Reports that the U.S. electric grid was penetrated by foreign spies may on the surface seem shocking. But as Brightfly Managing Director of Research Brandon Dunlap knows, attempts at cracking the networks of U.S. utilities are not new. Brightfly is a consulting company specializing in advising on security and governance, risk and compliance.
“While I was running the information protection program at Constellation Energy, we expanded our sensor network dramatically, on the order of 800 percent, allowing us to get very granular and expansive information about malicious activity,” Dunlap recalled. “What struck us almost immediately was the sheer volume of activity originating from well beyond our national borders. Many of these events were coming from foreign universities and large corporations.”
As lawmakers decide how best to improve U.S. cyber-security, Dunlap noted cultural issues at play within the utilities industry that affect its security posture and extend beyond the reach of government regulation.
“Over the past few years, I have had the privilege to speak with numerous utilities across the U.S. and I have found that most NERC [North American Electric Reliability Corporation] CIP [Critical Infrastructure Protection] efforts seem to be driven from the plants and wires sides of their businesses,” Dunlap explained.
“This is a holdover from the days when the utilities kept plant systems segregated from corporate IT resources and when information security operations were relegated to dealing only with corporate-level systems and functions. As the industry has moved to more and more off-the-shelf hardware to run plant controls systems, as well as the trend in increased data sharing, this functional line has blurred.
“While the network borders have become more porous between plant and corporate systems, the old lines of operational activity [have] largely remained as they were years ago,” he continued. “This has resulted in less information sharing between plant operations and information security, which I think is a tragedy since both sides have a lot of knowledge that can be shared. In my opinion, this is a cultural phenomenon and one that cannot be addressed by government intervention. It has to start from within the utility companies themselves.”
Just how wide the scope of regulations aimed at securing the nation’s infrastructure should be is the subject of debate on Capitol Hill. News of the electric grid hack comes as lawmakers consider the Cybersecurity Act of 2009, which calls for, among other things, a threat and vulnerability assessment of government systems and of the corporations that own the nation’s utilities, energy and transportation infrastructure.
Security researchers from IOActive briefed the Department of Homeland Security in March on vulnerabilities in “Smart Grid” infrastructure. According to IOActive, Smart Grid technology is vulnerable to well-known issues such as protocol tampering, buffer overflows and rootkits. Still, the nation’s utilities have largely signed on to the concept of the Smart Grid and are already installing millions of automated home meters across the country, the first phase of Smart Grid deployment.
The Right Moves for U.S. Cyber-security
Ozzie Diaz, CEO of wireless security company AirPatrol, said the Obama administration is making the right moves by bringing the seriousness of cyber-security to the forefront.
“The next initiative is to establish a solid and accountable partnership between the public and private sector around innovation and solving the U.S. electric grid issues and those that will come in the future,” Diaz said. “Today, bureaucracy inhibits results because the public and private sectors don’t communicate as effectively as they should.”
There are a few trends that have led to the nation’s infrastructure being exploited by an advanced and persistent threat, said Jeff Nigriny, program manager for the TSCP (Transglobal Secure Collaboration Program).
“This increased exposure, for systems often assumed not to be on the Internet, arises from the fact that such critical infrastructure networks are interconnected and interdependent with other networks, e.g. service provider corporate networks, the Internet and ‘SCADA’-like networks,” Nigriny said. “One common finding of recent network audits [is they] show overly open and unmonitored gateways to be critical penetration and exfiltration points. In this way, an operator opening an e-mail, and they always will … [enables] these networks to be subject to the same attacks we read about every day, whether they are coming from state-sponsored or individual hackers. The U.S., other governments and critical infrastructure providers have been struggling to adapt and improve under increasing demands for higher returns on invested capital.”
The cost-savings imperative has also led to a related and arguably multiplicative threat vector: the convergence of computing networks and critical infrastructure networks, he added.
Rather than increased regulation, Nigriny advocated more cooperative efforts such as TSCP, which is a partnership between the government and the aerospace and defense industries.
“A single government providing the perfect regulatory environment alone … will not help solve this problem,” he said, adding that very few networks exist only in one country. “Governments must be willing to address these weaknesses with some degree of unity, but this is exceedingly rare as national infrastructure protection is seen as a matter of national defense. TSCP … is one of, if not the only, example of a multigovernment and industry consortium working to define a common approach to securing critical resources.”
To Dunlap, energy companies need to look at three key areas to improve their overall security. The first involves more sharing of ideas between plant operations and IT or information security. Another is tighter integration between physical security, information security, IT, plant operations and other groups as more technology is pushed down to the meter level. Finally, he said, companies need to do more than merely meet the minimum regulatory requirements that do exist.
“Too often I have heard from people, who have the best intentions, mind you, that they want to know what the minimum amount of effort that can be applied to regulatory mandate is so they can check a box on their list,” Dunlap said. “When you are talking about the largest piece of machinery in the world [the electric grid], you should have an equally big picture view of how you are going to protect and manage it. This means taking into consideration the various pieces of the grid that may be beyond your direct sphere of control, but well within your sphere of influence.
“Reach out to your peers in other companies, share ideas. Push your vendors to incorporate security into their control systems; band together for a stronger voice if you can. I have sat in on a lot of conference calls with various utilities and there seems to be a certain air of defensiveness among many of the members. They seem reluctant to share beyond a certain point. We need more collaboration.”