Spear-phishing emails, malware and viruses have been identified as ways hackers aim to gain access to power plants, oil and gas firms and steel mills. When it comes to cyberattacks and data breaches, most people think about computer network security. But it is important to realize cybercriminals can – and do – target virtually any digital device or system, including power and electrical systems. When it comes to our nation’s electric, water and power utilities, cybersecurity needs to be a priority. This infrastructure is complex and plays a pivotal role in the delivery and performance of so many of our daily functions and processes.
It is not uncommon to hear about high-profile data breaches impacting major financial or health care institutions. For example, as TechCrunch contributor Stephen Boyer pointed out earlier this year, a handful of attackers associated with the Iranian government conducted cyberattacks on numerous banks between 2011 and 2013. While these types of cybersecurity incidents are not entirely unheard of, there was one particularly concerning detail: Among the targets was the Bowman Avenue Dam in Rye Brook, New York. Through a cable modem, the hacker was able to gain control of the system’s operations. This incident could have led to a flood that would have impacted nearly 200 residents’ homes.
Cybersecurity for utilities comes with its own unique challenges.
Cyber threats in utilities
The Bowman Avenue Dam incident is far from the first, or likely last, example of such a security breach seen in the electric power industry. In 2005, equipment malfunctions caused issues with the remote monitoring of a dam in St. Louis, Missouri, which resulted in the release of 1 billion gallons of water. In 2008, the CIA confirmed that a cyberattack in New Orleans led to a power outage spanning multiple towns. This brought to light concerns of utility breaches involving extortion which could have been attributed to power equipment disruptions in a number of areas outside the United States. Boyer listed several other examples of such events, like the 2015 malware attack on a power grid in Ukraine, which caused a blackout in over 100 cities throughout the area.
“Security attacks on the electric power industry threaten the physical safety of individuals.”
In addition to the sensitive data and information at risk, cyberattacks on utilities threaten the distribution of power throughout regions, as well as the function of operational processes at the individual, business and government level. When it comes to electric, water and other utilities, cybersecurity isn’t about preventing just digital disruptions; it is also necessary to prevent the kind of physical damage that could be experienced during a natural disaster.
Regulatory structure of the electric power industry
Ensuring the cybersecurity of power and electric grids is imperative. To understand what steps must be taken to improve the security of the industry, we should first understand its current state. Following the Energy Policy Act of 2005, the electric power sector must adhere to the mandatory cybersecurity standards and regulations set forth by the Federal Energy Regulatory Commission (FERC). The FERC and the North American Electric Reliability Corporation (NERC) work to create and implement enforceable standards that ensure the safety, reliability and security of utilities. However, just because there are certain guidelines and policies in place does not mean organizations are necessarily enforcing, monitoring or updating them adequately.
The utilities industry uses Supervisory Control and Data Acquisition (SCADA) systems to monitor and control tasks, processes and operations in a wide variety of settings, including chemical and electrical power generation plants, water treatment plants and dams. The NERC, Critical Infrastructure Protection (CIP), and Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) regulate these automated systems. And while SCADA systems have been helpful in addressing known vulnerabilities and risks, they do not seem to advance with the same rapid maturity and sophistication as cyberattacks. The increased digitalization of electric power infrastructure results in a number of attack vectors for cybercriminals to use, including:
- Ethernet cables
- Commercial hardware for Master Terminal Unit and Remote Terminal Unit platforms
“The risk to energy and other public services worldwide, including in the U.S., will be greatly accentuated as more control systems are modernized and brought online,” Boyer pointed out in his article for TechCrunch.
Furthermore, as more organizations start to implement smart grids and leverage sensor and wireless technologies and software, this sector’s cybersecurity landscape is going to grow only more complex.
The next steps
Last month, the FERC urged companies and agencies in the utilities industry to take more action in ensuring a strong cybersecurity defense, such as developing better security standards, Energy Central reported. And while refining regulation practices and standards is certainly a necessary component of improving electric power critical infrastructure safeguards, the organizations themselves need to be proactive as well. How?
- Upgrade legacy systems or implement new technology and tools that will ensure sufficient monitoring, detection and notification processes
- Use a multilayer cybersecurity strategy
- Develop an updated incident response plan
- Establish a long-term security improvement strategy
It is also imperative that these organizations prioritize cybersecurity training and awareness programs. Not only does education minimize the risk of security breaches attributed to human error, but it also helps ensure the best practices and methodologies are being used. At the National Cybersecurity Institute, we offer a range of IT certification preparation courses and programs that help professionals gain the latest training, expertise and skills needed to excel in cybersecurity, such as the one designed for the EC-Council Certified Chief Information Security Officer.