It''s no exaggeration to say that without access to electricity, almost every developed nation on earth would grind to a halt. A well running, and well protected, electrical grid is crucial for normal day-to-day life, in schools, hospitals, homes and businesses. It is this ubiquitous need for electricity that drives the very real possibility of a cyberattack targeting the national electrical grid – arguably the most crucial piece of national infrastructure in a modern economy- and drives the security industry to make sufficient progress to protect it.
This makes the electrical grid something of a holy grail for cybercriminals and nation-state actors, who could use a widespread blackout for financial and political gain in many ways. We can ascertain confidently that the threat is real, but what about the response from the utility industry, and from the security industry? Are we prepared for large-scale attacks on the national infrastructure, and if we aren’t, how can we be?
A global survey released earlier this month by Accenture revealed that 63% of utility executives believe their country faces at least a moderate risk of electricity supply interruption from a cyberattack on electrical distribution grids in the next five years. It is a sobering thought that such a high percentage of people within the utility industry believe this is feasible. Revealed in the same report, and even more sobering, is that only 27% of executives suggested that they design specific protection for key assets and 37% that they manage cyber incidence recovery programs.
This shows that the utility industry is yet to take the threat presented by malicious actors targeting their key assets seriously. The technology to protect utilities exists, and has done for some time. As updating, repairing, and modernizing the physical infrastructure of electrical grids is clearly a priority for these organizations, to neglect security entirely represents a catastrophic underestimation of how devastating an attack could be.
Possibly the most worrying facet of this report is that it is not new information. In 2014, the Poneman Institute published results of a survey that indicated 67% of critical infrastructure companies had suffered some sort of cyberattack. Of course, without the details, we can’t definitively assess whether these attacks are applicable to production environments; however, recent events such as the attacks in Ukraine have shown us that transitions from enterprise networks to operational networks are a very real possibility.
According to the 2016 Verizon Data Breach Investigations Report (DBIR), 24 utility-related breaches were included in their analysis, with many more spanning industrial environments from mining to healthcare. So, we know that throughout the last few years, security professionals and industry surveys have indicated that critical infrastructure could be at risk. But when was the possibility first raised?
In the United States, the concept of protecting the electrical grid from cyberattack was put into motion seriously in 2006 and has been the topic of executive orders and government initiatives for the past decade. More work is still to be done, as many of these systems were not developed to be cyber-resilient. Operators are continuing to develop policies, procedures, and technical requirements to meet cybersecurity goals. Vendors of these systems are continuing to improve them to incorporate cybersecurity as a stakeholder, but as mentioned earlier, their core priorities are increased efficiency and affordability.
The effort to improve efficiency and lower cost is driving the technical requirements for converged networks and increased data transfer requirements, as much of the proposed technologies enable efficiency through advanced analytics and increased connectivity. In addition, operators need remote support for more advanced systems, including support for information security requirements, also increasing the need for connectivity to (sometimes) previously non-IP-connected systems.
With this increase in connectivity comes an increase in risk. Anytime new pathways to these systems are added, they must be properly secured based on their individual characteristics following a risk-based approach. Requirements and guidance for security can be found in several publications developed by professionals in both information security and operational environments.
With the increase in risk, the opportunity for directed cyberattack also increases. Potential attackers range from hobbyists to nation-states disrupting infrastructure. Now, the actual risk versus the perceived risk to a given organization is complete speculation and is about as difficult to predict as the next location lightning will strike. That said, the precedent for infrastructure disruption as a powerful means of attack has already been set globally.
Though the United States has been pursuing critical infrastructure protection (CIP) initiatives for several years through regulation, much of the world is not at the same level of maturity and is just now beginning to delve into the operational technology cybersecurity realm. This is particularly true in the Middle East, India and the Asia Pacific region, as a significant increase in awareness has led to security initiatives in these areas.
What we can take away as a positive is that utility executives are aware of the potential risks, and we can hope they are actively pursuing remediation programs to improve the security of their operations, keeping our core infrastructure safe.