Assessing cybersecurity of the US power grid
Threats to the cybersecurity of the US power grid are on the rise and the issue is now on the radars of chief risk officers at utilities, rather than just IT heads. Alexander Osipovich investigates how the industry is responding and assesses the odds of a catastrophic attack
On August 19, 2006, operators of the Browns Ferry nuclear power plant in Alabama manually shut down the plant’s unit three reactor after its two main coolant pumps – whose continuous operation is needed to prevent a meltdown – simultaneously failed. Investigators later determined that the pumps had failed because of a ‘data storm’ on the plant’s internal computer network. For reasons that remain unclear, but that may have included a hardware glitch or faulty design, excessive traffic flooded the network, which is based on the same standard Ethernet technology found in many homes and offices. That traffic, in turn, overwhelmed the two industrial controllers that ran the pumps, forcing the shutdown, according to an official report from the US Nuclear Regulatory Commission (NRC).
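The Browns Ferry failure mode is a sustained flood of frames on a flat Ethernet segment, which a plant network monitor can catch before controllers are starved. The following is an added illustration, not code from the article, the NRC or TVA: it takes per-second frame counts from a control-network segment (a constructed sample is embedded) and reports every run that stays above a threshold for a minimum number of consecutive seconds, ignoring single-second blips so that ordinary bursts do not page anyone. The threshold and minimum duration are assumed tuning values.

```python
"""Flag a sustained 'data storm' on a control-network segment.

Added example (not from the original article). Input is the number of
frames per second observed on the segment, e.g. from a switch counter or
a span-port sensor; the numbers below are constructed for illustration.
"""
from typing import Iterable, List, Tuple

# Constructed sample: frames/second on a plant Ethernet segment.
# Background is a few hundred frames/s, one harmless spike at second 4,
# and a storm from second 9 through second 15.
SAMPLE_FRAMES_PER_SECOND = [
    210, 190, 230, 205, 7_000, 220, 198, 215, 240,
    9_500, 12_300, 14_800, 15_100, 14_900, 15_300, 14_700,
    260, 230,
]

Episode = Tuple[int, int, int]  # (start second, end second, peak frames/s)


def detect_storms(rates: Iterable[int], threshold: int = 5_000,
                  min_duration: int = 3) -> List[Episode]:
    """Return one (start, end, peak) tuple per storm episode.

    A storm is `min_duration` or more consecutive seconds during which the
    frame rate exceeds `threshold` (both values are assumed tuning knobs).
    Shorter excursions are ignored so that normal bursts are not reported.
    """
    episodes: List[Episode] = []
    run_start = None
    peak = 0
    # A trailing zero closes any run still open at the end of the input.
    for second, rate in enumerate(list(rates) + [0]):
        if rate > threshold:
            if run_start is None:
                run_start, peak = second, rate
            peak = max(peak, rate)
        elif run_start is not None:
            if second - run_start >= min_duration:
                episodes.append((run_start, second - 1, peak))
            run_start = None
    return episodes


def format_alert(episode: Episode) -> str:
    """Human-readable one-line alert for an operator console."""
    start, end, peak = episode
    return (f"DATA STORM: seconds {start}-{end} "
            f"({end - start + 1}s), peak {peak} frames/s")


if __name__ == "__main__":
    for ep in detect_storms(SAMPLE_FRAMES_PER_SECOND):
        print(format_alert(ep))
```

Run stand-alone, the script prints a single alert for seconds 9 to 15 with a peak of 15,300 frames per second; the one-second spike at second 4 is suppressed. In a real deployment the rate source would be the segment switch's interface counters, and the threshold would be set from a baseline of the segment's normal traffic rather than the constructed value used here.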
Nobody was harmed in the incident, the NRC found that Browns Ferry operators acted appropriately and the plant’s owner – the Tennessee Valley Authority (TVA), a US government agency – says it has reinforced its security to prevent such a scenario from happening again. But the incident has joined a growing catalogue of evidence that the US electricity system is vulnerable to cyber threats. “The Browns Ferry shutdown presents a possible attack scenario,” one researcher wrote last year in Strategic Insights, a journal published by the US Naval Postgraduate School’s Center on Contemporary Conflict. And next time, experts worry, the threat could come from malicious hackers targeting US infrastructure.
Cybersecurity has jumped to the top of government and corporate agendas in recent months. Robert Mueller, director of the US Federal Bureau of Investigation (FBI), recently said that he expects cyber threats to surpass terrorism as the country’s number-one national security concern. Meanwhile, the US Department of Energy (DOE) has published a roadmap [1] for securing the power grid against cyber attack by 2020 and issued guidelines [2] for how utilities should improve their approach to cyber risk management. Many power companies say they now consider cybersecurity to be as important a goal as reliability of service.
But cyber threats are a highly challenging issue for risk managers at utilities, not least because the nature of the risk is rapidly changing, while the probability and the cost of a potential attack are still a matter of intense debate. Some argue that the consequences of a successful cyber attack could be catastrophic, pointing to the Stuxnet worm, which targeted Iranian nuclear facilities and caused severe physical damage to machinery. “An ambiguous and uncertain threat is difficult, if not impossible, to quantify,” the DOE says in its roadmap. “Understanding and properly categorising the threat is a major challenge. In addition, the ability to assess the extent to which a risk has been mitigated remains a difficult task.” The report urges utilities to adopt a “culture of security”, in which cyber risk-awareness permeates the industry and companies can respond swiftly and nimbly to this emerging threat.
Avenues of attack
An attack on the power grid is certainly a much bigger threat now than in the past. Two decades ago, it would have been unthinkable, because the technologies underpinning the electricity industry were sealed off from the rest of the world and they usually used obscure hardware and software components that had little in common with those used by personal computers. But the rise of interconnected networks, such as the internet, and the industry’s use of popular standards such as Ethernet, have opened the window to cyber threats.
The core technologies which form the ‘brains’ of the power grid – industrial control systems (ICS) and supervisory control and data acquisition (Scada) networks – are still much tougher for hackers to reach than, for example, a company’s web server. But researchers note that utilities often connect ICS and Scada devices to their internal corporate networks that may include computers running Microsoft Windows, which are in turn connected to the internet, providing an avenue of attack for intruders. Even sealing off networks from the internet may not be enough to prevent cyber attacks, since such networks can often still be accessed through back doors such as dial-up modems, field devices or infected USB drives that unknowing employees attach to corporate computers.
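The avenue described above is a network path from the corporate zone (or the internet) straight into the control zone. One defensive check is to audit observed flows against the segmentation policy the utility believes it has. The following is an added example, not from the article or any utility named in it: it assumes a constructed addressing plan with three zones, a policy that only a DMZ may talk to the control zone, and a handful of constructed flow records (Modbus/TCP on port 502 and DNP3 on port 20000 are the real ICS protocol ports; the addresses and flows are invented).

```python
"""Audit network flows against an ICS segmentation policy.

Added example (not from the original article). Zones, policy and flow
records are constructed; in practice the flows would come from firewall
logs or NetFlow/IPFIX exports at the zone boundaries.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed addressing plan (assumption): which subnet is which zone.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}

# Policy (assumption): the control zone is reachable only through the DMZ,
# and the corporate zone may reach the DMZ. Anything else crossing a zone
# boundary is a violation, including outbound traffic from control devices
# to addresses outside the plan (reported as zone "external").
ALLOWED_ZONE_PAIRS = {
    ("corporate", "dmz"),
    ("dmz", "control"),
    ("control", "dmz"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed flow records.
SAMPLE_FLOWS = [
    Flow("10.10.5.23", "10.20.0.10", 443),        # workstation -> DMZ historian: allowed
    Flow("10.20.0.10", "192.168.100.7", 502),     # DMZ -> PLC, Modbus/TCP: allowed
    Flow("10.10.5.23", "192.168.100.7", 502),     # workstation -> PLC directly: violation
    Flow("203.0.113.9", "192.168.100.12", 20000), # outside -> RTU, DNP3: violation
    Flow("192.168.100.12", "198.51.100.4", 443),  # RTU -> outside: violation
    Flow("192.168.100.7", "192.168.100.12", 502), # intra-control traffic: not a boundary crossing
]

Violation = Tuple[Flow, str, str]  # (flow, source zone, destination zone)


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'external' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def audit_flows(flows: Iterable[Flow]) -> List[Violation]:
    """Return every flow that crosses a zone boundary the policy does not allow."""
    violations: List[Violation] = []
    for flow in flows:
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        if src_zone == dst_zone:
            continue  # same zone: not governed by the boundary policy
        if (src_zone, dst_zone) not in ALLOWED_ZONE_PAIRS:
            violations.append((flow, src_zone, dst_zone))
    return violations


if __name__ == "__main__":
    for flow, s, d in audit_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {s}->{d}: {flow.src} -> {flow.dst}:{flow.dport}")
```

Run as written, the audit reports three of the six constructed flows: the corporate workstation reaching a PLC directly, an outside address reaching an RTU, and an RTU connecting outward. The last case is the one most often missed by perimeter-only thinking, since a compromised control device that calls out looks like ordinary egress unless the policy treats the control zone as closed in both directions.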
Threats delivered by e-mail that exploit human gullibility are among the most insidious risks facing electricity firms, says Tim Roxey, chief security officer at the North American Electric Reliability Corporation (Nerc), the power sector’s self-regulatory organisation. “It’s the e-mails that people tend to open, and click on those attachments, which I wish weren’t there,” he says. “That’s really the simplest, easiest way for someone to get access to your system – through e-mail. And that [applies to] home systems, electric power systems… the electric sector, water sector, oil and natural gas. It covers the gamut. It’s really a pretty significant problem.”
Hacker attacks against US critical infrastructure, including the power grid, are on the rise, according to officials. This month, the US Department of Homeland Security (DHS) said that in the period from October 2011 to February 2012 there had been 86 reported attacks on computer systems that control US critical infrastructure, compared to 11 such incidents in the same period one year earlier – a nearly eightfold increase. The impact of those attacks is unclear and the DHS did not say whether they were successful.
Utilities contacted by Energy Risk agreed that threats are growing, although none would comment on specific incidents because they did not want to disclose vulnerabilities or details of their companies’ cyber defences. “Outside threats continue to increase and range from hackers trying to get identity theft information to threats against our system and electric service,” says Pablo Vegas, vice-president and chief information officer of American Electric Power (AEP), a major investor-owned utility based in Ohio.
The government has been keen to demonstrate that it is on top of the problem. The administration of President Barack Obama, along with a bipartisan group of senators, is promoting a bill to toughen cybersecurity standards for companies that manage US critical infrastructure. To help promote the bill, the White House held a classified briefing for some four dozen senators in early March, where officials demonstrated how a potential cyber attack could cripple the New York City power grid, according to media reports that have emerged from the briefing.
Industry seems to be paying attention. In January, when DOE launched a new initiative aimed at improving cyber risk management in the power sector, the conference room allotted for the event was “standing-room only”, recalls Samara Moore, a senior policy advisor in DOE’s Office of Electricity Delivery and Energy Reliability. Moreover, the issue has broken through to chief risk officers and other top executives at utilities, not just the IT bosses who handled it earlier, Moore believes. “There is significant engagement at the senior level,” she says. “There is more awareness of the cybersecurity threats to the grid and that awareness has definitely increased across the sector.”
Utilities’ growing focus on cybersecurity, however, may be motivated more by financial concerns than by a patriotic desire to comply with government initiatives. Last year, the US Securities and Exchange Commission released new guidance for publicly traded firms, instructing them to disclose material information about cyber risks to investors. As a result, electricity companies across the country inserted hair-raising disclosures into their financial statements. To give a typical example, Con Edison, the utility that provides power to New York, revealed in its latest annual report that it “may face a heightened risk of cyber attack”. If targeted in such an attack, Con Edison and its affiliated businesses “could have their operations disrupted, financial and other information systems impaired, property damaged and customer information stolen”, the company said, adding that this could result in a “substantial loss of revenues”. Con Edison did not respond to a request for comment for this article.
Defending the grid
Faced with the potentially costly threat of cyber attacks, electricity companies have had little choice but to bolster their defences and hire more security personnel.
Cyber insurance policies, which have gained some popularity at technology and health care companies in recent years, have not really caught on in the electricity industry. “Companies in the utility and energy sectors seem to be less excited about cyber insurance,” says Larry Ponemon, chairman of the Ponemon Institute, a private research organisation based in Michigan, which studies cybersecurity issues.
The key problem, he says, is that cyber insurers are scared off by the prospect of a catastrophic attack on power grid infrastructure; they are more comfortable insuring against the risk of data theft and the potential lawsuits that could arise.
“They have a hard time estimating risk around an industrial control system failure,” Ponemon says. “The monster issue from an insurance perspective is, how do you insure against a catastrophic attack?”
TVA, which provides power to 9 million people in seven southeastern states, has focused its efforts on securing its vital industrial control systems and raising awareness of cyber threats among its 12,000 employees, says Michael Tallent, the agency’s director of enterprise information security and policy. “The end-user is often the weakest link when it comes to organisational cybersecurity,” he says. With that in mind, TVA conducts annual trainings for all of its employees, contractors and interns to hammer home the point that they must be vigilant about cyber threats.
AEP, meanwhile, has boosted security around its most important control systems and periodically tests them for vulnerabilities, says Vegas. “We have different levels of security and firewalls pertaining to critical systems and non-critical systems,” he explains. “Our goal is to utilise the best available security technology to protect systems. We perform periodic threat assessment reviews against our critical systems to identify and close potential gaps.”
Outside experts, however, fear that smaller industry players with fewer resources may be falling short in their cybersecurity efforts. Utilities have traditionally been behind firms in other industries – notably the financial services sector – when it comes to investing in cybersecurity and hiring the most qualified personnel, says Michael Assante, president and chief executive of the National Board of Information Security Examiners (NBISE), an Idaho-based organisation that trains cybersecurity professionals. “Quite honestly, you can see the difficulty in attracting people with cybersecurity skill sets to work in this field,” he says. “If you’re really good, you work for a bank at some point in your career, because you can make more money and are closer to serving the customer.”
Assante, a former US Navy intelligence officer who has also worked as Nerc’s chief security officer, also worries that the industry is failing to keep up with the rapidly evolving threats posed by malicious and well-resourced hackers. “What utilities do is they study the regulations,” he says. “And if you look at those, it’s very clear that the controls the government and industry have adopted best address the cybersecurity challenges of a couple of years ago. They are very network-centric; they are focused on establishing electronic security perimeters. They don’t necessarily reflect how attacks and intrusions are happening today.”
The regulatory framework for power-grid cybersecurity is Nerc’s Critical Infrastructure Protection (CIP) programme, which sets standards for how utilities should secure critical assets, report cyber incidents, train personnel and so on. Critics of the Nerc CIP deride it as weak and claim that it lets companies get away with the least possible effort to address cyber risks. “The Nerc CIP is a minimum bar that would not have prevented the cyber-related outages that have already occurred,” says Joe Weiss, managing partner at Applied Control Solutions, a California-based consultancy that advises companies on how to secure industrial control systems.
Critics say the current version of the Nerc CIP leaves huge swathes of the US power grid unprotected because it lets utilities decide whether their power plants are “critical assets”. Since the owners of critical assets face a tougher compliance burden than owners of non-critical assets, companies have an incentive to claim that their plants are not actually ‘critical’, according to Weiss and other experts.
Roxey, Nerc’s chief security officer, admits that the present standards include “some subjectivity”, but he argues that the situation will improve once the next iteration of the Nerc CIP, version four, comes into effect. Under version four, any power plant that can send at least 1,500 megawatts (MW) into the grid through a single interconnection is automatically considered critical.
But even with that improvement, power plants representing a total of 500 gigawatts of generating capacity – roughly half the North American power grid’s base load – will still be classified as non-critical, since so many plants generate less than 1,500MW, according to Andrew Ginter, a Canadian cybersecurity expert based in Calgary, Alberta. “While cybersecurity standards are improving, as a consumer of power in Nerc’s jurisdiction, I would be happier knowing that a clear majority of generating assets were covered by cybersecurity standards,” says Ginter, who works for Waterfall Security Solutions, an Israeli company that sells security equipment to utilities.
Some experts also accuse the industry of under-reporting hacker attacks, especially intrusions that don’t affect critical infrastructure, but nonetheless reflect weaknesses in companies’ defences. The Nerc CIP encourages utilities to report attacks through a mechanism called the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), but the rules allow leeway for firms to decide whether an unsuccessful attack needs to be reported. “The bar is set pretty high for when a report is required,” says Brent Kesler, an independent cybersecurity researcher. “There are a lot of smaller incidents that happen that don’t get reported.” Weiss says one utility he has worked with suffered a targeted cyber attack in 2004 that took down its Scada system for nearly two weeks, but the company did not report the incident to the ES-ISAC or the FBI due to loopholes in reporting requirements. He declines to identify the utility, citing a confidentiality agreement.
Weapons of war
How bad could a cyber attack on the power grid be? Could it really lead to widespread physical damage?
In 2007, researchers at Idaho National Laboratory, which is overseen by the DOE, showed that a targeted attack could actually destroy a generator. In a demonstration of the so-called ‘Aurora’ vulnerability, the researchers sent signals to the control system of a diesel generator, changing its operating cycle and causing it to lose control. Technical details of Aurora have not been publicly released, but a video of the test – which was broadcast on CNN and can now be seen on YouTube – shows the large green generator shaking violently, emitting smoke and finally shuddering to a halt.
If the Aurora test proved that the power grid contains theoretical weaknesses, the Stuxnet worm, discovered in 2010, showed that such vulnerabilities can actually be exploited to attack a country’s infrastructure. The independent researchers who decoded Stuxnet concluded that it was a sophisticated cyberweapon designed to cripple the centrifuges that Iran uses to enrich uranium, even though the worm has also infected computers in Indonesia, India and elsewhere. According to those researchers, Stuxnet targets a specific kind of industrial controller manufactured by Siemens, which is used in the Iranian centrifuges, causing them to spin out of control while sending signals to the operator that everything is normal. Iran has admitted that Stuxnet was a major setback for its nuclear programme, while media reports have suggested that US and Israeli intelligence created the worm.
Many cybersecurity experts view Stuxnet as a wake-up call for the electricity industry. If US and Israeli spies can attack Iranian infrastructure, what is preventing Russian or Chinese hackers from striking North America? “The potential consequences of cyber attacks can’t be ignored and Stuxnet has helped make that apparent,” says Kesler. “It’s not just stealing data.”
Compounding the danger is a lack of good forensics capabilities that would allow real-time monitoring of threats. According to Weiss, many older control systems have very rudimentary logging systems, which makes it difficult to determine when an attack is under way or to reconstruct an incident after the fact. “If a sophisticated, nation-state attack occurs, we will most likely not be aware,” he warns. “We still do not know what a control system attack really looks like. Stuxnet was in the wild for more than a year before it was discovered.”
TVA’s Tallent worries that his agency’s infrastructure could be targeted by a Stuxnet-like attack – particularly if it uses a vulnerability that researchers have not identified yet. “I’m confident we have addressed the known problems in a proactive and timely manner,” he says. “It is the unknown that keeps me up at night. In other words, I am concerned with the zero-day threats that have been identified by our adversaries to which we are blind. These zero-day threats allow for delivery of new variants of exploits or even more complex ‘Stuxnet-like’ exploit tools, which target industrial control systems.”
Cybersecurity from A to Z
The jargon used when discussing cybersecurity of the power grid can often be confusing. Here is a quick guide to some important terms.
Aurora – a cyber vulnerability identified by researchers at Idaho National Laboratory in 2007, in which signals sent to a generator’s control system caused it to spin out of control. By exploiting this weakness, the researchers were able to destroy a diesel-electric generator. A video of the Aurora demonstration can be seen on the internet.
ICS – industrial control systems – these are used to operate infrastructure in the electric power grid as well as the water sector, oil and gas installations, pipelines, factories and transportation systems.
PLC – programmable logic controller – these devices are used in industrial control systems to operate machines as diverse as conveyor belts and traffic lights.
Rootkit – a stealthy type of cyber attack in which a malicious program installs itself on a computer system and continues to run, undetected. These are often very hard to find and remove.
Scada – supervisory control and data acquisition systems – these are large networks used to gather remote field data from geographically dispersed locations, such as the power grid.
Stuxnet – a computer worm identified in 2010 that independent researchers believe was designed to target the Iranian nuclear programme by causing centrifuges to spin out of control. Media reports have suggested that US or Israeli intelligence designed Stuxnet, which is seen as the most sophisticated cyber weapon yet devised.
Zero-day threat – a kind of attack that exploits a vulnerability that the cybersecurity community has not yet identified.
[1] Roadmap to Achieve Energy Delivery Systems Cybersecurity, September 2011, Energy Sector Control Systems Working Group, US Department of Energy
[2] Electricity Subsector Cybersecurity Risk Management Process, March 2012 (Draft for Public Comment), US Department of Energy