• September 30, 2016

Lights Out: Energy Security and the Enterprise

Grid security is threatening the enterprise ecosystem.

In December 2015, an attack on the grid in Western Ukraine knocked out power for 225,000 people. Hackers cut power by remotely gaining access to and opening breakers in multiple substations.

This type of attack is worrisome not just for those in the energy and utilities industry, but for all enterprises. Energy is a critical component of the digital economy. Data simply doesn’t flow without the raw power to generate zeros and ones. Yet due to the expansion of connected infrastructures, the power driving these digital streams is increasingly at risk. Efficiencies wrung from smart pipelines, grids, plants, and oil and gas fields connected to networks dramatically expand vulnerabilities.

As recently as 2014, virtually all electric utilities in the U.S. still relied on Windows XP. At the same time, oil and gas companies, along with electric utilities, reported a spike in cyber attacks in the 12 months leading up to November 2015, according to the digital security firm Tripwire.

More than 75 percent of energy sector information technology professionals surveyed reported their firms experienced at least one successful breach from November 2014 to November 2015, Tripwire says. More than 80 percent predicted a cyber attack would cause physical damage to operations in 2016. More than 70 percent believe critical infrastructure providers are more susceptible to ransomware attacks than other enterprises.

Expanding Attack Surface

While cyber attacks are not a new threat, the escalating scale of their impact is new. The proliferation of connected devices and systems that share and process data vastly expands the landscape of devices that hackers can compromise. Add to this the emergence of malware specifically engineered to target assets through industrial control systems.

It doesn’t take a criminal mastermind to shut down utility systems. Researchers have recently demonstrated that low-skilled hackers can wreak havoc on industrial systems by attacking variable frequency drives readily accessible over the internet. These digital devices maintain the electrical frequency fed to motors, controlling the operation of fans, pumps, and air compression systems. Many have read-and-write capabilities that do not require authentication to reset critical motor speeds. By resetting the maximum speed beyond the upper limits of motor capabilities, hackers can shut down critical water, power, and industrial systems by remotely damaging critical equipment.

The Ukraine attack affected “low voltage transmission and distribution” systems that are excluded from NERC Critical Infrastructure Protection Standards (CIP). This means that if these substations had been in the U.S., they would not have been required to have cybersecurity protections as they are beyond the scope of CIP requirements.

Emerging Demand for Engineers With IT Prowess

This landscape has two components: IT systems that support enterprise functions and operational assets that are rapidly becoming integrated with digital technologies. The challenge is that these operational and industrial domains were not engineered to be cybersecure, nor were they designed to be accessed remotely in a secure way.

All enterprises depend on secure industrial systems and an electric grid that provides the basic infrastructure of commerce. Safeguarding these systems will require close collaboration between IT security professionals and industrial engineers. Yet it is becoming increasingly difficult to find a workforce with necessary engineering and IT prowess to address this challenge. Developing a cadre of skilled engineers versed in analytical and visualization tools is a must.

Like this story? For better security, read more about how to think like a bad guy.