Can the power grid survive a cyberattack?

Stuxnet was able to take over the PLCs controlling the centrifuges, reprogramming them to speed up the centrifuges, which led to the destruction of many, while displaying a normal operating speed in order to trick the centrifuge operators. So these new forms of malware can not only shut things down but can also alter their function and permanently damage industrial equipment. This was also demonstrated at the now-famous Aurora experiment at Idaho National Lab in 2007.

Securely upgrading PLC software and securely reprogramming PLCs has long been of concern to PLC manufacturers, which have to contend with malware and other efforts to defeat encrypted networks.

The oft-cited solution of an air-gap between critical systems, or physically isolating a secure network from the internet, was precisely what the Stuxnet worm was designed to defeat. The worm was specifically created to hunt for predetermined network pathways, such as someone using a thumb drive, which would allow the malware to move from an internet-connected system to the critical system on the other side of the air-gap.

Internet of many things
The growth of the smart grid — the idea of overlaying computing and communications on the power grid — has created many more access points for penetrating the grid's computer systems. Currently, the difficulty of establishing the provenance of data from smart grid devices limits what is known about who is really sending the data and whether that data is legitimate or an attempted attack.

This concern is growing even faster with the Internet of Things (IoT), because there are many different types of sensors proliferating in unimaginable numbers. How do you know when the message from a sensor is legitimate or part of a coordinated attack? A system attack could be disguised as something as simple as a large number of apparent customers lowering their thermostat settings in a short period on a peak hot day.

Defending the power grid as a whole is challenging from an organizational point of view. There are about 3,200 utilities, all of which operate a portion of the electricity grid, but most of these individual networks are interconnected.

The U.S. government has set up numerous efforts to help protect the United States from cyberattacks. With regard to the grid specifically, there is the Department of Energy’s Cybersecurity Risk Information Sharing Program (CRISP) and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) programs in which utilities voluntarily share information that allows patterns and methods of potential attackers to be identified and securely shared.

On the technology side, the National Institute of Standards and Technology (NIST) and IEEE are working on smart grid and other new technology standards that have a strong focus on security. Various government agencies also sponsor research into understanding the attack modes of malware and better ways to protect systems.

But the gravity of the situation really comes to the forefront when you realize that the Department of Defense has stood up a new command to address cyberthreats, the U.S. Cyber Command (USCYBERCOM). Now in addition to land, sea, air, and space, there is a fifth command: cyber.

The latest version of the Department of Defense’s Cyber Strategy has as its third strategic goal, “Be prepared to defend the US homeland and US vital interests from disruptive or destructive cyberattacks of significant consequence.”

There is already a well-established theater of operations where significant, destructive cyberattacks against SCADA systems have taken place.

In a 2012 report, the National Academy of Sciences called for more research to make the grid more resilient to attack and for utilities to modernize their systems to make them safer. Indeed, as society becomes increasingly reliant on the power grid and an array of devices are connected to the internet, security and protection must be a high priority.

Michael McElfresh is Adjunct Professor of Electrical Engineering at Santa Clara University. This story is published courtesy of The Conversation (under Creative Commons-Attribution/No derivatives).