Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

Smart Grids Need to be Updated, Rebuilt With Security to Reduce Vulnerabilities

Security Vulnerabilities in Smart Grid

Smart grids were not designed with security in mind, making the entire infrastructure highly vulnerable, McAfee said in a recent report.

Security Vulnerabilities in Smart Grid

Smart grids were not designed with security in mind, making the entire infrastructure highly vulnerable, McAfee said in a recent report.

Outdated systems, lack of automation, and the proliferation of interconnected embedded systems are some of the reasons why legacy smart grids are vulnerable to cyber-attacks, McAfee wrote in its Getting Smarter About Smart Grid Cybertheats report, released Wednesday. Attacks include espionage and sabotage, and defending against them is a challenge because attempts come from different sources. Utilities have to protect themselves from organized criminal enterprises, commercial competitors, and governments, all with disparate tools and goals, McAfee said.

Extortion is also a prevalent threat to the global energy sector, as criminals break into utilities and demand a ransom in exchange for not causing any damage. The ransom amounts are in hundreds of millions of dollars, according to McAfee. One in four power companies globally said they had been victims of extortion, McAfee said. In some countries, extortion attempts are even higher, hitting 80 percent in Mexico and 60 percent in India.

“We need to better understand the threat landscape, whether it’s international, domestic, external, or even posed by insiders,” Philip Craig, a researcher in the Department of Energy’s Pacific Northwest National Laboratory, said in the McAfee report.

Energy systems have been historically separated into three distinct domains, McAfee said. Industrial control systems run heavy-duty equipment, system control and data acquisition (SCADA) systems allow administrators to monitor ICS systems, and the internal IT network contain the databases and applications the employees need to get their work done. In recent years, these domains have become interconnected, making it possible to transfer data across systems. While this improved efficiency and provided more useful intelligence, it also increased the system’s overall vulnerability, McAfee said.

“Bridging the air gaps between IT, SCADA, and ICS meant that an intruder could gain access to all three domains simply by entering any one of those,” McAfee wrote in the report.

The “most alarming cause of vulnerability” is tied to the increasing popularity of off-the-shelf embedded systems, McAfee said. While each of these systems perform a single function, many of them use off-the-shelf software and are essentially generic. Criminals can analyze one system and be able to gain control of other systems and disrupt processes. 

Advertisement. Scroll to continue reading.

The industry is interested in automation to take care of repetitive tasks and free up employees to work on other things. Connecting the systems to the Internet allowed administrator to work remotely and to collect real-time information. However, as many of the older systems were connected to the Internet without using encryption, the systems were exposed to the outside world.

“Security needs to be built into grid components at the planning and design phase,” said Tom Moore, vice-president of embedded security at McAfee.

No one intentionally set out to build a bad smart grid, but the current energy infrastructure has all three elements that make a “perfectly bad system” that could have “catastrophic consequences,” Jason Healey, director of the cyberstatecraft initiative at the Atlantic Council, said in the report.

“First, it would all be interconnected, so that failure in any one area would affect all others. Second, it would connect real things made of concrete and steel, not just silicon, so that failure would cause real physical damage—fires or explosions. And third, we’d connect it to the Internet, knowing that intruders could get into it because they’ve already tried and succeeded,” Healey said.

McAfee estimated that 70 percent of the existing energy grid is more than 30 years old. Updating components and integrating with newer systems have been a challenge and “security has largely been an afterthought,” McAfee wrote in the report.

Cyber-criminals could debilitate a major city by targeting the energy grid and compromise lights and appliances in residents, life-saving equipment in hospitals, and impacting air defense systems, according to McAfee.

The full report from McAfee is available here.

Related InsightHow to Make the Smart Grid Smarter than Cyber Attackers

Related Insight: Smart Power Grids a Prime Target in Cyber Warfare

Related Insight: The Increasing Importance of Securing The Smart Grid

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Security Infrastructure

XDR's fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture

Funding/M&A

Identity and access governance vendor Saviynt has closed a $205 million financing round.

Cloud Security

The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning.

ICS/OT

Security orchestration, automation and response (SOAR) provider Swimlane on Monday announced the launch of a security automation solution ecosystem for operational technology (OT) environments.

Identity & Access

The National Security Agency (NSA) has published a series of recommendations on how to properly configure IP Security (IPsec) Virtual Private Networks (VPNs).