When it comes to security vulnerabilities, it’s all-too-easy to double-down on alarmism and preach impending disaster. But when multiple sources regularly point out large lapses in security, its important to acknowledge their concerns and act to shore up protections. Cybersecurity concerns in the energy sector are certainly justified, with CEOs, data experts, and government officials alike agreeing that large vulnerabilities can and will be exploited absent comprehensive safeguards. A KPMG CEO Outlook report published in November found that 48 percent of power and utility executives believe that their company will inevitably face a cyber attack, with 59 percent identifying “cyber security experts as the most important new role” that would increase value-added at their firm.
These executives’ fears reflect repeated instances of cyber infiltration identified by the Department of Energy. In a report released in August of 2017 on “Electricity Disruption Incident Response Capabilities,” the Department notes that cyber adversaries such as foreign governments (i.e. China and Russia) as well as rogue individuals have become more aware of power plant and electrical grid vulnerabilities and can use malware to wreak havoc on America’s supply of electricity. While it’s hard to predict exactly what would happen in the event of a successful, large scale hacking of power plant operations, a 2015 incident in Ukraine involving three electricity companies gives a glimpse into the dire real-world consequences of seemingly-minor security lapses.
The attackers spent at least half a year studying their targets, utilizing open-source information available on the internet on remote terminal units and the interface of control networks. Once they had a thorough understanding of how the companies connected their hardware with plants’ central control systems, they sent emails to employees with corrupted Microsoft Word files urging users to enable macros. Unsuspecting employees followed these instructions, in turn enabling the “Trojan Horse” of BlackEnergy3 malware to let hackers into the infected system and grant themselves administrative privileges on web systems. By systematically gaining control and using the control to open circuit breakers, the hackers were able to cut off electricity access to more than 200,000 consumers for up to 6 hours.
While Ukraine may have weaker overall infrastructure and greater exposure to a variety of security threats, the same family of malware has been found in the United States and other developed nations. In fact, BlackEnergy3 “evolved” from BlackEnergy2, which was able to gain access to American networks as early as 2011 via Human Machine Interface (HMI) products produced by prominent brands such as Siemens and General Electric. Just as hackers used limited successes as a case study to launch a more sophisticated attack on Ukraine, cyber-criminals are likely using the 2015 Ukraine attack as a trial for a far more disruptive attack on the US grid.
But how can US electricity companies battle determined, oft-invisible foes? The Department of Energy urges energy companies, having critical infrastructure, to develop incident response playbooks and share best-practices with other industry players to ensure that cybersecurity policy is proactive instead of reactive. As Forbes Technology Council contributor Michael Zaic notes, many companies use text messages or email as the second factor for authentication, yet many hackers can execute strategies such as a SIM swap to gain access to company phone accounts and breach security. Zaic argues that, “rather than depending on texting, emails or calls, the codes should be generated by either a dedicated device or an application such as Google’s Authenticator app.” Strong, commonly-held cybersecurity principles are a must for utilities, energy-sector asset owners and other energy related firms. While security preparations may be difficult to juggle with more immediate business concerns and regulatory challenges, Ensight Energy offers comprehensive technical advisory services to evaluate your existing cybersecurity plan to determine resiliency and soberly assess any weaknesses. For expert advisory services during every stage of your energy project’s lifecycle, feel free to contact us via email at firstname.lastname@example.org or by phone at 720.648.6554.