This blog is contributed by guest author Joy Ditto. Joy is an influential leader in the power industry and is a stragic advisor to Industrial Defender. Prior to launching her consulting firm, Joy served as president and CEO at the American Public Power Association, president and CEO of the Utilities Technology Council, and has held influential roles throughout the US Government focusing on energy and national security.
October was Cybersecurity Awareness Month. Yay. I mean, not really “yay, yay” (because who really wants to have to worry about cybersecurity?). But “yay” because there are a lot of people who worry about it for us, and they should have a dedicated month to highlight that vigilance.
Heightened global tensions caused by the conflict in the Middle East only increase the need for ongoing vigilance, beyond October, of course. For example, according to many press reports at the time, the U.S. and Israel in 2010 jointly developed a malicious computer worm known as Stuxnet in order to disrupt the Iranian nuclear program. In 2012, Stuxnet was unleashed and reportedly destroyed a fifth of Iran’s nuclear centrifuges as well as spreading to other control systems around the world, causing hundreds of machines to physically degrade.
The governments of both countries never acknowledged the joint action, but experts subsequently learned that the Stuxnet worm was targeted at Supervisory Control and Data Acquisition (SCADA) systems and their programmable logic controllers -- industrial control systems (ICS) enabled by digital components. We don’t know how the Stuxnet worm was able to infiltrate Iran’s nuclear program exactly because many of these systems are “air-gapped” from the public-facing internet – there could have been an unknown internet access point or a saboteur could have taken an infected flash drive physically into the targeted facility.
Such cyber-warfare against critical infrastructure systems occurred prior to Stuxnet – once digital systems began to be used as an enhancement of electro-mechanical processes beginning in the 1980s, the possibility existed. But widespread deployment of SCADA and other ICS in the early 2000s unleashed the era of cyber-warfare in earnest. Stuxnet “proved the concept” that methodical penetration of ICS could impact operations. Subsequently, in 2015 Russia developed a malicious threat known as Sandworm that infiltrated Ukraine’s state-run electric grid and caused operational impacts – the first time such an attack had occurred on an electric system. As of this writing, U.S. electric utilities, working collaboratively, have avoided such a consequential attack.
The current geopolitical situation, therefore, directly correlates to what is highlighted in Cybersecurity Awareness Month here in the U.S. Cybersecurity professionals across the electric sector are always vigilant (semper vigilans), but they will continue to seek ways to bolster their defenses, especially now. While others across critical infrastructure sectors also must maintain strong cybersecurity, the electric sector is the only one of those 16 sectors that has mandatory and enforceable critical infrastructure protection (CIP) standards. These standards focus on the interconnected bulk electric system, where a problem in one location could cascade into other areas.
Securing U.S. Electric Infrastructure
The electric sector has worked since 2008 to develop, implement and revise a thorough set of mandatory cybersecurity standards for digital assets that, if compromised, could impact the bulk electric system. The standards focus on the most important assets first – those known as “high-impact.” While the high-impact assets are the crown jewels, the sector has also defined and categorized medium- and low-impact assets, implementing cybersecurity standards that consider the relative importance of such assets. This prioritization has been very helpful as the industry has sought to tackle the cybersecurity problem methodically over time.
As the industry has matured, our adversaries have as well. To effectively defend their infrastructure, the electric sector focuses on a broad range of cybersecurity efforts – the standards (known as NERC CIP) as well as activities that go beyond the standards such as information-sharing amongst utilities, other sectors, and the government, among other things.
Expanding Security Efforts Across The Grid – Substations, Low Impact & Distributed Assets
In the next stage of their efforts to scale across the vast electric landscape, utilities are now looking more closely at low-impact assets and how those might be better protected and monitored, whether subject to standards or not. Electric utilities do not want to be vulnerable to a cyber attack that results in operational consequences (outages or damage to grid assets), whether limited to local distribution assets or whether with the potential to cascade and impact other neighboring utilities/communities connected to the BES. Whenever there is an unexpected electric outage, it directly impacts people’s lives – their health and well-being, their ability to perform their work, or their businesses. This has been true for almost 100 years. In fact, when Thomas Edison died in 1931, many called for electric utilities to turn off their systems for one minute as an homage to the great man. President Herbert Hoover’s response was a resounding “no” because of the damage it could do to the health and welfare of the country – even then.
While we have not yet had a cyberattack resulting in outages in the U.S., we have seen physical attacks on substations resulting in unplanned outages. Whether due to physical or cyber-attack, the unknown element is markedly different than when a serious weather event causes an outage. With weather, the reason for the outage is known – maybe some of the specifics need to be sussed out, but the overall causation is clear. Not so with attacks – if a substation goes down, grid operators can tell immediately, but they may not immediately know why. The why matters in the delicate balance of electric grids. More damage can be done to the system if the response to a downed substation is not correctly calibrated -- operators may choose to allow an outage to protect the system and enable it to come back online rather than risk potentially overloading and causing physical damage.
The good news about digitalization is that it can enable greater situational awareness overall – better enabling electric utilities to prevent vegetation from causing outages or pinpointing damage done during storms to expedite restoration. It also enables customers more choice about how they consume and store energy. The challenge with such digitalization is, of course, ensuring cybersecurity. Now that the electric sector has spent 15 years implementing standards and undertaking other efforts to protect its high- and medium-impact cyber assets, it is time to focus on those low-impact cyber assets that might only have a nominal effect on the BES, but can have a big impact on communities. In so doing, the industry can prepare for those low-impact assets to become medium- or high-impact as grids continue to evolve and it can potentially eliminate the need for additional regulation.
This is the type of evolution and ongoing vigilance that Cybersecurity Month highlights and that the sector and its hardworking cybersecurity professionals undertake 24/7/365.
See how Industrial Defender can help you monitor your assets across your substations: https://www.industrialdefender.com/resources/data-sheet-scaling-ot-cybersecurity-practices-across-substations