There is an increasing number of threats and actors targeting utilities. These include nation-state actors looking to cause security and economic dislocation, cybercriminals wanting monetary gain, and hacktivists who want to publicize their opposition to utilities’ projects or agendas. In this blog, we’ll discuss the importance of cybersecurity in the power and electric sectors and why it needs to be better.
Utilities’ increasing attack surface comes from their geographic and organizational complexity, including the decentralization of many organizations’ cybersecurity leadership. The electric-power and gas sector’s interdependencies between physical and cyber infrastructure make companies vulnerable to exploitation, including billing fraud with wireless “smart meters,” the commandeering of operational technology (OT) systems to stop multiple wind turbines, and even physical distribution.
The United States electricity grid is comprised of three functions: generation, transmission, and distribution. Generation and transmission make up the Bulk Power System. The Bulk Power System refers to (1) facilities and control systems necessary for operating the electric transmission network and (2) the output from certain generation facilities needed for reliability.
The reliability of the grid’s distribution systems, which carry electricity between the transmission systems and industrial, commercial, or residential consumers, is typically regulated by the states. However, the federal government is responsible for outlining a national strategy for critical infrastructure cybersecurity that includes the grid’s distribution systems.
In the generation function, legacy generation systems and clean-energy infrastructure designed without security in mind can lead to disruption of service through ransomware attacks against power plants and clean-energy generators.
In the transmission function, physical security weaknesses allow access to grid control systems. This can cause large-scale disruption of power to customers.
Finally, disruptions of substations in the distribution function may lead to regional loss of service and disruption of service to customers. This is caused by distributed power systems and limited security built into SCADA systems.
With the obvious risk to our critical infrastructure, the United States Senate decided to act with the Protecting Resources on the Electric Grid with Cybersecurity Technology (PROTECT) Act. This act incentivizes utilities to invest in technology that improves their cybersecurity. The goal is to allow utilities to invest in cutting-edge cybersecurity technology while also strengthening the partnership between private industry and the federal government. Overall, the U.S. government is doing a good job addressing known cybersecurity threats. However, there needs to be more focus on how companies can secure information networks amid a growing threat to OT and ICS. Utilities’ focus on training employees is not enough to keep American utilities secure. It places the responsibility in the wrong place and underestimates the sophistication of the threat actors.
Another issue is that the United States does not and will not select, endorse, or recommend any specific technology or provider as part of its Electricity Subsector Action Plan. While this plan is the first of several sector-by-sector efforts to safeguard the Nation’s critical infrastructure, only about 150 electric utilities have adopted or committed to adopt technologies to further improve the security of the OT and ICS that manage the United States’ electric systems. This means that only about 90 million Americans are actively being protected from the ever-evolving threat of cybercriminals.
System components often have to be taken offline so that owners and operators can apply security patches to address known cybersecurity vulnerabilities. However, this may not happen in a timely manner because the devices must remain highly available to support the reliable operation of the grid.
On top of that, grid operators often don’t use conventional IT vulnerability scanning because of perceptions that it can impact the availability of energy delivery systems. However, this belief is based on an outdated report from 2005. DHS has already said that more recent national laboratory reports have found that vulnerability scanning is not likely to have a negative effect on the safety and resilience of energy delivery systems.
The industrial control system (ICS) is one of the greatest threats to the electric grid. ICS is used to manage electrical processes and physical functions. Increasingly, these systems are merging with technology that connects to or relies on the internet. This connection to the internet enables remote monitoring and can improve cost and energy conservation.
However, it also creates more access points for threat actors. In 2018, the DHS and FBI issued an alert that for the first time publicly charged Russian government cyber actors with targeting and penetrating a variety of critical infrastructure facilities and sectors in the U.S.
Currently, energy companies have few tools to analyze OT systems for malicious activity and distribution systems are becoming more vulnerable to cyberattacks, in part due to the introduction of and reliance on monitoring and control technologies. After gaining access to industrial control systems, attackers may use other tactics to position themselves to achieve their goals. These tactics include running malicious code, avoiding detection, or moving through the industrial control system’s environment.
The grid’s distribution systems, including industrial control systems, may be vulnerable to these tactics as part of cyberattacks because of poor cybersecurity practices at utilities related to encryption, authentication, patch management, and configuration management.
Other vulnerabilities in the grid industrial control systems may also stem from older legacy systems not designed for cybersecurity protections, and the fact that safety and efficiency goals conflict with the goal of security in design and operation systems.
There are many different impacts of cyberattacks on ICSs. Some include:
Disturbances in GPS signals that phasor measurement units receive could limit visibility into system operations, which could result in unsynchronized measurements that could cause misoperation of equipment and power outages. In particular, GPS is susceptible to exploitation by malicious actors through jamming and spoofing.
These are devices that are connected to the grid, for example, electric vehicles and charging stations, and smart inverters (devices that convert electrical current from solar panels for consumers to use in their homes). Distribution utilities have limited visibility into and influence on the use and cybersecurity of these devices because consumers typically control them.
Distributed energy resources are increasingly connected to the grid’s distribution systems. These devices include rooftop solar units and battery storage units. Distributed energy resources can make distribution systems more vulnerable because of their distributed nature, their control and communication requirements, and the larger number of devices and access points operating outside the utilities’ control. For example, companies that offer residential solar energy products can retain the capability to remotely monitor and manage the units. A threat actor may gain access and instruct compromised solar inverters to inject power into the grid to cause voltage and stability issues, potentially causing a power outage.
This means that, as mentioned at the beginning of this blog, there are several different types of threat actors that pose threats to the bulk power system. But what is the United States government doing about it?
Department of Energy (DOE) officials have stated that they are not addressing risks to grid distribution systems in their updated plans because they have prioritized addressing risks facing the bulk power system. Their reasoning is that a cyberattack on the bulk power system would likely affect large groups of people very quickly. However, even if a cyberattack on the grid’s distribution systems did not impact the bulk power system, such an attack could still have significant national consequences, depending on the specific distribution systems that were targeted and the severity of the attack’s effects.
In conclusion, the DOE, DHS, and other federal government agencies have provided resources to states and industries to help them improve the cybersecurity of distribution systems. However, the DOE’s plan for implementing national cybersecurity strategy for the grid does not fully address risks to these systems. Unless the DOE more fully addresses risks to the grid’s distribution systems in its updated plans, federal support intended to help states and industry improve distribution systems’ cybersecurity will likely not be effectively prioritized.
There are many downsides to software cybersecurity. One constant nuisance is the need for updates, otherwise known as patches. When patches need to be installed, the system that the software is protecting must shut down for that to happen. This downtime can cost companies millions of dollars. Because of that cost, companies often choose efficiency over security and continue working within their systems without a software update or two. What’s the big deal? Those software updates can be the difference between losing one million dollars and $20 million. If that seems like a risk you’re not willing to take, then we suggest you invest in hardsec cybersecurity.
Q-Net Security’s hardsec technology is single-purpose, requires no patches, and works with both operational technology (OT) systems and operating systems. As mentioned, one of the main reasons the utilities sector is being targeted by threat actors is that there is a growing population of vulnerable endpoints. Q-Net’s Q-Box is an endpoint protection device. Simply place it in front of any endpoint you wish to secure, and that endpoint may only communicate with other, approved endpoints on the Q-Network. It also intercepts all network traffic and encrypts every single packet with the world’s most protective encryption key. If you are interested in what Q-Net has to offer, contact us today for a free demo!