Last week, the Kentucky Office of Homeland Security hosted an exercise simulating attacks on the power grid and government computer networks. Participants included law enforcement, first responders, and private sector representatives engaged in health and security.
The exercise centered on how the state would react if hackers were able to take down Kentucky's energy grid while simultaneously engaged in the exfiltration of information from government computer networks. The goal was to provide a gap model and develop best practices that can be utilized by other states and by the federal Department of Homeland Security (DHS).
Also last week, InfraGard of the National Capital Region announced a partnership between the FBI and the private sector to protect critical infrastructure and provide a comprehensive effort to recognize and support National Critical Infrastructure Security and Resilience Month. The initiative supports the DHS' National Protection and Programs Directorate's (NPPD) Office of Infrastructure Protection mission to raise awareness around critical infrastructure protection during the month of November. The energy sector has been a key area of attention for the NPPD.
Perhaps the most concerning news item was the announcement by the head of the United Nations nuclear watchdog, International Atomic Energy Agency Director General Yukiya Amano, that a nuclear power plant in Germany was hit by a "disruptive" cyberattack within the past three years. Amano was quoted by Reuters as saying: "This issue of cyberattacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything or if it's the tip of the iceberg." And he noted that this is "not an imaginary risk."
It should also be noted that in 2014, a computer in the control room at the Monju Nuclear Power Plant in Tsuruga, Japan, was infected with malware, possibly by accident rather than as a targeted attack. And in late 2014 and into 2015, hackers targeted South Korea's Korea Hydro and Nuclear Power Company, leaking internal documents but, fortunately, without disrupting plant operations. Most cyber experts believe that North Korea was behind that attack. These incursions are a wake-up call, as there is a very real and growing fear that a future cyberattack on a nuclear plant could risk a core meltdown.
Non-nuclear parts of the grid have also been subjected to intrusions and breaches. A hack in Ukraine has been held up as the prime example. In December 2015, attackers who had gained remote access to the control systems of Ukrainian regional distribution companies, including Kyivoblenergo, opened breakers at substations and left roughly 80,000 of Kyivoblenergo's customers without power for about three hours. It was the first publicly confirmed cyberattack to cause a power outage.
Refineries, dams and data centers are all potential targets of cyber incursion. According to a report released last month titled "The Road to Resilience: Managing and Financing Cyber Risks," oil and gas companies around the world could be spending up to $1.87 billion on cybersecurity by 2018.
There have been attempted cyberattacks on grids and utilities, many via phishing and ransomware, and some have been successful. Adm. Mike Rogers, head of the National Security Agency and U.S. Cyber Command, has stated that only two or three countries have the ability to launch a cyberattack that could shut down the entire U.S. power grid and other critical infrastructure.
Much of our grid still relies on antiquated technologies, and more investment in defenses is needed. As technology advances and as threat actors (including cyber mercenaries) acquire tools via the dark web, the number of adversaries capable of such an attack could expand in the near future.
In 2013, President Barack Obama issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," which called for the establishment of a voluntary, risk-based cybersecurity framework developed jointly by the private and public sectors.
Rep. Trent Franks, R-Ariz., chairman of the congressional EMP Caucus and considered the foremost expert in Congress on electromagnetic pulses, has introduced legislation (HR 3410) called the Critical Infrastructure Protection Act. The bill would direct DHS to implement practical steps to protect the electric grid by training and mobilizing first responders for possible EMP events.
Along with Franks and Peter Pry, who heads the Task Force on National and Homeland Security (a congressional advisory board), several noted industry and policy experts, including former CIA Director Jim Woolsey; Frank Gaffney, former deputy assistant secretary of defense and president and CEO of the Center for Security Policy; and Michael Del Rosso, former chairman of the IEEE-USA Critical Infrastructure Protection Committee, have been especially active in alerting the public to the critical need to find near-term solutions to protect the grid.
Clearly the entire energy critical infrastructure is justified in garnering the attention of DHS, states, regulatory organizations and the many subject-matter experts on the topic of cybersecurity.
While the threats are complex and the threat actors varied, ranging from lone hackers to state sponsors, organized criminal enterprises and terrorists, there are several themes to adhere to in order to mitigate risk. These include:
- Remain vigilant and continually analyze and game the energy cyberthreat landscape, as the methods, means and malware variants are constantly morphing.
- Share and communicate cybersecurity information between the public and private sectors (a majority of the energy infrastructure is owned by the private sector). The government and industry are currently using programs including the Cybersecurity Risk Information Sharing Program (CRISP) and the Trusted Automated eXchange of Indicator Information (TAXII) to facilitate rapid sharing of threat indicators. DHS NPPD has established an active and successful program in the area. DHS' Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 295 incidents across the critical infrastructure sectors in fiscal year 2015, with energy among the most frequently targeted sectors.
- Follow industry protocols, especially those related to Supervisory Control and Data Acquisition (SCADA). Power companies use SCADA networks to control their industrial systems, and many of these networks run protocols designed without authentication, so they need to be updated, segmented and hardened to meet growing cybersecurity threats.
- Maintain robust access management controls and cyber incident response programs. This includes following National Institute of Standards and Technology, North American Electric Reliability Corporation, Federal Energy Regulatory Commission and U.S. Nuclear Regulatory Commission cybersecurity protocols.
- Invest in next-generation security controls and cybersecurity technologies.
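The SCADA hardening and access-management themes above can be made concrete with a small monitor. The following is an added example, not code from the article or from any utility named in it. It assumes a flat control network in which a passive tap sees Modbus/TCP (port 502) traffic, that the set of hosts permitted to write to PLCs is known, and that only the four Modbus function codes listed are treated as state-changing writes; the host addresses and frames are constructed for illustration.

```python
"""Flag Modbus/TCP write commands that do not come from an approved writer.

Added illustration (not the article's code). Assumptions: a passive tap on a
flat SCADA segment hands us (src_ip, dst_ip, tcp_payload) tuples for port 502,
and ALLOWED_WRITERS is the maintained allowlist of engineering workstations.
"""
import struct
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Modbus function codes that change PLC state. Assumption: these four are the
# only ones the site treats as "writes" for alerting purposes.
WRITE_FUNCTIONS: Dict[int, str] = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

Frame = Tuple[str, str, bytes]  # (src_ip, dst_ip, Modbus/TCP payload)


def parse_modbus_tcp(payload: bytes) -> Optional[Tuple[int, int, int, int]]:
    """Parse one Modbus/TCP request; return (transaction_id, unit_id, function, address).

    MBAP header: transaction id (2), protocol id (2, must be 0), length (2),
    unit id (1); the PDU follows with the function code and its data. The
    length field counts unit id + PDU, i.e. total - 6. Malformed -> None.
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    function = payload[7]
    # For the read/write codes of interest the PDU carries a 16-bit start
    # address right after the function code; -1 if it is not present.
    address = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else -1
    return tid, unit, function, address


def find_unauthorised_writes(frames: Iterable[Frame],
                             allowed_writers: Set[str]) -> List[Dict]:
    """Return one alert per write command whose source is not allowlisted."""
    alerts: List[Dict] = []
    for src, dst, payload in frames:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:          # not a well-formed Modbus/TCP request
            continue
        tid, unit, function, address = parsed
        if function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append({
                "src": src, "dst": dst, "unit_id": unit,
                "function": function, "name": WRITE_FUNCTIONS[function],
                "address": address, "transaction_id": tid,
            })
    return alerts


# Constructed sample traffic (not captured from any real network).
ALLOWED_WRITERS: Set[str] = {"10.0.1.20"}           # engineering workstation
SAMPLE_FRAMES: List[Frame] = [
    # HMI reads 10 holding registers from PLC: read-only, never alerted.
    ("10.0.1.10", "10.0.2.5", bytes.fromhex("000100000006 01 03 0000 000A".replace(" ", ""))),
    # Engineering workstation writes a single coil: allowlisted, no alert.
    ("10.0.1.20", "10.0.2.5", bytes.fromhex("000200000006 01 05 0013 FF00".replace(" ", ""))),
    # Unknown host writes two registers starting at 100: this is the alert.
    ("10.0.1.99", "10.0.2.5", bytes.fromhex("00030000000B 01 10 0064 0002 04 0001 0002".replace(" ", ""))),
    # Protocol id is 1, not 0: malformed, skipped rather than trusted.
    ("10.0.1.99", "10.0.2.5", bytes.fromhex("000400010006 01 06 0000 0001".replace(" ", ""))),
]


if __name__ == "__main__":
    for alert in find_unauthorised_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(f"ALERT {alert['src']} -> {alert['dst']} unit {alert['unit_id']}: "
              f"{alert['name']} at address {alert['address']}")
```

The check is deliberately one-sided: a write from an allowlisted host is not proof of a legitimate change (the Ukraine attackers used stolen operator credentials and remote access), so this kind of monitor belongs alongside host-level access controls and change logging, not in place of them.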
The World Energy Council says countries must raise their game in combating cyberattacks on nuclear and other energy infrastructures. They note that the frequency, sophistication and costs of data breaches are increasing. The expanding cybersecurity focus on energy infrastructure by both the public and private sectors is certainly a welcome development.
Charles "Chuck" Brooks serves as the vice president for government relations and marketing for Sutherland Government Solutions. He served at the Department of Homeland Security as the first director of legislative affairs for the Science and Technology Directorate. Find him on Twitter at @ChuckDBrooks.