In October 2008, an assassination attempt against exiled former Pakistani Prime Minister Benazir Bhutto was carried out by al-Qaeda operatives in the form of a roadside bombing of her caravan. According to witnesses, the first sign that an attack was about to occur was the sudden switching off of public streetlights along the roadway. That attack claimed the lives of nearly 140 people and serves as a morbid example of how modern terrorists are taking a much more sophisticated approach. Now more than ever, the public infrastructures of nations are at greater risk of being penetrated, infiltrated and controlled by unsanctioned individuals or groups looking to do harm.

Some might look at the example of a Pakistani terrorist attack and dismiss it as a regional anomaly – that could never happen in the United States, right? Consider this: in March 2014, the North American Electric Reliability Corporation (NERC) released the results of its GridEx II exercise, carried out in November 2013. The report revealed that nearly all the 2,000-plus utilities that participated in a two-day drill testing the preparedness to withstand cyber and physical attacks were deemed “insufficient.” This included utilities in North America, Canada and Mexico. And in May 2014, the Department of Homeland Security (DHS) confirmed that there had been a cyberattack attempted against an undisclosed U.S. public utility that succeeded in compromising its control system network.

Just as companies are required to protect their networks from internal and external security threats, the smart grid must be secured from rogue forces seeking to disrupt the safe distribution of power. This is where the NERC’s Critical Infrastructure Protection (CIP) rules fit in.

NERC’s CIP standard specifically focuses on the security of the power supply, which can include the grid infrastructure itself and power generation facilities like wind farms, nuclear power plants, and more. The NERC CIP standard is important because it was designed to reduce cyber threats by proactively managing the technology of the smart grid. It outlines six key requirements for transmission stations, transmission substations and their associated primary control centers.

  1. Risk assessments must be performed on a periodic basis to identify critical transmission stations and substations, as well as the primary control center for each.
  2. An unaffiliated third party must verify that risk assessment.
  3. Transmission owners must give notice of their identification and obligations to a transmission operator that controls a primary control center.
  4. Transmission owners and operators must conduct an evaluation of the potential threats and vulnerabilities of a physical attack to each identified critical facility.
  5. Transmission owners and operators must develop and implement a documented physical security plan that covers each of their identified critical facilities.
  6. An unaffiliated third party must review the physical security plan developed by the owner and operator.

When looking at these six key requirements, companies seeking to do business with smart grid utilities, transmission owners, operators and any technology partners might be wondering who is required to take precautions. Currently, NERC is focused on the “big guys,” such as the bulk power system owners, operators and users. However, we see several specific areas where NERC will eventually need to provide additional guidance for cyber and physical security.

First, electricity providers have to follow best cybersecurity practices. In other words, they need to know who has been granted access to the systems that install, upgrade, and manage the smart grid technology. They also need to check regularly to ensure the networks controlling these devices are not breached, and they must select high-quality technology with built-in protections. There are benefits and risks to rolling out systems that can automatically and seamlessly communicate with each other. The benefit is a smoothly operating grid. But remember that smart grids are digital, and if best practices aren’t followed for things like password protection, a weak point in the grid can cause far-reaching problems.

Secondly, the energy industry uses contractors heavily, both for office work and for installation, upgrades, and maintenance to the infrastructure itself. As numerous data breaches in the enterprise and government sectors have demonstrated, contractors can often be a weak security link. Contractors need to be properly vetted and trained and must adhere to the same security practices with controls in place to make sure they do not have too much access. Most importantly, their access to network architecture and systems must be removed immediately when their work or contract period is finished.
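The two practices above, knowing who holds access and removing contractor access the moment a contract ends, are the kind of thing that only works if someone checks. As an added example (not code from the article or from any utility), the script below runs a contractor access review over an account inventory: it flags contractor accounts that are still enabled after their contract end date and accounts that hold groups outside what a contractor should have. The inventory rows, the field names and the `ALLOWED_CONTRACTOR_GROUPS` policy are constructed assumptions for illustration.

```python
"""Contractor access review (added example, not from the original article).

Flags contractor accounts that should already have been disabled and
contractor accounts holding more privilege than policy allows.
All account data and the group policy below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Assumed policy: the only groups a contractor account may legitimately hold.
ALLOWED_CONTRACTOR_GROUPS = {"field-techs", "vpn-users"}


@dataclass
class Account:
    username: str
    employer: str                       # "internal" or the contracting company
    contract_end: Optional[date]        # None for internal staff
    enabled: bool
    groups: List[str] = field(default_factory=list)


def review_contractor_access(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (username, reason) findings for contractor accounts.

    Internal staff (no contract_end) are out of scope for this check.
    """
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if acct.contract_end is None:
            continue
        # Finding 1: contract is over but the account was never disabled.
        if acct.enabled and acct.contract_end < today:
            findings.append((acct.username,
                             f"contract ended {acct.contract_end.isoformat()} but account is still enabled"))
        # Finding 2: contractor holds groups beyond the contractor policy.
        extra = set(acct.groups) - ALLOWED_CONTRACTOR_GROUPS
        if extra:
            findings.append((acct.username,
                             f"holds groups outside contractor policy: {sorted(extra)}"))
    return findings


# Constructed sample inventory; every row here is invented for the example.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "internal", None, True, ["domain-admins"]),
    Account("acme-tech1", "Acme Field Services", date(2014, 5, 15), True, ["field-techs"]),
    Account("acme-tech2", "Acme Field Services", date(2014, 12, 31), True, ["field-techs", "domain-admins"]),
    Account("acme-tech3", "Acme Field Services", date(2014, 3, 1), False, ["vpn-users"]),
]


def run_sample_review() -> List[Tuple[str, str]]:
    """Run the review against the constructed inventory as of 2014-06-01."""
    return review_contractor_access(SAMPLE_ACCOUNTS, date(2014, 6, 1))


if __name__ == "__main__":
    for user, reason in run_sample_review():
        print(f"{user}: {reason}")
```

In practice the inventory would be pulled from the directory service and the contract end dates from HR or procurement; the point of the check is that the two sources are compared on a schedule rather than relying on someone remembering to disable the account.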

Third, buildings and businesses that sign up for digital regulators from their power companies should also have a backup plan. Keep in mind that if a utility has the ability to turn power off remotely, it is possible that someone could intercept the connection and cause havoc.

In 2013, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a division of DHS, responded to a total of 256 cyber incident reports against federal systems. More than half of these attacks were aimed at assets in the energy sector. That is nearly double the agency’s 2012 caseload. While no single incident caused a major disruption to the smart grid, there is clearly a trend at work among cyber criminals, and the law of averages suggests that the more attempts are made, the more likely one of them will succeed. The energy sector will need to rely on IT security best practices to decrease those odds and keep the positive energy flowing.

By Kevin Jones, Information Security Architect, Thycotic Software