The Cybersecurity Threat for Critical Infrastructures

Aug. 19, 2016
The U.S. energy sector needs to better prepare for attacks, according to a new report from the Institute for Critical Infrastructure Technology.

It’s pretty easy to sensationalize the kind of havoc that a cyber attack could potentially inflict on an electric grid—images of a city, state or whole country brought to its knees by a malware attack; people dying from the cold or heat; communications brought to a halt. This level of mayhem is unlikely with the U.S. power grid simply because of the complexity of the network. But there’s still reason to be concerned.

“The interwoven networks of utility companies, transmission networks, distribution hubs and other facets are too complex for any one attacker to wholly dismantle,” says a new report from the Institute for Critical Infrastructure Technology (ICIT). “The grid depends on multiple parties who all operate different infrastructure that is configured differently. Redundancy systems and physical failsafes protect the grid from catastrophe.”

And yet the energy sector is plenty vulnerable nonetheless, according to ICIT’s James Scott, senior fellow, and Drew Spaniel, researcher, who authored “The Energy Sector Hacker Report” to provide details on the threats and vulnerabilities.

“Following the cyber attack on the Ukraine power grid [in December 2015], there were reports that pointed out that an important vulnerability within the U.S. is that, unlike Ukraine, our power grid typically does not have manual backup functionality,” Juan Espinosa, ICIT fellow and senior project manager, Parsons, is quoted as saying. “This means that if automated systems controlling our utility power grid were to be attacked, it would take much longer for the response teams to restore power.” The failsafes cannot prevent disruptions, which could affect homes and businesses, and even impede law enforcement and security.

As the report points out, the American electric grid was built to be reliable, flexible and economically competitive. It was not designed for cybersecurity. The industry certainly did not envision then an electric grid that would use the Internet to ease the management and maintenance of critical systems.

Many utilities rely on legacy industrial control systems (ICSs) and supervisory control and data acquisition (SCADA) systems that are well beyond their intended lives and were certainly not designed with cybersecurity in mind. Although new technologies have been combined with the legacy systems, the report’s authors note, “the security added to the preexisting systems is often mismanaged or inadequate to the task of securing the underlying critical infrastructure systems.”

Part of what makes the U.S. power grid vulnerable is its reliance on only about 2,000 high-voltage and extra high-voltage (EVH) transformers, which are large, expensive, and difficult to replace. A cyber attack could strategically target one or more transformers, causing months of outages and hundreds of billions of dollars in damages. “Depending on the duration of the outage, lives could be at risk,” the report says. “While modern critical infrastructure, such as hospitals, have backup generators or micro-grids, average households likely lack the alternate means to refrigerate food, heat or cool homes, or otherwise comfortably survive. The longer an outage lasts, the greater the crime rate and the greater the burden on emergency response services.”

Of course, many of the EHV transformers are monitored or directly controlled by ICSs. And if malware, ransomware or other cyber threats target those systems, the resulting damages could be as severe as a solar storm. “The least extreme prediction of damage from a CME solar storm leaves 15 million people without power for up to six months and results in $217 billion in direct economic damages, $202 billion in indirect damages, and $474 billion in damages worldwide,” the authors note, later pointing out, “Unlike a theoretical CME storm, which might occur once every century, targeted cyber attacks can occur multiple times every second.”

Although cyber attacks against energy infrastructure are often categorized as low risk, severe impacts, the ICIT report contends that the control systems—ICS, SCADA, HMI, etc.—are much more vulnerable and at risk than is commonly supposed. Organizations often believe that they are air gapped from broader networks, but that is easier said than done. At this year’s Def Con Hacking Conference, researchers from Trend Micro’s Zero Day Initiative showed that ICSs and SCADA systems are rarely as isolated as operators believe. Unsecure credential management—such as a lack of encryption or the use of default passwords—is a common problem, as is default settings in systems that were never designed to be secure.

“When adversaries such as Hail Mary threat actors begin targeting energy systems with intent, easy-to-achieve, severe consequences will inevitably follow,” the ICIT experts note, also adding, “Critical energy systems are too vulnerable and the exploit lifecycle is too long. Even with a reliance on analog failsafes and manual backup systems, the potential impact or loss of efficiency is too great for energy organizations to ignore. Security and resiliency should be assured before systems are connected to networks or openly accessible devices.”

ICIT experts will present their findings Aug. 24 in Washington, D.C., and identify solutions to protect the nation’s critical infrastructures. Find more information and register here.

About the Author

Aaron Hand | Editor-in-Chief, ProFood World

Aaron Hand has three decades of experience in B-to-B publishing with a particular focus on technology. He has been with PMMI Media Group since 2013, much of that time as Executive Editor for Automation World, where he focused on continuous process industries. Prior to joining ProFood World full time in late 2020, Aaron worked as Editor at Large for PMMI Media Group, reporting for all publications on a wide variety of industry developments, including advancements in packaging for consumer products and pharmaceuticals, food and beverage processing, and industrial automation. He took over as Editor-in-Chief of ProFood World in 2021. Aaron holds a B.A. in Journalism from Indiana University and an M.S. in Journalism from the University of Illinois.

Sponsored Recommendations

Why Go Beyond Traditional HMI/SCADA

Traditional HMI/SCADAs are being reinvented with today's growing dependence on mobile technology. Discover how AVEVA is implementing this software into your everyday devices to...

4 Reasons to move to a subscription model for your HMI/SCADA

Software-as-a-service (SaaS) gives you the technical and financial ability to respond to the changing market and provides efficient control across your entire enterprise—not just...

Is your HMI stuck in the stone age?

What happens when you adopt modern HMI solutions? Learn more about the future of operations control with these six modern HMI must-haves to help you turbocharge operator efficiency...