information that would make your hair stand on end -- but we don’t hear it.”