Threats to today’s electric grid

Generation Sites

Across all potential attack vectors on the grid, generation plants are among the best protected. These sites often employ layered physical security, making it relatively difficult, though not impossible, to access. In addition, many of the systems that operate and control critical infrastructure are not connected to the public Internet. Such “air-gapped” systems are challenging to compromise remotely, usually requiring advanced knowledge and sophisticated skills. Even then, some experts question whether hackers possess the engineering expertise to exploit the specialized systems used to operate and control the power grid.

Still, vulnerabilities exist. Disgruntled or merely negligent employees present a difficult, yet significant, security challenge for any organization. For instance, recent news reported that the “DragonFly” (i.e. “Energetic Bear”) hacker group, believed by experts to be affiliated with Russia, allegedly makes extensive use of “phishing” emails. Such emails try to trick employees into opening booby-trapped messages or linking to infected web sites.

While some critical information systems are “air-gapped,” the Stuxnet attack on Iran’s Natanz nuclear facility proved the viability of this vector to attack, albeit primarily by well-funded, highly skilled nation-state actors. Project Aurora, a controlled hacking experiment overseen by the Department of Homeland Security at Idaho National Laboratory, vividly demonstrated how industrial control systems (ICS) can be compromised to cause physical damage to generation equipment.

Many “master” host ICS and supervisory control and data acquisition (SCADA) systems are housed at generation sites. These “master” host systems issue controls to other components of the grid, rather than merely gathering and reporting data. These systems could therefore be platforms for causing physical damage to infrastructure.

Aside from air-gapped critical systems, many information and communications systems at generation plants are connected directly to the public Internet, either as employee laptops and workstations or personal mobile devices. These systems can serve as beachheads into the network and pivot points to other systems and networks.

Finally, step-up substations and their ICS, which are often located on or very near to generation sites, present a particularly attractive target to attackers seeking to cause widespread disruption or damage. Again, some experts question whether hackers possess the engineering knowledge to exploit the underlying ICS systems.

Substations

Substations are difficult to physically secure because they are geographically dispersed, often located in industrial, commercial, or residential areas frequented by the public. In 2007 and 2008, as the price of copper reached record highs, thieves accessed substations to obtain scrap copper to sell. Some tried to steal pieces of energized equipment, with grisly results. More recently, at least one sniper fired 150 rounds at a California substation in Silicon Valley, knocking out 17 transformers.

Besides threats to physical security, substations are attractive targets to cyber attackers. Substations house ICS/SCADA systems, which contain widely publicized vulnerabilities. Some experts question the ability of cyber criminals or terrorists to exploit these engineering systems to cause physical damage. No one doubts that the systems are vulnerable to hacking. Proofs of concept have been published and demonstrated at security industry conferences.

ICS/SCADA systems are particularly vulnerable due to their exposure to the public Internet and the difficulty of patching systems. Even when vendors issue software patches for critical vulnerabilities, operators often do not implement them. This results in even known, critical vulnerabilities persisting in equipment throughout the grid.

Finally, ICS vendors are targets of attack. Hackers in the allegedly Russia-affiliated “DragonFly” (i.e. “Energetic Bear”) group have targeted ICS vendors with malware for espionage purposes. Unknown is whether attackers successfully compromised ICS firmware in development or already deployed. Some experts believe this to be a reasonable assumption, based on other evidence.

Research & Development Facilities

Research & development (R&D) facilities are particularly attractive to attackers because they house proprietary technologies, intellectual property, and possibly sensitive data. These sites may employ the same types of layered physical security and air-gapped systems as generation sites. However, R&D facilities house information and communications systems that may be interfaced to and integrated with other critical systems. This provides attackers with a potential beachhead and pivot point onto the broader network.

The biggest vulnerability in R&D facilities may be culture. Due to the laboratory environment, much of the staff and many of the systems are transitory. Systems interfaces, integrations, and configurations are temporary. Security is usually not prioritized, since experimentation, collaboration, and open communication are more valued in research.

Significant vulnerabilities include untrained employees who work daily on and with vulnerable technical systems that are in a constant state of flux. Such employees may be duped by targeted attacks – such as phishing emails that exploit a researcher’s desire to learn, share, and collaborate with others – or they may just make careless errors, such as failing to implement proper password management for sensitive accounts. Systems and security administrators in R&D facilities must be especially vigilant in enforcing strong password policies, best-practice account management, and effective “onboarding”/”de-boarding” processes and procedures.

Transmission & Distribution Infrastructure

Physical damage remains the primary threat to today’s transmission and distribution infrastructure. However, as grid components become modernized with “smart” technology, the threats to communications and digital components (e.g. automation software, sensors, etc.) will increase. (The next section of this presentation explores threats to smart grid technologies.)

Business Offices

Business and operations offices are among the most exposed vectors to outside threats. This partially results from lower physical security than is usually employed at generation and research & development sites. However, the primary vulnerabilities at these sites are not necessarily physical.

A recent industry survey revealed that security professionals inside utilities perceived data stored in applications, databases, storage devices, and servers (in that order) as the most vulnerable to compromise. Many of these systems are housed in corporate and operations offices. Another recent study reported that 69% of all security incidents at electric utilities involved web application attacks and malware. Most of a utility’s corporate web applications and servers are likely to be housed in business offices. Phishing and other methods of targeted attack, intended to spread malware, are carried out via information and communications systems used in corporate and business offices. Many, if not most, of the systems used to store, transmit, and process data are connected to the Internet. These threats, combined with vulnerable systems and untrained employees, present a significant risk.

Meters

The primary threat to traditional analog meters is physical. However, advanced metering infrastructure (AMI) that employs digital meters with integrated communications, a key component of smart grid technology, increases the threat to communications and cyber vectors. Going forward, utilities will increasingly face new threats at the meter. (The next section of this presentation explores threats to smart grid technologies.)