InfoSec and the Electrical Grid: They Go Together Like Peas and Carrots

by lg0p89

This article is for conversation purposes and to provoke thoughts on the topic.

InfoSec and the electrical grid/utility companies are clearly in two different industries.  The definition, active application, and need of each are self-evident.  There is no need for an explanation.  To rattle on regarding this would be as necessary as writing a treatise on why we need oxygen.  With the electrical grid, we all need and use the product.  The electrical grid is much like our hemoglobin, as it is necessary for our work.  The electricity feeds our beloved systems and servers.  Without it, the users would simply have boat anchors on their respective desks.

These two industries seemingly are not related, other than a loose indirect link of the computer.

Power Outage

Here is the thing, though.  If there is no electricity, there are no computers processing after the auxiliary batteries are run down, unless the entity has a natural gas generator that just happens to be hardwired in.

For those of a certain age, we lived through and vividly remember the power outage of 2003.  On August 14, 2003, just prior to the close of business, Ontario, Canada, and a good portion of the Midwest and Northeast U.S. lost power.  No notice.  No backup plan.  No nothing.  No gas, as the gas pumps need electricity.  The power was out for two days.

This disrupted everything - literally.

Forty-eight hours does not seem like an eternity until you have to live through it.  As an example, people could not buy gas to get to work or buy groceries, as the gas pumps require power and the grocery stores need it for the lights, registers, coolers, etc.  Also, people and businesses could not operate their A/C.  Imagine this for two days in the hot summer and trying to keep the server room at an acceptable temperature.  I personally lived through this in southeast Michigan.  This brief period was no fun.  On the Kelvin (K) scale of enjoyment, this was an absolute zero (0 K).

The power outage was due to several factors.

Two of these were a failure to balance the supply and demand for electricity, and a bug in the control room software that silently stalled the alarm system for more than an hour.  The alarm would have alerted the control room staff to the issue and potentially stopped the cascade of failures.
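The stalled alarm system described above is a failure that is only dangerous when nobody notices it.  As an added example (not from the article and not any vendor's product), the following Python watchdog reads a constructed stream of control-room events and flags two things independently: the alarm processor failing to report itself alive, and a limit violation that never produced an alarm within the expected window.  The event kinds, thresholds, and sample timestamps are all assumptions chosen for illustration.

```python
"""Added example: a liveness and latency watchdog for a control-room alarm
processor.  Everything here (event kinds, thresholds, sample data) is
constructed for illustration and is not taken from any real system."""
from dataclasses import dataclass

HEARTBEAT_MAX_GAP = 60.0    # assumed: the alarm processor must beat at least once a minute
ALARM_LATENCY_MAX = 30.0    # assumed: every limit violation must raise an alarm within 30 s


@dataclass
class Event:
    t: float     # seconds since start of the log (constructed)
    kind: str    # "heartbeat", "limit_violation", or "alarm"


def find_stalls(events, now, heartbeat_max_gap=HEARTBEAT_MAX_GAP,
                alarm_latency_max=ALARM_LATENCY_MAX):
    """Return a list of (time, code) findings.

    code == "no_alarm":      a limit violation at `time` was never followed by an
                             alarm within alarm_latency_max seconds.
    code == "heartbeat_gap": the heartbeat seen at `time` was not followed by
                             another one within heartbeat_max_gap seconds.
    `now` is the end of the observed log, used to age out pending violations.
    """
    findings = []
    last_hb = None
    pending = []  # timestamps of limit violations still waiting for an alarm

    def age_out(current_t):
        # Any violation older than the latency window with no alarm is a stall.
        while pending and current_t - pending[0] > alarm_latency_max:
            findings.append((pending.pop(0), "no_alarm"))

    for ev in sorted(events, key=lambda e: e.t):
        age_out(ev.t)
        if ev.kind == "heartbeat":
            if last_hb is not None and ev.t - last_hb > heartbeat_max_gap:
                findings.append((last_hb, "heartbeat_gap"))
            last_hb = ev.t
        elif ev.kind == "limit_violation":
            pending.append(ev.t)
        elif ev.kind == "alarm":
            if pending:
                pending.pop(0)  # one alarm services the oldest pending violation
    age_out(now)
    # A heartbeat that has gone silent up to the end of the log is also a gap.
    if last_hb is not None and now - last_hb > heartbeat_max_gap:
        findings.append((last_hb, "heartbeat_gap"))
    return findings


# Constructed sample: healthy for two minutes, then a violation at 200 s and
# 260 s with no alarm, and no heartbeat between 120 s and 4200 s (70 minutes).
SAMPLE_EVENTS = [
    Event(0.0, "heartbeat"),
    Event(31.0, "limit_violation"),
    Event(35.0, "alarm"),            # serviced in time
    Event(60.0, "heartbeat"),
    Event(90.0, "heartbeat"),
    Event(120.0, "heartbeat"),
    Event(200.0, "limit_violation"),  # never alarmed
    Event(260.0, "limit_violation"),  # never alarmed
    Event(4200.0, "heartbeat"),       # processor comes back after a long silence
]
SAMPLE_END = 4220.0


def analyze_sample():
    return find_stalls(SAMPLE_EVENTS, SAMPLE_END)


if __name__ == "__main__":
    for t, code in analyze_sample():
        print(f"t={t:7.1f}s  {code}")
```

The two checks are deliberately independent: a heartbeat proves the process is scheduled, while the violation-to-alarm latency proves it is actually doing its job, and a wedged alarm queue can pass the first while failing the second.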

Nexus

It is well established how important electricity is to our work and way of life.  As noted via the power outage of 2003, the electrical grid is at certain points fragile and vulnerable.  It's not as solid as we think.  The grid can go down.

The connection is relatively simple.

A lack of InfoSec has the propensity to open the utility companies up for issues.  Issues as a rule of thumb are bad for the community.  There is a distinct need to tie InfoSec with the electrical grid.  There is a need to protect the grid from its own, self-imposed vulnerabilities.

It has been known in the industry that utility companies are lacking when it comes to defending against cyberattacks.  The focus has not been on cyber-security, but on securing more energy to sell and economizing operations.  There are reports that the electrical grid has been compromised previously by non-U.S. entities.  Some even say the Russians and Chinese have done this.  The issue has been that, as the systems become more advanced, they have also become less secure.

An example of this is the control system becoming, over time, less secure as a matter of convenience.  The systems used to be more separated, so the IP-based network could not transfer data to or communicate with the control room computers.  Now that they are connected, there is a clear issue with potential accessibility.

Why This Is Important

Here is something to think about.

Billy works in the control room of the plant at the utility company.  Once he arrives home on Tuesday from work, he sits down and checks his Gmail account.  He sees an email from "Adriana21", opens it, and clicks on the link for her private photos which are just for him!

In short, Billy has become a victim of spear phishing.  Billy, in his infinite lack of wisdom, then logs into his work email account.  He has now infected the utility company's system and everything attached to it.  When senior management finds out where this issue came from and how it was introduced, Billy is going to have a bad day.  This equates to a Resume Generating Event (RGE).  Depending on the specific utility, the malware may now have access to the control room's systems.

The direct issue involves the network control software.

A portion of these packages unfortunately have network accessibility enabled by default, and come bundled with other software offering options to run web servers, remote access, and wireless access.  This is very convenient for operations, but it is an access point for deviants.  These features provide additional inlets for the deviant to work at in order to hack into the company.

Accessing these vulnerable systems does not take state of the art software packages costing over $60 million.  All it takes is a little social engineering and a well-directed spear phishing attack.  In our example with Billy, the simple yet enticing email only has to carry the appropriate malware as a payload, or a link to a malicious website.  The plant control network logically should be completely separated from outside access.
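The two concrete defensive points above, that convenience features should not be left enabled by default on control systems and that the plant control network should be separated from outside access, can both be checked mechanically.  The following Python script is an added example (not from the article and not any vendor's tool) that audits a constructed inventory of control-network hosts and a constructed firewall rule list: it flags web, remote access, and wireless services enabled on control hosts, hosts still on vendor defaults, and any allow rule that crosses the control-network boundary in either direction.  The subnets, host names, service names, and rules are all assumptions.

```python
"""Added example: audit a control network for convenience services left enabled
and for firewall rules that breach segmentation.  All addresses, hosts, and
rules below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

CONTROL_NET = ipaddress.ip_network("10.50.0.0/24")  # assumed plant control network
CORP_NET = ipaddress.ip_network("10.10.0.0/16")     # assumed corporate/office network

# Convenience features the text calls out: web servers, remote access, wireless.
RISKY_SERVICES = {"http", "https", "telnet", "vnc", "rdp", "wireless_ap"}


@dataclass
class Host:
    name: str
    ip: str
    services: set            # enabled services as reported by an inventory scan
    defaults_changed: bool   # True if vendor default configuration/credentials were changed


@dataclass
class Rule:
    src: str      # CIDR
    dst: str      # CIDR
    action: str   # "allow" or "deny"


def audit_hosts(hosts):
    """Flag control-network hosts exposing convenience services or on vendor defaults."""
    findings = []
    for h in hosts:
        if ipaddress.ip_address(h.ip) not in CONTROL_NET:
            continue  # only hosts inside the control network are in scope here
        exposed = h.services & RISKY_SERVICES
        if exposed:
            findings.append((h.name, "convenience service enabled on control host: "
                             + ",".join(sorted(exposed))))
        if not h.defaults_changed:
            findings.append((h.name, "vendor defaults unchanged"))
    return findings


def audit_rules(rules):
    """Flag allow rules that cross the control-network boundary.

    A rule is acceptable only if it stays entirely inside the control network
    (both ends are subnets of CONTROL_NET) or never touches it at all.  Anything
    else, including catch-all 0.0.0.0/0 rules, breaks the separation.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)
        intra = src.subnet_of(CONTROL_NET) and dst.subnet_of(CONTROL_NET)
        untouched = not src.overlaps(CONTROL_NET) and not dst.overlaps(CONTROL_NET)
        if not (intra or untouched):
            findings.append((f"{r.src} -> {r.dst}",
                             "allow rule crosses the control-network boundary"))
    return findings


# Constructed sample inventory and rule set.
SAMPLE_HOSTS = [
    Host("hmi-01", "10.50.0.10", {"modbus", "https", "vnc"}, defaults_changed=False),
    Host("historian", "10.50.0.20", {"opc"}, defaults_changed=True),
    Host("corp-mail", "10.10.1.5", {"https"}, defaults_changed=True),  # out of scope
]
SAMPLE_RULES = [
    Rule("10.50.0.0/24", "10.50.0.0/24", "allow"),  # intra-control traffic: fine
    Rule("10.10.0.0/16", "10.50.0.0/24", "allow"),  # office to control: flagged
    Rule("10.50.0.0/24", "0.0.0.0/0", "allow"),     # control to anywhere: flagged
    Rule("0.0.0.0/0", "0.0.0.0/0", "deny"),         # default deny: ignored
]


def run_sample():
    return audit_hosts(SAMPLE_HOSTS), audit_rules(SAMPLE_RULES)


if __name__ == "__main__":
    for group in run_sample():
        for subject, msg in group:
            print(f"{subject}: {msg}")
```

Running the same checks against a real inventory export and firewall configuration is a matter of replacing the two sample lists; the boundary test in `audit_rules` is intentionally strict so that a "just for convenience" rule to the office network shows up rather than being quietly accepted.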

With utilities, there is a certain level of importance.  Whenever the power goes out, even for half a day, people get very excited very quickly.  This is not a seasonal issue, as people are upset in the winter and summer months alike.  This is clearly different, and a greater level of security is required at a utility than at a local dollar store.  Not that there is anything right or wrong with a dollar store; this is just used as a comparison.

Warning Will Robinson!  Warning!

Please note, this section's title is for a certain demographic.

Back to the focus.  The issue is not new.  These warnings started in at least 1999.  This was also clearly stated in 2004, with the warning that using IP networks was an issue.  Further evidence of the issue, if it was even needed, was demonstrated at the 2008 RSA Conference.  A security-oriented person showed specifically the ease of breaking into a power plant through malware accepted via employee phishing.  The examples go on and on.  This is a function of the relatively easy access.

The utility companies justify their inaction and complacency by citing business uses for having the systems available on the Internet.  They also say this is a convenience.  Many of these utilities don't understand, or care to understand, the threats and their implications.  A study released in 2011 even suggested a government agency should be created or tasked with protecting the electrical grid.

It is that important.

Think of it this way.  An attack on the electrical grid, if successful, would cause an immediate and significant issue.  If the electrical grid being down for two days in portions of the Midwest, Northeast, and Ontario caused a massive amount of stress, think about the effect of just one seaboard not having electricity.  This would be very stressful for the people.  This would also be stressful for the utility company as it attempted to bring the system back up and remove any detected malware.

Summary

We all hope this is a lesson we don't have to learn firsthand.

It is by far better to use common sense and fix the issue now and be prepared.  To act takes less time and effort than to react.
