Late in November, just days before the Thanksgiving turkey hits the dinner table, hackers will launch a coordinated assault on the North American power grid. They will target power generation plants, transmission towers, and distribution facilities in a show of force that will leave millions of homes without power and shut down infrastructure facilities.
The FBI, the Department of Homeland Security, and dozens of chief information security officers (CISOs) at major utilities will struggle to respond and keep the assault from spreading. Fortunately, they will have a direct line to the attackers and understand their motives: They want to protect us.
This attack scenario is part of a massive effort by the North American Electric Reliability Corporation (NERC), the industry's watchdog, to stress-test the readiness of our energy system: to find its strengths and probe its weaknesses to a digital or physical attack. NERC will launch this simulated assault against hundreds of utilities on Nov. 16 and 17.
The stakes have never been higher. Last year, ransomware and supply chain attacks against utility networks more than doubled, according to a NERC study. In the two years since NERC's last drill, in 2019, there has been a global pandemic. Utility networks have ballooned under remote working, and the attack surface available to hackers has grown as the number of remote worker endpoints has exploded.
NERC is leaving it to utilities to invite software developers to participate in the drill. But utilities don’t always do so, and that is raising alarm bells. Recent supply chain hacks of software provider Kaseya in July and SolarWinds last year underscore how important software suppliers are to many sectors, including utilities, federal agencies, and the nation’s critical facilities.
Security testing of utility networks is incomplete without the participation of the major players in those networks. So say experts like Tim Conway of the SANS Institute, a cyber-research and training organization. Conway is technical director of SANS’s industrial control systems (ICS) and supervisory control and data acquisition (SCADA) programs. Software developers play “a very important role in the real world as partners to their customers in continuous defense and detection of potentially malicious events,” he says. “They are essential to operations.”
Real alarm bells
The grid security exercise (GridEx), as NERC's drill is called, has taken place every two years since 2011. In the first drill, 24 utilities took part. Intruders physically broke into substations and backup control centers and installed malware that disrupted key business processes. In 2019, simulated cyber and physical attacks on 254 participating utilities proved they could disrupt fuel supply, interrupt energy control systems, and cause damage to generation, transmission, and distribution facilities.
The 2019 simulation was split into four segments. In the first part, NERC's shared cybersecurity risk portal, the Electricity Information Sharing and Analysis Center (E-ISAC), alerted utilities to a possible imminent threat against the grid. It then shared information about a malware campaign targeting control systems, and the grid started to experience a generation shortfall.
The peak impact of the attack occurred in part two, knocking out power to 5 million homes and affecting water treatment plants. In the parts that followed, utilities and the government enacted response plans and coordinated next steps to neutralize the attack. ICS vendors released the software patch needed to repair the damaged systems, utilities installed it, and grid power was restored.
In the 2019 test, utilities' reliance on vendors to get the grid back online was clear. But in that drill, only three major supply chain vendors took part. And in the previous GridEx, in 2017, utilities invited no vendors at all. In its "Lessons Learned" report following the 2019 drill, NERC said some utilities "lacked the resources necessary to coordinate responses" to the simulated attack and concluded, "It is incumbent upon participating organizations to include supply chain partners in their response plans."
As utilities have become more digitized and interconnected, their attack surface has grown. It increasingly includes third parties such as software developers, whose product updates can be a back door for hackers, as the SolarWinds compromise showed. The security of utilities is becoming more dependent on the cyberdefenses of the companies they interact with.
NERC still maintains that it is not its responsibility to invite developers to the test. While NERC does "strongly encourage" utilities to include vendors, it believes that "participants are best at determining which vendors are critical to their operations," says NERC spokesperson Rachel Sherrard.
At this year’s test, Sherrard says, NERC will allow some vendors to observe the part of the exercise designed for senior industry executives and top government officials. This invitation-only portion, known as the Executive Tabletop, comprises CEOs, COOs, and senior officials from agencies including the DHS, Department of Defense, FBI, and the White House’s National Security Council. Their task is to decide on and implement “high-level measures” needed to restore the grid after the simulated cyberattack.
So at this year’s drill, some vendors will be involved at the request of NERC, while others will be there at the invitation of individual utilities, and it isn’t clear how many vendors will be taking part. Given that, it’s hard to see how the simulation can fully replicate a real-life cyberattack. For some in the industry, that’s not good enough.
“Identifying how software breaches impact systems is a critical part of protecting our networks,” says Anne Marie Corbalis, media relations manager for Consolidated Edison of New York.
When NERC began the tests, everything that utilities had in place, including cybersecurity software, was tested at the drills. Now the industry's networks are more fluid. At any given time, different third parties are active in a utility's environment, from software developers to vendors providing outsourced functions such as HR, finance, and auditing. Utility networks aren't standing still, and every added element needs robust cybersecurity.
Conway says utilities should identify the developers who have a critical role in their security shields and specifically invite them to the GridEx drills. This will help developers and other suppliers spot and respond to real-life vulnerabilities.
Utilities need cyber hygiene
Whatever its flaws, the value of the biennial cyber-assault simulation can’t be doubted. But the dynamic nature of utility networks means that continuous monitoring, reviewing, and upgrading of cyberdefenses is equally important.
One of NERC’s recommendations to the utilities sector in its 2019 report is the need for a carefully crafted incident response plan, which is crucial to an organization’s cyber hygiene. Utilities must coordinate with federal, state, and provincial authorities in the event of a serious hack.
During the pandemic, the gold standard for secure interaction between endpoints has been zero trust. With this approach, no endpoint, device, or user is trusted by default, whether it sits inside or outside the corporate network; every access request is authenticated and authorized on the basis of who is requesting it, the context of the request (the device, its compliance state, location, and time), and the risk it poses to the network.
Other cyber hygiene practices also go a long way to shoring up defenses. They include:
- Inventorying all endpoints: Keeping track of all assets, including laptops, PCs, tablets, and even virtual machines in the cloud, gives you complete network visibility and lets you monitor endpoints in real time, which helps to reveal potential vulnerabilities and active threats.
- Software management tools: These let you keep pace with apps, devices, software, software updates, and patching. A single platform can help utilities detect, monitor, and secure enterprise applications from one console.
- Multifactor authentication: Requiring multiple methods of authentication, along with strong password hygiene, provides a simple yet robust defense against hackers that might have prevented the Colonial Pipeline security breach.
- Cyber risk scoring: A cyber risk score helps to evaluate internal vulnerability management and that of third-party vendors.
- Active threat hunting: Searching for unusual activity lets you monitor platforms as well as seek out and remediate threats before hackers have a chance to do any damage.