U.S. Electric Grid - America the Vulnerable

In the new digital age, the threat of cyber attack reaches every part of modern society. Electrical power runs just about every aspect of life for most people, and most are not prepared for the power source to be interrupted or lost. Even if a public announcement were made a week ahead of time, the majority of people would still be in the same vulnerable position if the power went away abruptly.

Last year, Lloyd's published a report titled "Business Blackout" in which it shared its analysis and findings on an imminent cyber attack on the U.S. power grid. In its attack scenario, attackers were able to inflict physical damage on 50 of the 700 generators on the East Coast grid, a region with a large population concentrated in major cities including New York City, Washington D.C. and Boston. In that scenario, 93 million people were affected by the blackout.

There would most certainly be mass chaos among the population, and the Lloyd's report estimates the total impact to the USA at $243 billion, rising to over $1 trillion in extreme cases. In an already fragile and recovering economy, an attack like this could cripple the country and would most certainly disrupt any momentum the economy had been able to gain.

Not only is this scenario possible, I believe it is imminent. Based on existing intelligence, it is reasonable to assume that nation-states already possess all the information they need to launch such an attack on the U.S. power grid - they choose not to because of political implications. I also believe the USA possesses the same capabilities. It isn't just nation-states that we need to be concerned with, as radical terrorist groups are highly motivated to bring harm to the American people and economy.  

Current State of Affairs 

The U.S. power system is outdated, and it was never designed with network security in mind. Experts have described the U.S. power grid as decrepit and seriously out of date. By connecting U.S. electric plants to the Internet, a new and bountiful supply of attack points and back doors has been opened up to attackers.

Further complicating the security challenges of the new digital frontier is that hundreds of contractors create and sell software and equipment to the energy companies. This software and hardware has weaknesses that can be exploited, and the contractors themselves serve as a portal into the electric grid because they are connected to their customers.

Just three months ago, the Ukrainian power grid suffered a cyber attack, and the resulting outage affected 225,000 people. This is the first time the U.S. Government has officially recognized that a blackout was caused by a malicious cyber attack. Security researchers attribute the attack to a Russian hacking group known as Sandworm. Malicious software was used to remotely switch off the breakers controlling power to the public, and the attackers launched a coordinated effort aimed at keeping legitimate customers from reporting their outages. History with malware tells us that once such software is out in the wild, it can be modified for future attacks with a high degree of success. We have seen this pattern in other industry verticals such as the financial sector.

Within the energy sector, here are just a few examples of reported attacks or attempted attacks:

• In 2012 and 2013, Russian hackers were able to successfully send encrypted commands to, and receive them from, U.S. power generators.

• The Department of Homeland Security (DHS) announced last year that hackers had injected malicious software into grid operations that allowed spying on U.S. energy companies.

• In October of last year, U.S. law enforcement officials reported a series of attempted cyber attacks by ISIS targeting the U.S. power grid.

• In December 2015, the Associated Press reported that "security researcher Brian Wallace was on the trail of hackers who had snatched a California university's housing files when he stumbled into a larger nightmare: cyber attackers had opened a pathway into the networks running the United States power grid."

Homeland Security Deputy Secretary Alejandro Mayorkas acknowledged in an interview that "we are not where we need to be" on cybersecurity.

There are a variety of reasons for the challenge we face in securing our grid, and none of them are easily solved. The avalanche of successful attacks on private industry and the U.S. government shows that nothing can be totally protected, and that if a focused adversary wants in, they will succeed. A proactive, intelligence-based approach must be part of the solution. With outdated power systems being brought online, an increasing number of new access points and an expanding attack surface, it is only a matter of time before a major incident happens in the United States.

The Good News – And Practical Tips to Reduce the Threat Surface

The impact of an attack on the U.S. electric grid would most likely be regional and contained at this time, but not for the reasons you might expect. The disjointed nature of the electric grid works in our favor, at least for now: the grid is a collection of different types of systems and software, which makes a widespread attack much less likely. For now, our dysfunction and lack of efficiency may work to our advantage.

But we can’t count on that to last too long, so here are some recommendations for power companies to consider (and the themes here are usable across all industries):

• Dissect the Ukraine cyber attack and model this intelligence against your systems and operations. It is important to use this type of information because it is not theoretical. Have an outsider lead the exercise if possible.

• Ensure that your organization is fully taking advantage of the ISAC products and services. Then, move beyond your ISAC membership and form a threat intelligence solution where a broad spectrum of stakeholders can gain visibility into the current threat landscape.

• Invest in current staff, and/or hire people if you can find them, to go deep on data science and analytics. It is impossible to protect everything, and organizations cannot hire enough people to sustain a purely defensive strategy.

• Establish or strengthen relationships with DHS resources. The threat landscape is rapidly changing and keeping current with DHS is a good idea to take advantage of the most up-to-date resources.

It is time for all invested parties to come together, share intelligence, and coordinate a holistic security strategy.

Tim Layton is Chief Intelligence Officer at SurfWatch Labs. Before joining the company, he held senior leadership roles with Cisco, EMC, and Wells Fargo. At Cisco, he was a Principal for Cisco’s Global Enterprise Cybersecurity Theatre. Mr. Layton was a Principal for EMC’s Security & Risk Management practice and before that served as Vice President for Wells Fargo where he specialized in enterprise cyber risk across all business units and third-party risk management. He received an MBA and BA from Lindenwold University, and has earned several security-related certifications including CISSP, SANS GSEC, GCIH, GCFW, GREM, ECNE, CCNA, SCO ACE, MCSE.