Attacks on control systems for critical infrastructure have risen by more than 250% over the past four years in the US, as web-linked communication systems have proliferated and nation-states seeking geopolitical and economic supremacy have added to the incidence of amateur hacking. Of all the critical infrastructures targeted, power grids have become the ripest target because most or all sectors of the economy depend on them: cyber attacks on power grids can be exponentially effective by crippling vast swaths of the industrial and commercial sectors. Furthermore, the absence of power paralyzes many national security systems, making physical terrorist attacks much more effective and more likely.
The Crippling Costs and Risks of Cyber Attack in Power Generation, Transmission, and Distribution
The US power grid has recently suffered three major cyber attacks. In 2012 and 2013, Russian hackers were able to successfully send and receive encrypted commands to U.S. power generators. In 2015, unauthorized hackers injected malicious software into grid operations that allowed spying on U.S. energy companies. Also in 2015, US law enforcement officials reported a series of cyber attacks attempted by ISIS against the U.S. power grid.
The costs of these cyber attacks are massive. A cyber attack targeted at 50-100 generators that supply power to 15 states in the Northeastern United States, including Washington D.C., would leave almost 93 million people without electricity and cause $62 billion to $228 billion in economic losses in the first year. Damage to turbine-generating power plants and metering systems would cost $1 billion to $2 billion. Loss of electricity revenue would cost the utilities $1 billion to $4 billion. And loss of revenue to the utilities' electricity-consuming customers would cost $60 billion to $222 billion. If recovery takes longer than a year, these costs would multiply. This damage assessment is according to a study by the Centre for Risk Studies at the University of Cambridge.
The U.S. power system is more vulnerable than most. It was never designed for network security. Moreover, since U.S. power plants are now connected to the internet as part of setting up advanced grid and metering infrastructure, a wide range of new attack points are now available to attackers. Finally, the US electrical grid is also a decentralized network owned by numerous local operators, and security standards vary from utility to utility. More permanent damage, such as that inflicted by the Stuxnet malware on Iran's nuclear program, cannot be ignored.
Attacks are taking place in other countries, too. On December 23, 2015, three Ukrainian electricity distribution companies suffered power outages due to a massive cyber attack. The attackers used BlackEnergy and KillDisk malware to disable both control and non-control system computers. The attackers simultaneously flooded the utility call centers with automated telephone calls, impairing the utilities' ability to receive outage reports from customers and slowing the response effort. Altogether 30 substations were disconnected for more than three hours, causing approximately 225,000 customers to lose power across various areas. BlackEnergy malware had first appeared in the Russian underground for use in distributed denial-of-service attacks. An evolved version of it, BlackEnergy3, is a distinctive tool and has only been used for cyber espionage.
Areas of Particular Vulnerability
All three segments of the power sector supply chain are vulnerable to cyber attacks:
- Generation: SCADA systems in power plants are vulnerable through hardcoded passwords, weak authentication solutions, firmware vulnerabilities and ladder logic. Malware such as Stuxnet can be used to exploit these vulnerabilities to execute well-targeted cyber attacks on the computerized control systems. Some of this sophisticated malware can hide its presence until well after the damage is done.
- Transmission: Transmission systems have been the most targeted sub-system in the power system value chain. The relays on the transmission sub-system are time sensitive, and delays of even a few milliseconds can negatively impact the performance of power transmission. The common cyber attacks in this area include Distributed Denial of Service (DDoS), which can cause the network and communication channels to send delayed responses and cause the malfunction of the Smart Grids.
- Distribution: Smart meters, which are increasingly common in network infrastructure, connect to the central control or Network Operating Centre (NOC) room of the utility to transmit and receive data. Poor security implementations in the smart meters could make it possible for an unauthorized third party to intrude into the NOC. The consequence can be disastrous if the meter has the "switch off" capability. Given the scale of utilities, which for large utilities could run into millions of smart meters, security vulnerabilities in this area can lead to widespread damage.
The four types of attack most to be anticipated are:
1) Intrusion into the intelligent electronic devices through false data injection, making SCADA send wrong information to the control systems. This can take place at the site of power generation.
2) Attacking power system control centers (PSCC), typically via a DoS (denial of service) attack, which causes de-synchronization and delays the PSCC's ability to take optimization decisions. Power generation and transmission are most prone to these DoS-type attacks.
3) Crippling the electronic AC transmission system which controls the power transmission capability of the network. Both transmission and distribution networks are exposed to this type of risk.
4) Use of malware to steal power network data at the generation, transmission, or distribution points, where data on peak loads, voltage variations etc. is continuously being stored.
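As an added illustration (not part of the original article) of a defender-side check against the false data injection and replay scenarios described above, the following Python script authenticates each telemetry sample from a hypothetical feeder device with an HMAC and then screens authenticated samples against physical plausibility limits. The device name, key, voltage limits and sample stream are all constructed for the example; a real deployment would provision per-device keys and take the limits from the feeder's engineering data.

```python
import hmac
import hashlib
import json
from typing import List, Optional, Set

# Constructed (hypothetical) shared key between one field device and the SCADA master.
# In production this is provisioned per device and never hard-coded in source.
DEVICE_KEY = b"example-device-key-not-for-production"

# Assumed plausibility limits for a hypothetical 13.8 kV feeder.
VOLTAGE_KV_RANGE = (12.4, 15.2)   # roughly +/-10% of nominal
MAX_KV_STEP_PER_SAMPLE = 0.7      # largest credible change between consecutive samples


def sign(payload: dict) -> str:
    """HMAC-SHA256 over the canonical JSON encoding of a measurement."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(DEVICE_KEY, body, hashlib.sha256).hexdigest()


def check_measurement(msg: dict, previous_kv: Optional[float], seen_seq: Set[int]) -> List[str]:
    """Return a list of findings for one sample; an empty list means it is accepted."""
    findings = []
    payload = {k: v for k, v in msg.items() if k != "mac"}
    # Stage 1: is the message really from the enrolled device and unaltered?
    if not hmac.compare_digest(sign(payload), msg.get("mac", "")):
        findings.append("bad MAC: message not from the enrolled device or altered in transit")
        return findings  # nothing else in an unauthenticated message is trustworthy
    # Stage 2: replayed old samples carry a valid MAC, so check the sequence number.
    if msg["seq"] in seen_seq:
        findings.append("replayed sequence number")
    # Stage 3: a compromised device can sign nonsense, so apply physical plausibility.
    lo, hi = VOLTAGE_KV_RANGE
    if not lo <= msg["kv"] <= hi:
        findings.append(f"voltage {msg['kv']} kV outside plausible range {lo}-{hi}")
    if previous_kv is not None and abs(msg["kv"] - previous_kv) > MAX_KV_STEP_PER_SAMPLE:
        findings.append("voltage step larger than physically credible between samples")
    return findings


def screen_stream(messages) -> List[List[str]]:
    """Run every message through the checks in order; state only advances on accepted samples."""
    results = []
    previous_kv = None
    seen: Set[int] = set()
    for msg in messages:
        findings = check_measurement(msg, previous_kv, seen)
        results.append(findings)
        if not findings:
            seen.add(msg["seq"])
            previous_kv = msg["kv"]
    return results


def _signed(seq: int, kv: float) -> dict:
    """Build a correctly signed sample, as the genuine device would."""
    m = {"device": "feeder-07", "seq": seq, "kv": kv}
    m["mac"] = sign(m)
    return m


# Constructed sample stream: two good samples, a forged one, an implausible signed one,
# a replay of sample 2, and a final good sample.
SAMPLE_STREAM = [
    _signed(1, 13.8),
    _signed(2, 13.9),
    {"device": "feeder-07", "seq": 3, "kv": 13.8, "mac": "00" * 32},  # forged, no valid MAC
    _signed(4, 19.5),   # authenticated but physically implausible
    _signed(2, 13.9),   # replay of an earlier, valid sample
    _signed(5, 13.7),
]

if __name__ == "__main__":
    for msg, findings in zip(SAMPLE_STREAM, screen_stream(SAMPLE_STREAM)):
        print(msg["seq"], "ACCEPT" if not findings else "; ".join(findings))
```

The three stages are deliberately ordered: message authentication stops spoofed or altered samples, the sequence check stops replays of genuine samples, and the plausibility stage is what catches the case the text describes, a device that is itself compromised and signs false readings. Only the last stage depends on engineering knowledge of the circuit, which is why its limits should come from the utility's own data rather than from the device.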
Supply Chain and Procurement: The Weakest Link
The infrastructure supply chain is particularly vulnerable. Malicious components enter the supply chain nearly two years before an attack occurs, according to the Cambridge study. Even a slight oversight in procurement could bring the whole system down. Cyber attacks on the supply chain can occur when hardware and software have been counterfeited, tainted, or compromised, resulting in components failing to function as designed. Components fitted with rogue malware can enter the supply chain and eventually the utility, compromising its security mechanisms.
For example, malicious code, kill-switches or backdoors could be inserted into software, compromising security and enabling attackers to steal data or disable the system. Maintenance and repair activities (software upgrades or equipment servicing), whether done onsite or remotely, could also allow hackers to corrupt or compromise systems. These compromised components could enter the supply chain from secondary suppliers or contractors, which are less visible to the utility operators.
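As an added example (not part of the original article) of the check a utility can apply before any software upgrade or replacement component from a supplier is installed, the following Python script verifies an update bundle against a vendor manifest: the manifest is authenticated with a key obtained out of band, every listed file must match its SHA-256, and any file not listed in the manifest is flagged. The product name, key, file contents and tampered bundle are all constructed for the example; real vendors would sign the manifest with an asymmetric key, and HMAC is used here only to stay within the standard library.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Assumed: a verification key received from the vendor out of band (e.g. with the contract),
# never shipped inside the update itself. Constructed value for this example.
MANIFEST_KEY = b"out-of-band-vendor-key-example"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_mac(manifest: dict) -> str:
    """Authenticate the canonical JSON form of the manifest under the out-of-band key."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()


def verify_update(bundle: Dict[str, bytes], manifest: dict, mac: str) -> List[str]:
    """Return findings for an update bundle; an empty list means it may be installed."""
    # If the manifest itself cannot be authenticated, none of the hashes it lists mean anything.
    if not hmac.compare_digest(manifest_mac(manifest), mac):
        return ["manifest authentication failed: do not trust any hash it lists"]
    findings = []
    expected = manifest["files"]
    for name, digest in expected.items():
        if name not in bundle:
            findings.append(f"missing file listed in manifest: {name}")
        elif sha256_hex(bundle[name]) != digest:
            findings.append(f"hash mismatch: {name}")
    # Anything the vendor did not declare is an undisclosed feature and gets flagged.
    for name in bundle:
        if name not in expected:
            findings.append(f"file not listed in manifest: {name}")
    return findings


# Constructed genuine bundle and the manifest the vendor would ship with it.
GOOD_BUNDLE = {
    "firmware.bin": b"\x7fELF constructed firmware image for a hypothetical relay",
    "config.yaml": b"telnet: disabled\nssh: enabled\n",
}
VENDOR_MANIFEST = {
    "product": "relay-x (hypothetical)",
    "version": "2.4.1",
    "files": {name: sha256_hex(data) for name, data in GOOD_BUNDLE.items()},
}
VENDOR_MAC = manifest_mac(VENDOR_MANIFEST)

# Constructed tampered bundle: altered firmware plus an undeclared extra binary.
TAMPERED_BUNDLE = dict(GOOD_BUNDLE)
TAMPERED_BUNDLE["firmware.bin"] = GOOD_BUNDLE["firmware.bin"] + b" constructed extra bytes"
TAMPERED_BUNDLE["maint_tool.exe"] = b"unlisted extra binary"

# A manifest rewritten to match the altered image: without the out-of-band key its MAC cannot match.
FORGED_MANIFEST = json.loads(json.dumps(VENDOR_MANIFEST))
FORGED_MANIFEST["files"]["firmware.bin"] = sha256_hex(TAMPERED_BUNDLE["firmware.bin"])

if __name__ == "__main__":
    for label, bundle, manifest in [
        ("genuine", GOOD_BUNDLE, VENDOR_MANIFEST),
        ("tampered bundle", TAMPERED_BUNDLE, VENDOR_MANIFEST),
        ("tampered bundle + forged manifest", TAMPERED_BUNDLE, FORGED_MANIFEST),
    ]:
        print(label, "->", verify_update(bundle, manifest, VENDOR_MAC) or "OK to install")
```

The point of authenticating the manifest separately from the files is that a supplier or contractor who can alter the image can usually alter the hash list that travels with it; only a key that never passes through the same channel as the update turns the hash list into evidence. The check for undeclared files matches the later recommendation that vendors disclose all features so the utility can disable what it does not need.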
Major utility companies are now becoming aware of the risks that cyber attacks pose, and are investing capital to make their systems more resistant to attack. Utilities are most vulnerable to cyber threats from a third-tier supplier, which has no direct connection to the utility and supplies equipment through a third-party vendor or a distribution channel. Second-tier suppliers carry the same risk but are more visible and better vetted.
What Power Companies Need to Do
Taking into account the above scenarios, the second- and third-tier suppliers of components and services have to be examined and assessed more strictly.
There are already a number of mandatory standards and requirements for supply chain integrity led by both vendor and government organizations such as NIST, ISO, Common Criteria, and OTTF. While these standards need to become more robust given the growing sophistication of cyber attacks, the least companies can do is to seriously adhere to the existing standards and guidelines. To begin with, the power companies must have vendors disclose all features and disable what is not required, limit user capabilities, and block all unauthorized access.
As part of the supply chain cyber security risk mitigation plan of action, the next most important step is to manage procurement risk. This includes joint development of the procurement process with representatives from sourcing, legal, technical, and functional subject matter experts. The vendor pre-qualification criteria and all RFPs must clearly specify compliance with vital security standards.
Given the high cyber security risk emanating from second- and third-tier suppliers, the power companies must make good use of third-party certification and accreditation for the vendors, and must also initiate audits as well as scheduled and unannounced inspections of pre-qualified vendors.