Why Securing the Electrical Grid Is Generating So Much Buzz
Today’s electrical grid faces three basic threats: Acts of nature. Acts of terror. Acts of complacency. Focusing on the last two, let’s look at how cyber-terrorism may target known vulnerabilities in our aging electric grid using malicious software, and the glacial pace at which these risks are being mitigated. An increasingly computerized "smart grid" must be designed with security in mind.
The U.S. electrical grid is the nation’s most vital and strategic asset. Comprising a vast combination of public and private electrical generation and distribution systems, it is the infrastructure component that has the greatest impact on the quality of our daily lives. Aside from heating and cooling our homes and providing the basis for food preparation and storage, it also supplies the necessary power for clean water, transportation, communications, life-saving services at hospitals and more. Reliable electricity is essential to commerce, air traffic safety, defense systems and national security.
That’s the good news. The bad news is that the electrical grid has proven highly vulnerable in the face of devastating storms such as Katrina and Sandy. Even more alarming, the greatest threat to the grid is likely to strike without warning and with the potential for far more widespread destruction than any hurricane. That threat, of course, is cyberterrorism. Its prime targets are the countless embedded systems that make up our electrical grid.
More Worms are Surfacing
In recent years, cyberweapons have moved from the pages of spy novels to the front pages of newspapers. The Stuxnet worm generated a flurry of media attention and speculation in 2010, when it attacked several facilities around the world, including Iran’s nuclear enrichment infrastructure. Stuxnet took over programmable logic controllers (PLCs) that control the automation of mechanical processes, causing Iran’s uranium centrifuges to spin out of control.
Since then, discoveries of more advanced variants of the same malware have been reported around the world. In a survey on critical infrastructure security by McAfee and the Center for Strategic and International Studies (CSIS), nearly half of the respondents from the energy sector said they had found Stuxnet on their systems. Security experts who deconstructed the worm deemed it to have a level of sophistication that could only be achieved with a multimillion-dollar budget and “nation-state support.” In addition, more recent examination provided some shocking insights – namely, that the ultimate sophistication of Stuxnet lies in the worm’s ability to conceal its maker’s identity. Worse still, creating the actual cyber payload is not that difficult given today’s prevalence of malware rootkits.
An apparent descendant of Stuxnet called Duqu has also been reported in energy facilities in at least eight countries. Duqu probes for sensitive information and weaknesses that could be exploited in future attacks. More recently, a virus dubbed Shamoon has been discovered by security experts. It targets the infrastructure of the energy sector by wiping critical files from operational computers and overwriting master boot records, rendering the machines useless.
The Mother of All Systemic Failures
Today’s leading security experts believe the next catastrophic electrical failure may have more to do with Father Time than Mother Nature. Why? During recent decades, the focus of energy innovation has been to modernize energy distribution and make it safer, cleaner, more efficient, less costly and open to more alternative forms of production – all viable goals.
These goals are being achieved by adding intelligent devices to the grid and connecting them via the Internet to other operational systems, thus enabling utilities to gain greater operational control of systems. However, over the course of time, this effort to automate and integrate previously disparate and largely proprietary systems has produced a grid that is far more vulnerable than ever before. Here are three key contributors to this vulnerability:
- Outdated systems – An estimated 70 percent of the existing energy grid is more than 30 years old. Security has largely been an afterthought when connecting these aging systems to the Internet.
- Automation – Moving systems from manual processes to Internet-connected ones gave energy grid operators real-time information while allowing administrators to telecommute and field workers to manage and program systems from remote locations. However, connecting industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems to the Internet eliminated the air gaps that had provided built-in security, making them accessible to the outside world.
- Interconnection of embedded systems – The third and perhaps most alarming cause of vulnerability is the proliferation and increasing interconnection of embedded software and devices directing the flow of energy. More and more of these devices are being built with off-the-shelf rather than proprietary software, making them increasingly generic, in need of patching and vulnerable. As such, embedded systems are the prime targets of intruders seeking to control or disrupt the delivery of energy.
These trends and their resulting vulnerabilities are readily apparent to Paul Stockton, assistant secretary for Homeland Defense. On July 26, 2012, Stockton told the Aspen Security Forum of his concern about the possibility of a terrorist attack on the U.S. electrical grid that would cause a "long-term, large-scale outage."
Reconnaissance Attacks Are Under Way
Beginning in 2009, a series of attacks known as "Night Dragon" were launched against the global energy, oil and petrochemical sectors. This espionage campaign (either corporate- or state-sponsored) gained access to web extranets, desktop PCs and servers by capturing user names and passwords that could then be used to extract sensitive proprietary data, intellectual property and confidential communications.
According to the McAfee/CSIS study, the leading cyberthreat reported by the energy sector is extortion, affecting one in four interviewed companies. This alarming practice has become commonplace in some countries – 60 percent of executives surveyed in India and 80 percent in Mexico reported extortion attempts. Worldwide, hundreds of millions of dollars are being paid in ransom, according to some estimates.
According to Jason Healey, director of the Cyber Statecraft Initiative at the Washington-based Atlantic Council, "Stuxnet should have been the wake-up call. Now that we know the Internet has been weaponized, what do we need to do before we push too far and too fast on the smart grid? We have to bake security in from the beginning."
Healey’s views are shared by other cybersecurity experts such as Gary McGraw, chief technology officer at software security consulting firm Cigital. McGraw insists that most modern control systems are so poorly designed from a security perspective that they are vulnerable to attacks devised more than fifteen years ago. According to McGraw, securing these systems requires "security engineering – building security in as we create our systems, knowing full well that they will be attacked in the future."
Building Security Intelligence into the Smart Grid
As it turns out, hardening the energy grid is not only possible, it’s highly plausible using a wide range of technologies that currently secure medical devices, industrial control equipment, point-of-sale systems and other embedded devices. These technologies range from antivirus and anti-malware protection to firewalls, advanced encryption and application blacklisting and whitelisting. Whitelisting technology is particularly useful in hardening distributed devices. It ensures that embedded devices will only accept commands from a known, recognized, authorized, and trusted application. If a piece of malware succeeds in getting through the system interfaces and into the device itself, its commands are ignored and the intrusion is reported.
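As an added illustration (not McAfee's product code), here is a minimal whitelisting gate in Python that accepts a command only from an application whose image hash matches a provisioned allowlist and records a report for anything else; the application names and image bytes are constructed samples.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample "application images": on a real device these would be
# executables on disk; the bytes are embedded here so the example runs offline.
TRUSTED_IMAGES = {
    "relay_ctl": b"relay controller v1.2 (constructed sample image)",
    "meter_agent": b"meter reporting agent v3.0 (constructed sample image)",
}


def sha256_hex(data: bytes) -> str:
    """Fingerprint of an application image as used in the allowlist."""
    return hashlib.sha256(data).hexdigest()


# Allowlist built at provisioning time: application name -> expected hash.
ALLOWLIST = {name: sha256_hex(img) for name, img in TRUSTED_IMAGES.items()}


@dataclass
class CommandGate:
    """Accepts commands only from applications on the allowlist; reports the rest."""
    allowlist: dict
    reports: list = field(default_factory=list)

    def authorize(self, app_name: str, image: bytes) -> bool:
        expected = self.allowlist.get(app_name)
        if expected is None:
            # Unknown application (e.g. a dropped binary): deny and report.
            self.reports.append(f"DENY unknown application '{app_name}'")
            return False
        if not hmac.compare_digest(expected, sha256_hex(image)):
            # Known name but modified image: deny and report as tampering.
            self.reports.append(f"DENY tampered image for '{app_name}'")
            return False
        return True

    def execute(self, app_name: str, image: bytes, command: str) -> str:
        """Run the command if the calling application is trusted, else ignore it."""
        if not self.authorize(app_name, image):
            return "ignored"
        return f"executed {command}"
```

Each denial is appended to `reports`, which a device agent would forward to the operator's monitoring system.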
With the help of parent company Intel, McAfee, the world’s largest dedicated security company, has applied its computer security expertise to protect embedded systems. McAfee addresses data security within the electrical grid with a viable, highly effective, low-overhead solution that secures and manages virtually any embedded system – including critical infrastructure for process control, SCADA devices and electrical transmission components. McAfee understands the need to integrate real-time security oversight into every embedded device on the system.
Building security intelligence into the smart grid is a necessary step to ensure efficient and reliable electrical service delivery. Cybersecurity analysts recommend the approach adopted by McAfee, and design engineers already possess the skills and knowledge to implement effective solutions based on McAfee technologies.
Michael Cioffi is a solutions architect at McAfee. He is responsible for management of the worldwide technical sales team within the OEM sales organization. Cioffi’s focus since 2006 has been enhancing endpoint security through the use of embedded security such as whitelisting. He has designed and applied the key principles of whitelisting at well-known organizations including Siemens and Philips Medical, spanning numerous verticals such as medical, industrial automation, retail, and transportation.