Following an uptick in threats targeting energy and critical infrastructure sectors, the U.S. government, along with private regulatory organizations, are pushing for increased security measures to protect the power grid from potentially devastating cyberattacks. These measures include forcing compliance with existing regulations, expanding awareness of cyber threats, identifying vulnerabilities, and bolstering security efforts.
Details
The successful 2015 Ukraine power grid cyberattack, as well as more recent events including the March 2019 attack on the U.S. power grid reported by NERC, and the LookBack phishing campaign targeting power utilities, have been a wakeup call for officials in the energy and critical infrastructure sectors.
As part of October’s National Cybersecurity Awareness Month, utility companies, government entities, and private organizations are working to increase awareness of, and protections against cyber threats. According to the U.S. Government Accountability Office (GAO), cybersecurity threats from threat actors who seek to infiltrate industrial control systems are of primary concern.[1] In order to address these concerns, officials in this industry are taking action. A non-profit organization named Protect Our Power has launched research studies into potential vulnerabilities in current regulations and in the energy supply chain. A summit meeting hosted by the Pennsylvania Public Utilities Commission was held in August to discuss emerging cyber threats, cybersecurity auditing, and risk management. The goal was to provide utility companies with the resources they need to adhere to cybersecurity best practices, including a new Cybersecurity Manual released by the National Association of Regulatory Utility Commissioners.[2] Members of the Edison Electric Institute (EEI) invested over $60 billion last year in support of critical infrastructure security efforts.
The surge in internet-connected devices including sensors, monitoring devices, and data acquisition devices related to grid analysis makes industrial control systems significantly more vulnerable to cyberattacks. National Institute of Standards and Technology (NIST) is soliciting cybersecurity vendors to help develop security solutions for the "Industrial Internet of Things."[3]
A challenge facing these efforts is the limited public-private information sharing in these sectors as well as a lack of visibility into the vulnerable systems. Recent audits by the Federal Energy Regulatory Commission (FERC) have revealed 'potential compliance infractions' by Bulk Electric System (BES) operators. Critical Infrastructure Protection (CIP) standards require that BES entities categorize their assets as High, Medium or Low Impact and "consider all generation assets, regardless of ownership, when categorizing bulk electric system cyber systems associated with transmission facilities."[4] The compliance issues identified by FERC were regarding improper categorization of cyber systems associated with transmission networks, which could put system reliability at risk in the event of a cyberattack or disruption.[5]
On an even higher level, the Department of Homeland Security has recognized the need for early warnings to utility companies as a means of mitigating cyber threats and their potential damages. DHS is now requesting that Congress to grant it broad subpoena power that would obligate Internet companies to share the names of organizations that are vulnerable to cyberattacks.[6] Many industry officials are concerned that this subpoena power could be abused by DHS and that it may violate companies’ privacy rights, however supporters feel that the benefits outweigh the potential overreach. The privacy issue could make this proposal a hard sell unless Congress can find a way to limit the authority though “transparency, record keeping, and oversight provisions, in order to make sure it doesn’t get used for other purposes.”[7]
Conclusion
Collaboration between cybersecurity experts, government entities, regulatory organizations and energy companies will be imperative as threat actors continue to target critical infrastructure. Although there are many opportunities for improvement, actions being taken to increase security measures are a step in the right direction. Wapack Labs offers analytic monitoring tools, such as RedXray, as well as weekly intelligence reports on cyber threats affecting the energy sector to foster this collaboration.
Wapack Labs is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Download Report: TR-19-291-001_Policy_Changes.pdf
[1] https://dailyenergyinsider.com/news/22203-industry-government-team-up-to-protect-electric-grid-from-cyber-security-threats/
[2] DailyEnergyInsider
[3] UtilityDive
[4] https://www.utilitydive.com/news/ferc-cybersecurity-report-identifies-potential-compliance-infractions/564679/
[5] UtilityDive
[6] https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/10/10/the-cybersecurity-202-there-s-a-fight-brewing-over-homeland-security-s-push-for-subpoena-power/5d9e146888e0fa747e6d520b/
[7] Washington Post