The U.S. Electrical Grid has been basking in the warmth of false security for some time now, due in part to our geographic isolation from conflict zones in the Middle East and the former Soviet Union where critical infrastructure regularly comes under attack.
Given very recent threat incidents abroad however, we believe our electrical grid may be in more peril than we realize, despite all the attention and funds applied in response to the 2013 Metcalf attack. A recent cyber attack in Ukraine on electrical substations and the more recent detonation in North Korea of a Nuclear Device may be signs that what happens “over there” could come “over here.”
Ukraine Substations Cyber-Attack
On December 23, 2015, suspected Russian hackers attacked three key Electrical Substations causing widespread blackouts across Northwest Ukraine. Approximately 700,000 homes were left without power for several hours.
This attack really caught our attention, for two reasons. First, “Suspected Russian Hackers” attacking critical infrastructure in a politically-disputed area are likely not cyber criminals. Since the Russian invasion of Georgia in 2008, the Russian military’s doctrine has increasingly incorporated a cyber warfare attack as a precursor to invasion on the ground. The same tactics were used when the Russians invaded and annexed Crimea, and are likely currently being used against Ukraine’s eastern region. Second, the software that was found on the networks of Ukraine’s power company was also used in a targeted campaign against power facilities in the U.S. in 2014. The U.S. Department of Homeland Security (DHS) released a memo in the spring of 2015, urging utility companies to disconnect any control systems that were still connected to the Internet in light of this attack.
The attack in Ukraine, whether initiated by Russian Security Services proxies or trained Russian military hackers should be very much the “canary in the coal mine” for U.S. and European Security Professionals. Today Ukraine, tomorrow it could be the Baltic States of Estonia, Latvia and Lithuania, or Poland. Russian leadership has indicated a clear desire to bring the states of the old “near abroad” back into the fold – if not willingly, then through military force using asymmetric cyber warfare as a first strike. Western countries like the U.S. could become victims as well if Russian military hackers opt to turn their attention this direction following their successful initial attacks.
Electromagnetic Pulse (EMP) Threat
On January 5, 2016, North Korea announced that it had detonated a small yield hydrogen bomb. The yield of the bomb indicates that it could be a miniaturized H-Bomb, small enough to be placed on top of an intercontinental ballistic missile. Although not confirmed as a hydrogen bomb and doubted by some “experts”, atomic or hydrogen bomb capability represents a similar threat. The test detonation was witnessed by Iranian nuclear officials, who have helped North Korea develop the miniaturization technology. Some informed observers note that North Korea has become the de-facto nuclear testing grounds for the Iranian nuclear weapons program. Such a missile could reach the west coast of the United States from North Korea, or Europe from Iran.
A miniaturized nuclear weapon detonated at 300 miles over the west coast of the United States would generate an EMP burst that could effectively destroy the electrical generation and distribution system along with all electronics in the western part of the United States. This would include the electronics in cars, rendering all transportation instantly inoperative. Additionally, a missile launched by Iran from a ship off the Florida coast (yes, the Iranian Northern Navy Fleet just last year operated in the Atlantic off our eastern coastline) would destroy the same for the central and eastern United States. Some have postulated that the recovery period would be more than a decade, leaving the entire United States in the dark ages for that time. Since anarchy pressure would mount within days or weeks, the effective difference between a 6-month and 10-year recovery period is mostly academic. Again, the “canary in the coal mine” is sending a message.
The Need for New Thinking
That sense of false security to which we alluded has bred a sense of complacency about critical infrastructure security. This is particularly evident with our electrical grid. For the last six decades, Security has typically been siloed into three separate approaches: IT Security, Physical Security and Operational Security. Historically, the departments operating these three approaches rarely talked to each other, leaving unknown vulnerabilities. This uneven “convergence” is well known in the industry.
The energy industry’s general approach to dealing with security threats has been to treat them as a compliance problem. Many energy providers have taken the NERC-CIP-5 (IT Security) and NERC-CIP-14 (Physical Security) compliance standards as security gospel and then sat back in the chair with their hands behind their heads, satisfied that they have done everything necessary (required by the government) to deal with security threats. We have actually witnessed energy industry CIO’s put “Do Not Cross” red tape around their servers, and declare that “compliance” was met. The attitude from industry is essentially “anything to satisfy the regulators” while the regulators seek “anything to fulfill the metrics of mission accomplished and certification.” A mutually satisfying, but wrong-headed approach.
Mr. Ross Johnson, Capital Power Senior Manager for Security and Contingency Planning, has a different take on this that is worth considering. Mr. Johnson states that “Compliance is like Base Load Power and Disruptive Risks are like Peaking Power. A company established a base load power generation program to deal with daily power needs and a peaking generation program to deal with overload needs. Similarly, energy companies should consider the Compliance Security Program as dealing with their baseline security needs (those incidents that occur regularly), and develop a Disruptive Risk Security Program to deal with “Black Swan” incidents (Terrorism, Activism, etc.).”
The time to consolidate the IT, Physical and Operations Security Plans into a comprehensive woven cloth to deal with all threats from all vectors has passed. In all practicality, there is no longer any segregation between IT, Physical, and Operational Security. They are all one. Physical Electronic Security Systems now reside on IT Networks that must themselves be secured against very high threat levels. Operational threats from Social Engineers place the IT Network at risk. A loss of the IT System places both Physical and Operational Security at risk.
Can we secure the power grid against Ukraine-style Cyber and EMP attacks?
Ukraine-style Cyber Attack: The attack vector used in Ukraine is a known vector (KillDisk), with known countermeasures. Numerous products exist that can monitor the IT and SCADA networks for ongoing attacks and disrupt these attacks. NERC-CIP-5 includes effective protection measures.
EMP Attack: The now-disbanded Congressional EMP Commission spent eight years developing a plan to protect all infrastructures from EMP that would also mitigate threats from cyber-attack, sabotage, and natural disasters. They estimated that it could be implemented in 3-5 years at a projected cost of $10-20 billion, including a 2008 estimate of $2 billion to harden the grid’s critical nodes. (http://www.empcommission.org/docs/empc_exec_rpt.pdf and http://securethegrid.com/emp-technologys-worst-nightmare/)
Baseline Operational Security Risks and Disruptive Risks can be dealt with using a combination of NERC-CIP-5 and NERC-CIP-14 and a Security Plan that is based on a holistic and comprehensive risk analysis, coupled with real-time threat analysis, using products such as Butchko’s bSMART risk management software suite.
Drive the Solution
It’s time for a re-think. The old way leaves too many vulnerabilities that, when exploited, will leave energy customers in the dark and energy sector C-Level executives looking for other work.
The canary in the coal mine is showing us that serious threats to our electrical grid loom on the horizon…. no one can say we were not warned.