The Department of Energy released its multi-year plan for energy cybersecurity (PDF) this week, and it’s a timely document. The past year and a half has provided new evidence that Russian-sponsored hackers penetrated the IT networks of U.S. energy companies, and are seeking to worm their way into the operations technology systems that run power plants and other critical grid infrastructure. And, as the Russian-led hacks in Ukraine have shown, these methods are capable of taking down the grid.
These ever-growing and evolving threats require much better coordination, DOE warns. At present, electric utilities and grid operators have been playing whack-a-mole with hackers, discovering penetrations long after they’ve occurred and scrambling to seal the breaches they’ve made.
So far, these hacks seem to have caused relatively minor disruption or damage, at least as publicly acknowledged. But “anticipating and reacting to the latest cyber threat is a ceaseless endeavor that requires ever more resources and manpower,” the report finds. “This approach to cybersecurity is not efficient, effective [or] sustainable in light of escalating cyber threat capabilities.”
This means that utilities have to focus their limited cybersecurity investments and efforts on what DOE described as “disruptive changes in cyber risk management practices.” This term includes a host of available methods and technologies, ranging from workaday information sharing and best practices, to implementing “game-changing” cutting-edge technologies like quantum encryption, or grid devices that can sense, and refuse, commands that would destabilize the physics of the power grid.
Here’s a breakdown of DOE’s new plan.
Cyberthreats are much scarier today
"The frequency, scale, and sophistication of cyber threats have increased, and attacks have become easier to launch,” as more and more energy infrastructure has been connected with digital technologies, the report notes. “Nation-states, criminals, and terrorists regularly probe energy systems to actively exploit cyber vulnerabilities in order to compromise, disrupt, or destroy energy systems.”
And while utilities have long relied on their relative isolation from one another to contain the effects of a cyber-attack, “growing interdependence among the nation’s energy systems increases the risk that disruptions might cascade across organizational and geographic boundaries.”
The cyberattacks on Ukraine’s grid, which knocked out power for about 225,000 customers for several hours in December 2015, and caused an hour-long outage using more sophisticated techniques a year later, illustrates that “attackers have shifted their aim from exploitation to disruption and destruction,” the report noted. “Today, a cyber incident has the potential to disrupt energy services, damage highly specialized equipment, and threaten human health and safety.”
Utilities aren’t ready for what could be coming
DOE’s last big review of energy cybersecurity was the 2016 Roadmap Milestone Assessment, which engaged seven national laboratories and more than 45 industry representatives to assess progress made by both the public and private sectors over the decade.
This report “identified numerous areas where continued progress is most needed,” including improved incident reporting and information sharing, workforce training and education, addressing “supply chain risk” — finding cyberthreats embedded in software and hardware from multiple vendors — and “developing new tools to support continuity of operations during a cyber event,” that is, recovering from a worst-case cyberattack.
But utilities aren’t prepared to manage these threats yet, DOE’s report indicates. In a 2016 survey of 200 energy security professionals, Tripwire reported that more than 80 percent of respondents believed a cyberattack could cause physical damage to critical infrastructure. In a 2015 survey of 150 energy sector IT professionals, more than 75 percent reported an increase in successful cyberattacks in the previous 12 months, but fewer than 20 percent said they were confident that their organization could detect all cyberattacks, implying that many incidents go undetected.
Cybersecurity is as much about individual and organizational behavior as it is about technology
DOE’s five-year plan is organized into three goals: strengthen preparedness; coordinate response and recovery; and accelerate RD&D of resilient energy delivery systems. Of the three, the first two are organized primarily around methods, organizations and technologies already in place, but not yet in wide enough use.
This is a common refrain in the cybersecurity field, where unlocked doors, unattended laptops and unprotected passwords are so often hackers’ entree into utility IT systems, and failure to share real-time data on threats can allow pinprick penetrations to expand across networks. DOE’s checklist on these fronts includes “continuous improvement in existing processes,” while ensuring “cyber hygiene” and standards compliance.
Today’s cybersecurity practices need updates
DOE has some catching up to do itself. For example, the report says it’s planning to update its Cybersecurity Capability Maturity Model, published in early 2014 to “encourage private-sector adoption of best practices and to help energy companies prioritize their cybersecurity investments."
Michael Magrath, director of global regulations for VASCO Data Security, noted in an email that DOE could adopt new standards, such as the National Institute for Standards and Technology Digital Identity Guidelines, which apply “biometric adaptive authentication technologies to protect the nation’s energy sector."
DOE is also pledging to expand participation in its Cybersecurity Risk Information Sharing Program (CRISP) which now has 26 utilities, accounting for 75 percent of U.S. electricity customers, voluntarily sharing cyber threat data in near-real-time with U.S. intelligence agencies, and receiving machine-to-machine threat alerts and mitigation measures.
DOE is also beefing up CRISP’s analysis capabilities through its Cyber Analytics Tools and Techniques project, while its Cybersecurity for the OT Environment project is “adding distinct OT threat analysis capabilities and evaluating OT data analysis methodologies specifically for the industrial control systems operational environment.”
"Game-changing" cybersecurity technology is a DOE specialty
DOE has been a major backer of R&D into cybersecurity technologies, both through ongoing work at national labs and via big public-private funding like the 2013 Cyber Energy Delivery System program, which directed $210 million to "collaborative cybersecurity research and development projects among industry, universities, and national labs.” Some of these technologies are just in the early stages of development, while others are already in use, although not as broadly as DOE might like.
In the category of existing technologies, DOE highlighted several aimed at improving real-time visibility and data analytics across the digital grid environment. One such example was Vencore Labs, which uses passive sensors to monitor the radio frequency traffic of smart meter and grid device networks to detect anomalies and possible intrusions that the devices themselves might not notice. Vencore now has several major utilities using its technology, including Baltimore Gas & Electric, according to demonstrations the company was making at this year’s Distributech conference in February.
Several of these technologies were brought to commercialization through DOE’s national labs. NexDefense acquired the rights to Sophia, a tool developed at Idaho National Laboratory to passively monitor communications between control system components to detect anomalies and intruders. And Oak Ridge National Laboratory’s Hyperion tool, which examines how an executable file will operate without running the file to detect malicious code or unexpected functions from new software, was licensed to R&K Cyber Solutions in 2015.
Securing the OT side of the environment was another major focus. For example, Schweitzer Engineering Laboratories led DOE’s Watchdog and Software Defined Networking projects, which resulted in the energy industry’s first software-defined networking devices — essentially digital versions of analog control technologies that allow for far more advanced cybersecurity features. Schweitzer had already introduced an SDN flow controller (SEL-5056) and a substation-hardened SDN switch (SEL-2740S) to market, and last year launched an effort to expand the technology to broader control systems applications.
Swiss grid giant ABB is also working on OT cybersecurity, by embedding its equipment with the intelligence to deny any orders from control systems that would disrupt the electromechanical operations of the grid. This is a tricky task, considering that it has to be done in real time, while allowing all legitimate commands to pass through.
DOE’s Collaborative Defense of Transmission and Distribution Protection and Control Devices against Cyber Attacks project, launched in 2015, tested the technology at the transmission grid scale with the Bonneville Power Administration. A report on the results was published in March 2017 (PDF). Meanwhile, ABB is leading the next stage of research on the technology’s use in high-voltage direct current systems, where the physics are much different.
On the emerging research front, DOE’s report highlighted the following projects:
- Qubitekk is leading a research partnership that will help prevent cyber incidents by decreasing the cyber attack surface through quantum key distribution for the energy sector. QKD enables secure exchange of cryptographic keys to prevent compromise of critical energy sector data, and detects attempted eavesdropping in real time.
- Iowa State is leading a research partnership to develop algorithms that continuously and autonomously assess and reduce the cyberattack surface, helping prevent a cyberincident across the EDS architecture, spanning substations, the control center, and the SCADA network.
- The National Rural Electricity Cooperative Association is leading a research partnership to develop technology to rapidly identify anomalies in utility control communications that can serve as indicators of a cyber-compromise and support utility operators in expedited mitigation.
- Schweitzer Engineering Laboratories, Inc. is leading a research partnership to detect spoofing of the precise, synchronized GPS time signals that are typically used for synchrophasor data to provide unprecedented visibility of grid operations across wide geographic regions. The partnership will also develop potential mitigations, such as shifting to an alternative precise timing source.
- Texas A&M University Engineering Experiment Station will develop algorithms to detect the compromise of precise synchronized timing signals throughout the power grid architecture.
This is all going to cost a lot of money
DOE’s report attempts to quantify the costs of cyberattacks in its report. A 2015 study by the Ponemon Institute estimates the annualized cost of cyber crime for an average energy company to be more than $27 million, while estimates of control system security costs for the electric transmission and distribution equipment market range from $150 million to as much as $800 million. “Simply put, the cost of preventing and responding to cyber incidents in the energy sector is straining the ability of companies to adequately protect their critical cyber systems,” it notes.
But funding the DOE’s expansive cybersecurity plans may also be a challenge. The report notes that its plans will provide the “critical foundation” to the newly created DOE Office of Cybersecurity, Energy Security, and Emergency Response, for which the Trump administration has requested $96 million in the 2019 fiscal year. But cybersecurity industry executives responding to the report noted that the true cost of achieving its goals will be far higher.
"We welcome the DOE raising awareness around critical threats to the energy sector and laying out a strategy,” Ray DeMeo, COO of security firm Virsec wrote in a statement. But “while the strategy pillars are sound, making them actionable will be challenging — largely in view of the inertia behind legacy systems. It's critical that we invest with speed and agility, and the roadmap’s goal to accelerate game-changing RD&D of resilient systems stands out. The administration’s funding request for $96 million is hopefully just a down payment, because protecting our infrastructure adequately will cost billions."
