Could the electric grid really be taken down with a $50 device secreted in the bottom of a coffee cup as some researchers have claimed? Perhaps. But the more likely threat comes from bad actors with markedly improved capabilities who’ve ramped up their attacks on critical infrastructure and utilities.
Consider that 70 percent of industrial control system (ICS) vulnerabilities disclosed in the first half of 2020 can be exploited remotely, according to a report from Claroty, a problem that has grown more acute since the pandemic forced ICS-driven facilities to rely even more on work-from-home personnel, leaving networks further susceptible to unauthorized tampering.
Claroty said the energy, critical manufacturing, and water and wastewater infrastructure sectors were by far the most impacted during the first half of 2020, based on its analysis of 363 ICS vulnerabilities published in the National Vulnerability Database (NVD) and 139 ICS advisories affecting 53 vendors issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Compared with the first half of 2019, ICS vulnerabilities reported by the NVD increased by 10.3 percent from 331, while ICS-CERT advisories increased by 32.4 percent from 105. More than 75 percent of the vulnerabilities were assigned high or critical Common Vulnerability Scoring System (CVSS) scores.
Claroty claimed its latest operational technology (OT) data suggests fully air-gapped ICS networks that are isolated from cyber threats have become vastly uncommon, noting remote code execution (RCE) accounted for 49 percent of vulnerabilities. Of the 385 unique Common Vulnerabilities and Exposures (CVEs) included in the advisories, energy had 236, critical manufacturing had 197, and water & wastewater had 171. Compared to the first half of 2019, water and wastewater experienced the largest increase of CVEs (122.1 percent), while critical manufacturing increased by 87.3 percent and energy by 58.9 percent.
Security experts tell SC that the threat to the grid is real, and that it no longer comes only from nation-states, responsible for documented attacks in the past decade on power plants in Iran, Saudi Arabia and Ukraine: other parties could also cause a blackout lasting an extended period.
“Previously, the threat was always perceived to be nation-state interference,” said Mark Kedgley, CTO at New Net Technologies (NNT). “However, we have seen recently with the EKANS/Snake ransomware reports that critical infrastructure now appears to be a target for the organized-crime end of the hacker spectrum.” Being able to cut off utilities for a population of several hundred thousand citizens, he added, is a pretty strong hand in a ransom negotiation.
Not all critical infrastructure attacks aim to take the grid down or darken a city, agreed Eran Fine, CEO of NanoLock Security. “With financial attacks, bankrupting a utility or creating lack of trust can also create harm,” Fine said. Indeed, a June 2020 research report conducted by Northeast Group reported electricity theft and fraud total $96 billion per year globally.
Utilities’ “smart meters” are especially vulnerable to attack, which could erode the trust of their customers, Sjoerd Hulzinga, IoT security product manager for KPN Security, pointed out.
“It is crucial that connected utility devices such as ICS, controllers, smart meters, sensors, etc., be hacker-proofed throughout their entire life-cycle, starting from the production line, through the supply chain to field operation and remote SW updates, until end-of-life,” Hulzinga said, adding that an insecure meter that’s an IoT device potentially could become part of a botnet when hit with Dark Nexus malware, for example.
And then there’s the evidence presented at the recent USENIX Security 2020 conference by researchers at the University of California, Irvine (UCI) that a spoofing mechanism tucked into a disposable coffee cup could generate a 32 percent change in output voltage, a 200 percent increase in low-frequency harmonics power and a 250 percent boost in real power from a solar inverter.
“Without touching the solar inverter, without even getting close to it, I can just place a coffee cup nearby and then leave and go anywhere in the world, from which I can destabilize the grid,” said Mohammad Al Faruque’s research group in UCI’s Henry Samueli School of Engineering.
But Brandon Hoffman, CISO at Netenrich, doesn’t believe utilities are more vulnerable than previously thought.
“There have been significant strides in this space to shore up defenses where possible,” Hoffman said. “The biggest challenge we see in this space is a lack of consistency in protocols used for communications between these devices.”
To protect utilities and the grid, the U.S. government has placed considerable stock in its new Critical Infrastructure Protection (CIP) security compliance standards: the NERC Critical Infrastructure Protection (NERC CIP) standards, soon to go into effect, together with a U.S. presidential executive order, are expected to help secure bulk power systems.
Kedgley said detailed security standards, such as NIST 800-53 and NERC CIP, are comprehensive, but they require a baseline configuration.
Compliance with such standards is the goal of a new organization, Asset to Vendor Network Power Utilities (A2V), which helps North American utilities share information on cybersecurity risks among themselves, the vendors that serve them, and the third parties with whom they work.
According to Tobias Whitney, vice president of energy security solutions at Fortress Information Security, which created A2V, the organization is focused on securing the entire energy supply chain. It currently consists of 20 utility/critical infrastructure members representing a quarter of the electric grid, “including three of the top five,” as well as 100 vendors, Whitney said.
And even as attacks, and the techniques used in them, have grown in number and sophistication, industry awareness of the risks has also risen, along with an evolution in the technology and processes available to protect critical infrastructure, said Chris Morales, head of security analytics at Vectra. “How well that technology and process has been broadly adopted is the question,” he added.