Power Companies Struggle to Maintain Defenses Against Cyber-Attacks

When experts rank U.S. industries’ abilities to ward off potentially damaging cyber-attacks, the electric utilities are normally near the bottom.

And that is troubling, these same network security professionals say. Taking down an electric grid, especially one that serves a major city, could do real damage to the economy and may indirectly cost lives.

One of the issues is that there is no sense of alarm. A terrorist group or nation state has heretofore not switched off a power grid.

That doesn’t mean that they aren’t vulnerable, said Curt Aubley, chief technology officer and North American vice president at McAfee.

“The good news is that the energy companies and power companies recognize this and they are putting plans in place and forming security partnerships,” he said in an interview.

But at this point, the industry is lagging, others interviewed agreed.

And new smart power grids, which will rely on Internet protocols to connect homes and businesses to the energy plants, may complicate matters.

Maria Horton, CEO and founder of EmeSec, a network security firm that works with the Department of Homeland Security and other government agencies, said part of the problem is cultural change.

The energy grid is one of the nation’s oldest pieces of critical infrastructure, she noted.

“Many of the folks who have worked in energy believe that they have designed a system that has worked very well for 40, 50, 80 years since the delivery of national electricity. They are not necessarily comfortable with modern day information systems,” she said.

The supervisory control and data systems, or scada — the specially designed computer programs that operate industrial machines — have been since their creation unconnected to networks. But they are being modernized through attrition, she said. Many of the technicians who operate the systems are reluctant to update the software because they don’t know what the full impact will be on the grids they run, she said.

Aubley said this is just how the industry grew over time. Power plants have separate network and control systems created just to operate that infrastructure.

To infiltrate such a stand-alone system, the perpetrator of an attack would have to physically install rogue software in the system, similar to what happened in Iran when the Stuxnet virus was allegedly placed by an insider in the scada systems that ran the centrifuges for that nation’s uranium enrichment program.

“In some ways that is a little safer because it is not connected to the Internet,” Aubley said. “But with the economic challenges that everyone has — and the fact that they want to expand their business — many power companies are starting to connect to the Internet so they can provide more automation and … more optimization of delivery,” he said.

They want to provide more value to customers, but once their systems cross that line, they are vulnerable, he said.

Vincent Berk, CEO of network security firm FlowTraq, said there is another problem that isn’t talked about: money. Utilities just don’t have big budgets to spend on cybersecurity.

“They are pinching pennies so hard the copper is coming off,” he said. “They have very little to spend. It’s not only an expertise problem. … They are trying to get by with the least amount of resources they have and do the best job possible.”

The industry relies on custom systems specifically created for managing an infrastructure. Operating systems built with off-the-shelf software such as Microsoft’s are harder to defend, Berk said.

Grids are built to last for decades. Employees forget to update the computer programs as time goes on.

Like the other experts interviewed, Berk said there is an increasing realization in the energy sector that it has a problem.

Awareness is key, said Aubley. “Everyone has got the message that they are a potential target for terrorists. While everyone isn’t perfect, the first step is being aware of what you have and that others may be interested in targeting you.

“Now, I am starting to see people putting it in their strategic plans that they do want to improve their security posture,” he said.

Berk likened it to buying insurance. “It doesn’t have to be too expensive, but you’re going to have to keep paying for it. When you really need it — hopefully you don’t — that is when it will really pay off,” he added.

Even as the power companies play catch up securing their old operating systems, the future has cybersecurity experts more worried. New smartpower grids are designed to send information both ways. In other words, consumers and businesses send information on consumption back to the companies, which can adjust their output accordingly. Homes can also automatically adjust their consumption to save energy, and money for consumers.

Google recently spent $3.2 billion to acquire NEST Labs, a startup that connects thermostats and smoke detectors to the Internet, Aubley noted.

Google sees that the “Internet of things” is a great potential market, he said.

But all these “things” that are connecting to the Internet are also new entry points for hackers. That includes smart-meters connected to homes and local area networks, Horton said.

The Chinese are the primary manufacturers of smartgrid components such as the meters installed in homes. “How qualified or confident are we that … those systems as we take them from the manufacturer are safe?” she asked.

“I would say that companies working to protect cybersecurity need to be aware where smartgrid capabilities exist [and] how they are going to deal with them,” she said. 

Aubley said when he explained smartgrids and how they work to his 12-year-old daughter, she asked if it would be possible for a burglar to hack into a home’s system and determine if someone was there based on how much electricity they were using.

“If my daughter who is 12 can think that up, what about someone with real nefarious intent?” he asked.

“Smartgrids make me so nervous,” Berk said.

“The moment someone has control of those communication channels, I can only imagine the kind of denial-of-service attack you can do. Simply switch on all the power hungry devices at once and overwhelm the power plant,” he said.

“It’s a whole new avenue of attack,” he added.

Manufacturers can design systems to cryptographically authenticate a refrigerator, air conditioning unit or other power hungry devices. But the average fridge is intended to last 15 years or more. “Are the security mechanisms that are good today going to work 15 years from now?” Berk asked.

Some consumers can’t even take the time to update the security on their home computers. How many of them will bother to do so for their thermostats and refrigerators? he wondered.
“That is a very hard problem to solve,” he said.

Baking security in at the core of the system from the start is important, “but you can’t design security and hope nobody breaks in. You have to keep watching this,” Berk added.

Horton said, “We have seen changes in the Department of Energy for the good. They are managing this. They are being proactive.”

But change must happen within companies. That entails “change management,” a process of transforming corporate culture.

“From the perspective of a cybersecurity provider, it means you must deal with the energy sector through change management as well as cybersecurity transformation of an organization, system or process.” It can take time to turn a company’s culture around to where its workers are comfortable enough to move to modern capabilities. It can be a years-long process, she noted.

Meanwhile, new information sharing regimes can be helpful, those interviewed said. But legislation designed to goad the energy sector into doing more to secure its systems would be less so, they added.

“You can make them liable and more compliant with the law, but it doesn’t necessarily make them more secure,” Horton said.

Berk said: “You can make a law forcing them to have better security. … That is not particularly helpful for these guys. It’s a hard problem, and they don’t get the resources to work on it,” he said.

The National Institute of Standards and Technology through an executive order this year will be setting up voluntary information sharing mechanisms for all the nation’s critical infrastructures.

The defense industrial base and financial services sectors, which are said to do cybersecurity better than others, already have such systems in place.

Generally, they work by the participants sharing information on attempted or successful network intrusions with each other.

Horton said information sharing can be a double-edged sword. Those participating have to know how much of the information is shared and how much of it is protected. They can inadvertently reveal weaknesses in their systems.

“It’s good, but you must be cautious of how you are going to share,” she said.

A bigger question is how much of their resources should power companies put into this problem? Everyone wants cheap electricity. The public may be asked to pay more to make the systems secure.

But is it fear-mongering on the part of security firms, or is the threat real?

Peter Singer, Brookings Institute scholar and the co-author of the recent book, Cybersecurity and Cyberwar: What Everyone Needs to Know, said cybersecurity is at its heart a people problem.

“If you want to understand why things are happening and why they are not, you have to look at the people, the organizations they are in, and most importantly, their incentives,” he said.

“This is why finance companies are good at cybersecurity and power companies are quite horrible at it,” he added.

Financial institutions are attacked every day. They have plenty of incentives.

So far, despite all the newspaper and magazine articles sounding the alarm over cyberterrorism, no nation or group has launched such an attack through the networks, and there has never been an injury or fatality caused by one in the United States, Singer said.

“I’m not saying terrorists don’t want to, or there never will be a terrorist cyber-attack,” he added.

Nevertheless, McAfee is putting its own research-and-development dollars into efforts to help secure electric grids, said Berk.

Horton said it may take some big event to make the industry really take notice.

The 9/11 attacks sparked a dramatic change in the mobile communication infrastructure when the system became so overloaded people couldn’t communicate, she said.

“I think you will see something similar happen — whatever the act is — that generates some kind [of response],” she said.

Topics: Cyber, Cybersecurity, Homeland Security, DHS Policy