On March 15, the U.S. Computer Emergency Readiness Team, an internal group within the Department of Homeland Security, released an explosive report outlining numerous instances in which hackers working for the Russian government targeted critical American infrastructure, including the national power grid. The strikes covered in the document were not experimental in nature. Data security analysts for US-CERT seem to have found incontrovertible evidence that state-sponsored cybercriminals could, at any time, essentially paralyze power delivery structures nationwide. Industry leaders who reviewed the findings supported this conclusion, The New York Times reported.
“We now have evidence they’re sitting on the machines, connected to industrial control infrastructure, that allow them to effectively turn the power off or effect sabotage,” Eric Chien, the security technology director for the cybersecurity firm Symantec, told The Times. “From what we can see, they were there. They have the ability to shut the power off. All that’s missing is some political motivation.”
The US-CERT findings and their implications have re-ignited discussions about the fragility of the U.S. power grid. However, this new information changes the discussion, as it seems the digital threats with the potential to shut down power generation and distribution operations across the country are no longer abstract; these hazards are real and have, quite possibly, already been introduced to the backend systems they are designed to take down.
Addressing crumbling electrical infrastructure
Power companies and other industry stakeholders are well aware of the numerous issues hampering the national power grid, which often takes center stage during conversations on declining American infrastructure – and for good reason. U.S. households experienced more than 3,800 power outages in 2016, each of which lasted an average of 48 minutes, according to research from power technology provider Eaton. These service interruptions affected an estimated 18 million Americans and unfolded across all 50 states. This figure continues to increase as the condition of power delivery structures worsens. Why?
A vast majority of the transmission and distribution lines circulating the country were installed during the 1950s and 1960s, according to the American Society of Civil Engineers. These fixtures were fabricated to withstand up to five decades of use, meaning most have surpassed their original life expectancies. These T&D lines stretch across 640,000 miles of territory and fuse America’s three primary electrical grids – the Eastern Interconnection, the Western Interconnection and the Texas Interconnection – into one cohesive nationwide installation. As each of the filaments fail, this massive mega grid weakens, resulting in power outages and operational inefficiencies that facilitate electrical leakage. For example, from 2005 to 2006, power providers relinquished roughly 239 million megawatts of energy due to dilapidated T&D lines, a loss the cost the American economy more than $19 billion, according to research from National Electrical Manufacturers Association. These operational trends are simply not sustainable long term. Sadly, replacing T&D equipment nationwide is simply not an option either, the ASCE reported. An influx of $112 billion is needed to complete this work. So far, private and public stakeholders have managed to generate only $45 billion.
In lieu of outright T&D line replacement, power providers, with the help of state and federal governments, have attempted to stabilize the national power grid via so-called smart technology. Intelligent meters are the most visible result of this adoption drive. These devices allow electric companies to collect energy usage data remotely. This information is used to optimize operations and improve customer service. Utilities have installed more than 70 million smart meters nationwide, according to the Energy Information Administration. In addition to putting these devices into place, power companies are also bolstering their operations via sophisticated outage management tools and mobile applications. Combined, these technologies improve grid resilience and allow electric utilities to potentially recoup losses linked to power leakage.
While this computerization has certainly improved service reliability, it has complicated matters, making an already dilapidated grid vulnerable to hackers, Scientific American reported.
Understanding the latest attacks
The US-CERT report demonstrated just how weak portions of the national electrical delivery system have become in the wake of modernization. More worryingly, the cybercriminals that spearheaded the strikes managed to infiltrate the American grid using older code, Vox reported. The U.S. data security professionals that compiled the US-CERT report discovered that nefarious programmers leveraged a classic hacking strategy called spearphishing to enter power control systems. This tactic normally involves sending email messages that link to powerful malware delivered through automatic downloading. The Russia-linked hackers also used a technique called waterholing. Cybercriminals using this methodology alter popular industry websites so that user details – including backend login credentials – are surreptitiously collected. In addition to these strategies, hackers have been authoring seemingly valuable word documents embedded with malicious software that allow them to take over the computer of anyone who opens them.
Despite obtaining complete access to mission-critical power delivery systems, the hackers discussed in the US-CERT report did not catalyze shut downs or smaller service interruptions. Instead, they used this access to gather information on the inner-workings of the American electrical grid, including nuclear energy facilities. This widespread scouting has led data security experts to believe more sustained, impactful attacks are in the works.
There is precedent for such fears. In December 2015, hackers leveraged a strain of malware called Crash Override to shut down the power grid serving residents living in the Ivano-Frankivsk region of Ukraine, Wired reported. The attack knocked 30 substations offline and darkened half of Ukraine’s capital Kiev. In the end, crash override managed to trigger an outage that impacted 230,000 people. However, these were not the most disturbing details of the strike, as data security researchers later learned. Crash Override executed these actions without much assistance from its human handlers, who essentially introduced the malware into the pertinent machines and watched it work. On top of this revelation, it was a rushed job.
“Looking at the data, it looks like they would have benefited and been able to do more had they been planning and gathering intelligence longer,” Robert Lee, president of the data security firm Dragos Security and a former U.S. Air Force cyberwarfare operations officer, told Wired. “So it looks like they may have rushed the campaign.”
The strikes covered in the US-CERT report seem to follow the pattern Lee discusses here: detailed reconnaissance, followed by an outright onslaught using an advanced technology, such as Crash Override.
Dealing with active digital threats
With dangerous, potentially state-sponsored online entities gearing up for an attack on the American power grid, how are electric companies and other critical industry stakeholders supposed to respond? Soon after the release of the US-CERT report, the Edison Electric Institute published a statement outlining its efforts to collaborate with government groups to address grid security in the short term while configuring more expansive plans designed to protect this key piece of infrastructure well into the future. The organization also released resources for utilities wanting to take localized action in the wake of the grid hacking revelations.
“Following the announcement of sanctions against Russian government cyber actors, the Electricity Information Sharing and Analysis Center provided additional indicators and other technical data to ensure electric companies in North America are prepared to protect and defend their networks,” an EEI spokesperson explained. “This information sharing is representative of the strong industry-government partnership, which exists through the Electricity Subsector Coordinating Council, and is vital to guarding the energy grid from all possible threats.”
Power providers of all sizes are indeed capable of leveraging EEI resources and other best practices to protect their digital infrastructure and, by extension, improve grid defense. For example, utilities using mobile devices and other Wi-Fi-enabled fixtures can swap Wired Equivalent Privacy and Wi-Fi Protected Access protocols for Wi-Fi Protected Access II, a new more advanced alternative data security configuration capable of protecting internal wireless networks, Power Engineering International reported. In addition to granular solutions such as this, utilities must promote improved digital awareness within their industry, as only 50 percent of sector leaders consider cybersecurity an essential concern, the online magazine reported. On-the-ground operators need buy-in and support from their executives to effectively implement data security programs.
Of course, this work takes time. How are utilities supposed to embark on these long-term fixes when hackers seem to have access to critical systems and the ability to shut them off at any time? In this scenario, the advanced age of the American electrical grid works in the country’s favor, Scientific American reported. Older electrical fixtures can be switched back on manually in the event that cybercriminals knock the systems that control them offline. In short, decrepitness may be the grid’s saving grace, at least for the time being. With digitization moving forward, it is likely that common operating systems will soon replace these elderly manual controls. At the same time, the seasoned electrical professionals who know these older systems in and out are leaving the workforce.
The US-CERT report should be a wake-up call to utilities lagging on the technological front. Power providers need to update their technology and work with industry experts to implement bleeding-edge data security best practices in preparation for more concerted digital strikes. Here at DataVoice International, we help utility companies of all sizes modernize their operations using the latest sector-specific innovations. Our outage management system allows utilities to develop and deploy advanced management and emergency protocols, while the DataVoice mobile suite strengthens internal communication channels and empowers linemen, dispatchers and managers via the on-the-go tools. Together, these products can streamline field and office workflows, leading to service improvement and operational savings. On top of this, our offerings are made to stand up to modern cybercriminals, making them ideal for power providers looking to modernize and maintain strong data security protocols.
Connect with us today to learn more about our weather-tested products.