Just weeks after federal officials confirmed the first known disruption caused by a hack of the U.S. electric grid, a new industry survey reveals that power providers are at a loss for how to respond to rapidly evolving and ever more potent cyber threats.
Cyberattacks have evolved from sieges on information, like office files and data, to the types of attacks that once seemed relegated to Hollywood, imperiling critical infrastructure like substations, high voltage transmission lines, and even power plants themselves.
More than half of the world's electric utilities say they're ill-prepared to fend off such an attack, according to the survey released Friday by Siemens, which was conducted in the first half of the year. Roughly the same number reported that a cyberattack has forced a shutdown or loss of operational data – not just one time, but at least once per year. And a quarter have been hit by so-called "mega attacks" like the WannaCry ransomware attack, which had infected hundreds of thousands of computers at a cost of more than $8 billion.
"This is not just a theoretical issue, but is a very real national security issue," former Homeland Security Secretary Michael Chertoff said Friday while introducing the study's findings at the Atlantic Council, a think tank based in Washington. "The surface area for attacks is dramatically increasing."
The report comes just weeks after the North American Electric Reliability Corporation, a federal regulator, confirmed that a remote hacker – for apparently the first time – interfered with the U.S. electrical grid, disabling systems that had allowed an unnamed utility to communicate with and monitor crucial power sites in Utah, Wyoming, and California. The breach, first reported this spring by E&E News, did not cause any power outages, but it underscored the vulnerabilities facing an electric grid often hamstrung by outdated software, legacy equipment, and deep layers of regulation, even as it integrates decentralized energy resources like solar panels and wind turbines that demand ever more connectivity.
Attackers meanwhile have also flexed their muscles overseas: Successive cyberattacks have repeatedly brought down parts of the electric grid in Ukraine, robbing hundreds of thousands of homes of heat and power in the dead of winter. Last year, a sophisticated cyberattack apparently sought to trigger an explosion at a chemical plant in Saudi Arabia.
"In each of those cases, there's one common thread, and that is visibility: The operator didn't know at first if she or he was experiencing a cyberattack or if their core system was malfunctioning," said Leo Simonovich, global head of industrial cyber and digital security for Siemens Gas and Power, and the lead author of the company's report. "If we want to build confidence in the industry, we have to empower the industry with information; if they're operating blind, they feel uneasy about this. Can you detect? Can you contain? Can you respond? [That] only 18 percent [of utilities are] using the right kind of tools is a proxy for this kind of problem."
Cheddar spoke with Simonovich about this evolving threat to utilities and other industrial sites, from petroleum refineries to petrochemical plants – what he called "the new risk frontier." The interview has been edited and condensed for clarity and brevity:
  • What did you find in this study?
If you look at the frequency of attacks targeting the operating environment – and we're talking about power plants, substations, high voltage transmission lines – they are getting worse. And the industry is not well-prepared to address these challenges: 58 percent said that they're not well-prepared to address this challenge. And once an attack does happen, they're not well-prepared to respond – one-third do not have a basic incident response plan.
Digitization has driven enormous benefits: The grid has become more resilient, more intelligent, the upward production capacity from traditional fossil to renewables – there's enormous promise there. But that requires connectivity, a catch-22: the more connectivity you have, the more attack surfaces you have, the more opportunity for malicious actors to cause damage.
  • This report is based on self-reporting from people inside the utility sector – do you think their responses are actually over-reporting or even under-reporting these incidents?
Many of those attacks are coming from nation-states, and utilities are faced with a perfect storm: They have to deal with machine-speed attacks on legacy assets that are interconnected, with security being an afterthought. And in many ways, they're not prepared to deal with that.
Some utilities don't know what assets they have. Others don't know whether an adversary is in their networks, is traversing their networks, and can activate and cause damage. It took something like 88 days for organizations to respond to a cyberattack. Only 18 percent are using any sort of artificial intelligence and analytics to do detection. In many ways, they're operating blind.
There's an enormous skills gap – a small organization may be lucky to have one to three, one to 10, people that do security. And the ones that do operational technologies are nonexistent. Who owns industrial security today? The job of operating plants has been with operations – the people who operate the controls that manage power. The job of security has been with the chief information officer. Those two groups don't speak the same language.
  • This isn't the first time we've heard about the threat of cyberattacks to the electric grid. Why does there still seem to be such a disconnect between these types of alarming findings and the response from the industry?
We have to have a mindset change, and that is already happening. We are moving away from being based on compliance [with regulations]. We think compliance is important. It helps provide us a baseline, it provides hygiene, but what it doesn't do is protect against a changing adversarial environment, which is becoming more potent and more hard-hitting.
The energy value chain is becoming more compressed – there are oil and gas companies that are now the largest producers of power in the world. The good news is that there is real awareness of this problem.
  • The report found that insider threats make up the majority of the attacks on this type of infrastructure. Why is that?
It's not a question of who, it's a question of how. So nation-states may use someone – whether it's a negligent insider, or someone who brings a stick into the plant and then puts it into the control system, or brings in an iPhone and charges it in a system – and suddenly malware is introduced into the environment.
Some environments are air-gapped, they're not connected to the internet. And yet they are still vulnerable, and they're vulnerable because the way the adversary will work: They'll spread the malware on office networks, and then someone will bring it into the plant.
The flip side of that coin is when you're disconnected you can't see your operating environment. So the panacea of just unplugging, 'let's just go back to analog,' is not feasible anymore because it's not sustainable from a business standpoint and it doesn't give you security.
  • Smaller organizations tend to have less of a capacity to respond to cyberattacks. What does that mean in this era of distributed resources, where we're seeing newer, smaller companies provide power from distributed resources like wind and solar?
[If] you and I put solar panels on our houses, we are now connected and we are connected to the trade system. So the idea of a castle and a moat as a way to protect yourself doesn't apply anymore. The value chain is distributed, it's decentralized, and it's hyper-connected.
Utilities spend 30 percent of their funding on compliance – it's a big number. Not that compliance is bad, but it has to be rationalized against the size and the ability of the utility. There has to be a way to pool resources for providers who specialize in operational security to address these problems that the threat environment is introducing.
  • You've mentioned compliance a few times – what role should the government be playing?
The government has to encourage a risk-based approach and how we can pool resources together to address this wave. Regulation is not bad. It's been really important in lifting the middle and providing a key foundation for basic hygiene issues. But when you have regulation that's really prescriptive, sometimes it lags and sometimes it's really patchy.
The introduction of renewables into the grid, and the introduction of things like the cloud – we're only just beginning to see regulatory [action] around the cloud. Cloud has been around for a long time, and we're just seeing it with utilities.
Digitalization is core to the operating model. So how do we enable things like the Internet of Things to happen? How do we deal with these more sophisticated attacks? The government has an important role to play in establishing regimes, trans-Atlantic regimes that make sense for things like transfer of data, but helping to secure against these nation-state-based attacks.