Utilities look back to the future for hands-on cyberdefense
The aftermath of the cyberattack in Ukraine on Dec. 23, 2015, produced two unexpected lessons that U.S. grid operators have started to take to heart.
After cutting off power to nearly 250,000 homes and businesses in western Ukraine, the cyber terrorists delivered a final punch to the gut. The hackers wrecked some of the digital controls the operators needed to restart the system remotely. An aptly named cyber weapon called “KillDisk” hidden inside the Ukraine system erased parts of the operators’ startup software.
But substations across the Ukraine utilities’ grid networks still had Soviet-era manual controls, so crews were able to restore power by hand within six hours.
“It was the folks who got in trucks and knew where to go and drove out and found the breakers that had been tripped through the remote access tools,” said Suzanne Spaulding, undersecretary of the Department of Homeland Security’s National Protection and Programs Directorate, in a blog interview.
Now, some leading U.S. grid officials, members of Congress and security experts are warning that old-fashioned protection might be needed for the more advanced U.S. power grid. Fail-safe cyberdefenses cannot be assumed in the age of the smart grid.
“We had this rush to automation over the last 15 years or so, on some level almost blind to security risks we are creating,” said Scott Aaronson, executive director for security and business continuity at the Edison Electric Institute, which represents large, investor-owned utilities.
“It is good we have automation, which gives us better situational awareness. But it also increases the attack surfaces,” he added, referring to the proliferation of sensors and controls that rely on software and connect to the virus-infected internet.
“Automation is driving incredible benefits,” said Michael Assante, a director of the SANS Institute, a leading cybersecurity training firm. “We’ve consolidated and centralized a lot. You just need to keep in mind it also lets the bad guys do the same thing.”
The brutal KillDisk finale in Ukraine demonstrated how attackers could conceal destructive malware that could re-emerge unless operators effectively cleansed their control systems. The Ukraine operators failed this test, experts agree.
The Ukraine attackers unleashed a second weapon that has jarred U.S. cyber strategists and corporate executives: the hackers’ ability to take down the utilities’ electric power distribution system and also attack at least one of the utilities’ telephone call centers. The denial-of-service attack flooded the call center with counterfeit phone calls, preventing customers from getting through to report the loss of power and sowing more confusion and alarm among the grid operators.
“The attack in Ukraine gave us a taste of the threat to come,” said Paul Stockton, managing director of Sonecon LLC and a former U.S. assistant secretary of homeland defense for the Defense Department. “That is just a small hint of the kinds of cross-sector attacks that may confront the United States.”
The danger of such a one-two punch is a top-level conclusion in a new report to DHS Secretary Jeh Johnson by a cyber subcommittee of the DHS Homeland Security Advisory Council, a body of corporate, academic, military and local government leaders.
Johnson ordered the subcommittee to address a major gap in federal cyberdefenses by finishing the DHS National Cyber Incident Response Plan (NCIRP). An interim draft of the plan was issued in 2011 but has never been completed. The lack of a final plan left key questions unsettled about how the federal government would respond to a major cyberattack on critical infrastructure, including how DHS and DOD duties would be divided, said Robert Dix Jr., a vice president for policy at Juniper Networks Inc., a Virginia-based network security firm.
The subcommittee released proposals last month calling for closer coordination of recovery plans by the communications, electricity and financial sectors. And it called on governors to work closely with federal agencies in the wake of a large-scale cyberattack.
“What we focused on was the wake-up call that the Ukraine attack should provide to the United States, in that it reflected a simultaneous attack on the communications and energy sectors,” said Stockton, a co-chairman of the DHS advisory council subcommittee.
“It is the kind of attack that will require very intense cross-sector collaboration, of the sort that the new NCIRP needs to help be able to provide,” Stockton said.
The case for simplicity
The assault in Ukraine dramatizes a crucial difference between the fallout after a natural disaster damages parts of the grid and the debilitating impact of cyberattacks that leave undetected but active malware hidden inside power systems.
“That is one of the big things about the Ukraine incident,” Assante noted: If other utilities are attacked, how would they know that other malware isn’t still lurking after the initial attack ends?
“If they were hiding in other places, they could still be there,” Assante said. “If we didn’t trust our electric substations and devices anymore, how do we deal with that? How would we bring it back? Those contingencies need to be considered.”
Assante and two colleagues are among the experts arguing for a return to older control methods to safeguard the most important grid operations.