The electric grid continues to be cyber vulnerable and susceptible to catastrophic impacts

March 20, 2018

The Russians have been in the US electric grids since at least 2014. The Defense Science Board stated the US critical infrastructure doesn’t have the ability to prevent damage. What is happening to provide resilience and recovery?

March 15, 2018, the Trump administration announced Thursday sanctions against Russian entities for a multitude of actions, including persistent attempts to break into the US elctric grid. Consequently, Friday March 16th, I wrote a Linked-in note asking why the interest now since the Russians have been in our electric grids since at least October 2014. As of Monday evening March 19th, I have received more than 4,500 reads and counting. As a result, I am providing a brief history and rationale for why we should be concerned about the cyber threats to the electric grid from Russia, China, Iran, and North Korea.

Why do we care about cyber security of the grid? The grid has been susceptible to many natural threats such as earthquakes, floods, hurricanes, tornadoes, and solar flares. Generally, these natural events, with the possible exception of solar flares, are short term outages lasting hours to days. Cyber attacks can cause short term outages such as the 2015 and 2016 Ukrainian cyber attacks, but the real concern should be that cyber attacks can cause long term outages lasting 9-18 MONTHS or longer. Unfortunately, there has been inadequate response by DOE, DHS, NERC, and the utilities to address the long-term cyber threats to the grid. As stated by the Defense Science Board’s Task Force on Cyber Deterrence dated February 2017: “First, major powers (e.g., Russia and China) have a significant and growing ability to hold US critical infrastructure at risk via cyber attack…Although progress is being made to reduce the pervasive cyber vulnerabilities of US critical infrastructure, the unfortunate reality is that, for at least the next decade, the offensive cyber capabilities of our most capable adversaries are likely to far exceed the US’s ability to defend key critical infrastructures.  Second, regional powers (e.g., Iran and North Korea) have a growing potential to use indigenous or purchased cyber tools to conduct catastrophic attacks on US critical infrastructure.”

In the early 2000’s a SCADA system directly connected to the Internet was compromised. SCADA was lost for about 2 weeks. The forensics showed a “hop” to Eastern Europe before the trail was lost. However, compromising SCADA does not mean that power is lost which is why this event was not reported to local law enforcement, the ES-ISAC, or the FBI.

The Aurora vulnerability was demonstrated in March 2007 by destroying a diesel generator. However, there continues to be a lack of understanding of the Aurora vulnerability, the relevance of the March 2007 test, and lack of implementing the required Aurora hardware fixes, even though they have been available since the late 2007 time frame. Making the Aurora vulnerability more problematic, in July 2014 DHS declassified more than 800 pages on the Aurora vulnerability which made its way to hacker websites. Aurora is real as there have been actual Aurora events that have damaged mechanical equipment. At the 2016 ICS Cyber Security Conference, an Aurora hardware mitigation device (SEL751A) was effectively turned into an Aurora initiation device. As Aurora is not malware, threat hunting may not be successful. Yet, DOE still won’t address Aurora.

November 2011, a hacker identified as 'pr0f' provided evidence of a successful penetration of South Houston's water supply network with similar screen shots from the recent DHS disclosure.

US CERT traced supply chain attacks affecting the electric grid back to 2012.  In October 2014, Isight Partners (now part of Fireeye) gave a presentation at the 2014 ICS Cyber Security Conference that the Russians had downloaded the BlackEnergy malware onto the US electric grids and the malware compromised several major control system vendors’ products. In December 2014, DHS “announced” a series of classified briefings on BlackEnergy. The May/June 2015 DHS ICS CERT Monitor states: “Some asset owners may have missed the memo about disconnecting control system from the Internet. Our recent experience in responding to organizations compromised during the BlackEnergy malware campaign continues to bring to light this major cybersecurity issue—Internet connected industrial control systems get compromised. All infected victims of the BlackEnergy campaign had their control system directly facing the Internet without properly implemented security measures. The BlackEnergy campaign took advantage of Internet connected ICS by exploiting previously unknown vulnerabilities in those devices in order to download malware directly into the control environment. Once inside the network, the threat actors added remote access tools, along with other capabilities to steal credentials and collect data about the network. With this level of access, the threat actor would have the capability to manipulate the control system.” This was the approach used in the 2015 Ukrainian cyber attack.

At the 2015 IAEA Nuclear Plant Cyber Security Conference, the Vice President of Korea Hydro & Nuclear described how the North Koreans hacked into South Korean nuclear plants. Given that the South Korean nuclear plants have similar equipment as US nuclear plants, this should be of direct interest to US nuclear plant operators.

Also in 2015, NATO discussed Russian cyber threats against control systems in “Beyond ‘Cyber War’: Russia’s Use of Strategic Cyber Espionage and Information Operations in Ukraine” by Jen Weedon. According to Jan, “Is Russia preparing for future cyber attacks on Western critical infrastructure? This is difficult to prove, but the Sandworm group has reportedly targeted supervisory control and data acquisition (SCADA) equipment, which is used in industrial and critical infrastructure settings, with the BlackEnergy toolkit. The victims were pro­duction systems, not vendor-owned prototypes or systems that contained financial information, intellectual property, or political intelligence. Given the targets seemed to be production systems, there would likely be no benefit from an espionage per­spective to infect these systems. Rather, the actors using the malware may have been looking for weaknesses to exploit in a future disruptive scenario. In addition, the use of a crimeware toolkit offers a degree of anonymity or plausible deniability for actors with more destructive purposes.”

The December 2015 Ukrainian electric distribution attacks included equipment used in US grids. The attackers remotely opened the electric substation breakers resulting in a multi-hour outage (step 1 of the 2 steps of Aurora). The attackers did not reclose the breakers (step 2 of Aurora) which would have resulted in hardware damage leading to long-term outages. However, DOE, DHS, and NERC claimed this type of attack couldn’t happen here and NERC stated they would not change the NERC CIP cyber security requirements to address the Ukrainian attack vectors.

The December 2016 Ukrainian transmission attacks also included equipment used in US grids and also included the remote opening of electric substation breakers. Ironically, December 30, 2016, the Washington Post broke the story that Russian hackers penetrated the US electricity grid through a laptop in a Vermont utility.

In 2016, Iran hacked the Bowman Dam in Rye NY. Iran has demonstrated knowledge of Stuxnet, safety systems (I have reviewed papers on both) and the lack of security in process sensors, actuator, and drives (a “Like” on my Defcon presentation on lack of security of Level 0,1 devices).

Finally, the Triconex safety system cyber attack in Saudi Arabia applies to fossil and nuclear power plants, refineries and chemical plants, water treatment facilities, etc. (there has been no attribution of this attack to date). The Triconex attack resulted from the mixing of control and safety systems which should not be able to happen in US nuclear plants as control and safety systems are not allowed to be mixed. Unfortunately, this requirement does not extend beyond nuclear plants (safety systems are outside scope of the NERC CIPs).

What should be of great concern is that attackers have been doing reconnaissance on the US electric grids for years. As a result, attackers can be expected to be aware of the cyber weaknesses in the grid to cause damage as well as interconnections that can make outages more widespread. Consequently, the electric grid is at risk for wide-spread, long-term outages.

Since our critical infrastructures may not be able to be secured, there needs to be more focus on resiliency and recovery including appropriate training.

Joe Weiss