The Ukrainian Power Grid Hack – Two Years Later
Here we are almost two years after the Ukrainian power grid hack, and what have we done to make sure the same or worse doesn’t happen? Is the power grid in Dubai more secure? How about in England, Spain or the United States? The Ukraine attack was a nation state attack and it is my belief that many power operators will think that they are not likely to be the target of a nation state attack and, so, haven’t made any changes.
Those that do worry about nation state attacks may train staff to counter phishing e-mails but will probably do little to improve security by looking systematically at control systems and implementing segregation between IT and OT, until there is more evidence of nation state-style attacks which are not as politically motivated as the Ukraine one was.
In the USA, we like to think that NERC makes us more secure. Our control systems are not connected to the Internet. We only hire trustworthy people, so we cannot be hacked from the inside… or could we? In October, it was reported that North Korea was attempting to hack critical infrastructure in the United States. Their efforts could disrupt air service and affect the business side of many electric utilities.
When governments realize that their exposure to cyber-attacks is as critical as terrorist attacks, they will create programs like NIST or even FERC/NERC. There are currently 16 different industries that are classified as critical infrastructure industries. Most of them are wide open for attack.
Over the coming years, nation state-style attacks (see the Ukraine power attack) will be accessible to lower levels of criminals as these types of attacks are monetized via the Dark Web. The ability of nation states to impact energy supply capacity has been well proven. The ability to perform such attacks with little evidence of detection is likely to lead to further such attacks, including in other countries. Political changes over the coming years may introduce nation state threats to new countries that would normally consider themselves relatively distant from such attacks.
This means that organisations in the critical infrastructure sectors must become more resilient to a wide range of attacks, including blended attacks, which use a variety of approaches, such as a combination of social engineering and phishing, to compromise a target.
The release of exploits, originated by nation states, for standard systems such as Windows operating systems will become more widespread. Significantly more focus will need to be placed on ensuring that systems include the latest patches. This will require quicker turnaround of patch implementation to reduce the window when systems are vulnerable, which can be achieved by the implementation of more detailed reference systems on which updates can be tested and by greater use of automated testing.
The existence of such exploits, targeting traditional IT systems, means that it is even more important to ensure the necessary segregation between IT and OT systems, and to ensure that necessary levels of segregation are implemented within IT and OT systems to limit the extent of any compromise. Care must be given to maximize usability while minimizing the opportunity for attackers to access all parts of a network without having to perform further compromises. Implementation, for example, of 2 Factor Authentication should be considered for access to important elements of networks, such as Active Directories or similar means of managing access. While 2 Factor Authentication systems can also be spoofed, their use dramatically increases the difficulty of implementing an attack and provides an additional barrier which is hard for most attackers to breach.
The use of such advanced attacks will drive the need for better monitoring of networks, so that unexpected traffic or patterns of unexpected audit log entries can be identified, which in turn will drive the need for better analytics relating to monitoring and logging.
The move towards smart meters, smart homes, and smart cities increases the attack surface for those wishing to do harm to our critical national infrastructure and provides multiple access points into networks. Decentralized generation in the electricity market is already providing more ways for criminals to attack electrical systems, for example, subverting management channels used to control PV and battery storage systems. While gas is less likely to suffer from the decentralized problems, there may still be avenues of attack where attackers could seek to falsify energy usage figures leading to falls in revenue for gas suppliers.
Where gas is used to generate electricity, of course, there will still be potential impacts from corruption of electrical usage data on the gas networks. For example, actual or predicted electrical usage figures could be manipulated to predict a surge in demand, which may lead to the use of a gas generating plant to supplement base load. This could force the price of gas up and could leave the energy market susceptible to arbitrage opportunities.
Energy suppliers must, therefore, adopt improved methods of identifying attacks – through knowledge of the planned communications volumes and types, and through comparison of expected to actual communications volumes and types. This will require analysis of expected traffic flows and a means of comparing actual with expected, including the analysis of audit logs produced by various parts of the energy management system.
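The expected-versus-actual comparison described above, sketched as an added example (not code from the original article). The host names, protocols, message counts and the five-minute window are all constructed assumptions.

```python
from collections import Counter

# Constructed baseline for a hypothetical OT segment: planned flows per
# 5-minute window. Key: (source, destination, protocol);
# value: (minimum, maximum) messages expected in one window.
EXPECTED = {
    ("scada-master", "rtu-07", "dnp3"): (280, 320),
    ("scada-master", "rtu-12", "dnp3"): (280, 320),
    ("historian", "scada-master", "opc-ua"): (50, 70),
}


def sample_window():
    """Constructed observations for one window, one tuple per message seen."""
    flows = []
    flows += [("scada-master", "rtu-07", "dnp3")] * 300  # within plan
    flows += [("scada-master", "rtu-12", "dnp3")] * 900  # far above plan
    flows += [("office-pc", "rtu-07", "ssh")] * 4        # IT host, unplanned type
    # The planned historian flow is absent from this window.
    return flows


def compare(expected, observed):
    """Return sorted findings where actual traffic departs from the plan."""
    counts = Counter(observed)
    findings = []
    for flow, seen in counts.items():
        if flow not in expected:
            # Communication type or path that was never planned.
            findings.append(("unexpected_flow", flow, seen))
            continue
        low, high = expected[flow]
        if seen > high:
            findings.append(("volume_high", flow, seen))
        elif seen < low:
            findings.append(("volume_low", flow, seen))
    for flow in expected:
        if flow not in counts:
            # Planned traffic that went quiet is also a deviation.
            findings.append(("silent_flow", flow, 0))
    return sorted(findings)


if __name__ == "__main__":
    for kind, flow, seen in compare(EXPECTED, sample_window()):
        print(f"{kind:16} {' -> '.join(flow[:2])} [{flow[2]}] messages={seen}")
```

In practice the baseline would be derived from the planned traffic analysis the paragraph calls for, and the findings would feed the same review process as audit log anomalies.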
The development of AI techniques to assist in the management and analysis of audit logs will help to simplify the identification of malicious activity, or trends in activity which may be a result of the implementation of low level attacks. Energy suppliers should consider investing in the development of such tooling to help support their secure operations.
Many of these issues have been addressed in the USA and solutions have been developed. However, they have not all been implemented due to various issues. Quick implementation of security patches has been implemented by NERC, but if the security patches are not properly tested, they can cause problems. The solution to this is isolating critical assets and not implementing a security patch before it is proven good. This has become the rule.
Monitoring and isolating incoming communications has also been addressed and has encountered failures. In one case that I am familiar with, the critical status of field elements looked suspicious, and since they were not included during the monitoring process and the manual effort to remove them from quarantine took too long, the operations personnel were unable to act quickly enough and the electric grid was negatively affected.
Distributed computing adds vulnerabilities and more available attack vectors. Distributed cyber assets that are exposed, or potentially exposed, to hackers cannot be allowed to be part of critical systems and must be isolated from those critical assets.
In the United States, isolation has become the first rule in NERC environments. Utilities must identify critical cyber assets using bright-line criteria. Then critical assets are isolated from the outside world using intermediate servers. Once this is done, they move forward with the implementation of:
- Security Management Controls
- Personnel & Training
- Physical Security
- System Security Management
- Incident Reporting and Response
- Recovery Plans
- Configuration Change Management
- Vulnerability Assessments
- Information Protection
These items are all what we consider best practices and we all know that they are needed, but without isolation of critical cyber assets, cyber security of these systems becomes very difficult. Isolation provides for the flow of data while keeping out unwanted threat actors. Our mantra should always be “keep the footprint small,” which refers to the physical footprint as well as the number of people having access to systems. Once a utility realizes what isolation and footprint mean, security gets a lot easier. Then the challenge becomes how to ensure that cyber assets associated with smart meters, fuel supply, etc. (assets that currently are not considered critical cyber assets) are cyber and physically secure.
What can you do to protect your critical systems? DNV has a global team of cybersecurity experts that can help you harden your network against attack. We can train your employees to make them more cybersecurity aware. We can also perform cyber vulnerability or penetration testing on your network, to show you where your problems are.
Contact craig.reeds@dnvgl.com or (480) 524-4840 to learn more.