Examining the cybersecurity landscape of utilities and control systems

According to a federal indictment announced March 24, 2016, seven attackers with links to the Iranian government executed cyberattacks against dozens of banks from 2011 to 2013 that disabled their websites and interfered with hundreds of thousands of customers’ ability to access their online accounts.

Public announcements of cyber incidents against the financial system allegedly carried out by foreign actors are undoubtedly areas for concern. However, this announcement included an unusual twist that warrants potentially even greater worry: The attackers also targeted a small dam near New York City.

One of the alleged attackers is accused of repeatedly gaining access to the control system of the Bowman Avenue Dam, a small flood-control structure in Rye Brook, about 20 miles north of New York City, through a cellular modem that connected the dam's SCADA system directly to the internet.

According to the government's disclosure, the attacker was able to read information about the dam's operations, including its water level, temperature and the status of its sluice gate, and could have opened the gate and sent water pouring toward the city of Rye had the gate not been disconnected for maintenance when the intrusion occurred. Though it is one of the lesser-known of the roughly 75,000 dams in the United States, a successful cyberattack on the dam could have threatened a neighborhood of more than 200 residents, where 3,000- to 5,500-square-foot homes sell for more than $1 million.

The Bowman Avenue Dam incident illustrates a growing and disturbing reality: While online breaches such as Target, Home Depot, the IRS, the U.S. Office of Personnel Management, Staples and Healthcare.gov have grabbed the spotlight the last few years, and understandably so, attackers are extending the threat from the online and virtual to the physical world, in which damage could be even more severe.

It is important to understand Bowman was not the first cyberattack on critical infrastructure, and it is unlikely to be the last, with other utilities and key infrastructure operators as potential targets. The following are other recent examples:

  • In what is believed to be the first cyberattack to take down a power grid, roughly 225,000 customers in more than 100 cities and towns in western Ukraine suffered an hours-long blackout on December 23, 2015. The attackers first stole operator credentials, then used the utilities' own remote-access tools to open breakers from the control-system HMIs, and finally ran destructive malware (KillDisk) that wiped operator workstations and corrupted the firmware of serial-to-Ethernet converters, forcing the utilities to restore power manually.
  • In December 2014, the German Federal Office for Information Security (BSI) reported that a steel mill in the country suffered massive damage after a cyberattack. According to the report, the attackers used spear phishing (targeted emails carrying malicious attachments or links) and social engineering to gain access to the mill's office network, moved from there into the production network, and manipulated and disrupted control systems to the degree that a blast furnace could not be properly shut down.
  • In mid-2014, the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) asked critical infrastructure operators to review their networks for infection by Havex, a remote-access trojan used by the group known as "Energetic Bear" (also called Dragonfly). The campaign combined phishing emails, compromised websites and trojanized installers planted on ICS vendors' download sites. Once installed, Havex enumerated OPC servers on the victim network, giving the attackers an inventory of the industrial devices an operator could control and a foothold on the machines that control them.
  • In 2012, the computer network of Saudi Aramco, Saudi Arabia's national oil and gas firm, was struck by a self-propagating wiper, known as Shamoon, that overwrote the disks of as many as 30,000 of its Windows-based machines. Although the attack did not result in an oil spill, explosion or other major fault in Aramco's physical operations, it crippled the company's business processes and took about two weeks to recover from.

Utilities and other industries such as manufacturing and transportation rely on automated systems known as SCADA (supervisory control and data acquisition) to monitor and control processes and equipment from remote locations. These SCADA systems tend to be older systems whose protocols were designed for closed, trusted networks and were never built with the authentication and encryption that have become standard in today's internet-connected systems: a device that accepts a command typically has no way to check who sent it.

Given these known weaknesses, SCADA operators typically work to sever or strictly limit connections between these systems and the outside world, so that the network boundary does the job the protocols cannot. In many cases these separations are effective; however, the Bowman Avenue Dam and the attacks above show that the boundary is frequently leakier than operators believe, whether through a forgotten modem, a compromised office network or a trojanized vendor download, and that attackers are finding and exploiting those gaps.
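The two preceding paragraphs make an abstract point that is easier to see in a frame. The example below, added for this article and not code from any vendor or from the incidents it describes, builds and parses a Modbus/TCP "Write Single Register" request, which is one of the most common commands used to change a setpoint on a PLC. The frame format is the real one; note that nothing in it identifies or authenticates the sender. The second half shows the compensating control operators actually have: because the protocol cannot tell an operator from an intruder, a monitor on the control network must, so it flags any write to the PLC from a host outside an allowlist. The PLC address, the allowlisted workstation, the register number and every sample frame are constructed for illustration.

```python
"""Modbus/TCP has no authentication; the network boundary has to supply it.

Added example, not code from any vendor or incident. Addresses, register
numbers and sample traffic below are constructed for illustration.
"""
import struct

# Modbus function codes that change process state (function codes 1-4 only read).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def build_write_register(transaction_id, unit_id, register, value):
    """Build a Modbus/TCP 'Write Single Register' (function code 6) request.

    MBAP header: transaction id (2 bytes), protocol id (2, always 0),
    length of what follows (2), unit id (1). PDU: function code (1),
    register address (2), value (2). There is no credential, signature or
    session field anywhere: whoever can reach TCP port 502 can send this.
    """
    pdu = struct.pack(">BHH", 6, register, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_modbus_tcp(frame):
    """Parse the MBAP header and function code. Returns None if malformed."""
    if len(frame) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if pid != 0 or length != len(frame) - 6:
        return None
    fc = frame[7]
    info = {"transaction_id": tid, "unit_id": unit, "function": fc,
            "is_write": fc in WRITE_FUNCTIONS}
    if fc == 6 and len(frame) == 12:
        info["register"], info["value"] = struct.unpack(">HH", frame[8:12])
    return info


# Constructed policy: only the engineering workstation may issue writes.
PLC_ADDR = "10.10.1.20"
WRITE_ALLOWLIST = {"10.10.1.5"}


def check_flows(flows):
    """flows: list of (src_ip, dst_ip, payload) tuples captured on the control
    network. Returns alert strings for writes to the PLC from hosts outside
    the allowlist and for frames that do not parse as Modbus/TCP."""
    alerts = []
    for src, dst, payload in flows:
        if dst != PLC_ADDR:
            continue
        msg = parse_modbus_tcp(payload)
        if msg is None:
            alerts.append(f"{src}: malformed Modbus/TCP frame to {dst}")
        elif msg["is_write"] and src not in WRITE_ALLOWLIST:
            alerts.append(f"{src}: {WRITE_FUNCTIONS[msg['function']]} to unit "
                          f"{msg['unit_id']} register {msg.get('register')} "
                          f"value {msg.get('value')} from non-allowlisted host")
    return alerts


# Constructed sample traffic: an operator read (function code 3), an
# authorized write, the identical write from an outside address (the kind of
# host a forgotten modem exposes), and a truncated frame.
SAMPLE_FLOWS = [
    ("10.10.1.5", PLC_ADDR,
     b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    ("10.10.1.5", PLC_ADDR, build_write_register(2, 1, 16, 0)),
    ("192.0.2.77", PLC_ADDR, build_write_register(3, 1, 16, 0)),
    ("192.0.2.77", PLC_ADDR, b"\x00\x04\x00\x00\x00\x09\x01\x06"),
]

if __name__ == "__main__":
    for alert in check_flows(SAMPLE_FLOWS):
        print("ALERT", alert)
```

The PLC accepts the second and third frames identically; only the monitor can tell them apart, and only because someone wrote down which host is allowed to write. That is the whole argument for segmentation: the list of permitted talkers is the authentication the protocol never had, so an unexpected path into the network (the modem at Bowman Avenue) silently adds everyone on the internet to it.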

The risk to energy and other public services worldwide, including in the U.S., will only become more pronounced as more control systems are modernized and brought online. As companies embrace smart grids, which harness a new generation of sensors, wireless technology and software applications to manage the grid and energy usage, the attack surface and system complexity will only increase.

The industry is starting to take notice. After the Ukraine attack, a quasi-governmental U.S. electric industry group — the Electricity Information Sharing and Analysis Center, or E-ISAC — urged members to review network defenses and do a better job implementing multiple layers of defense against potential cyberattacks.

In July, the Federal Energy Regulatory Commission pushed for utilities to do more to thwart cyber intruders. FERC said it wanted the North American Electric Reliability Corp., the nonprofit that oversees the power grid in the U.S., Canada and part of Mexico, to develop new security standards.

Another government entity, the Department of Energy's Office of Electricity Delivery and Energy Reliability, says it has been working closely with the Department of Homeland Security, industry and other government agencies to reduce the risk of energy disruptions caused by cyberattack.

The increased awareness and regulatory action are all positive steps toward progress. However, much of the responsibility will fall on the individual utilities to implement and execute sound cybersecurity programs. Recent history is painfully demonstrating to us that hypothetical attack scenarios are now today’s breach victims.