Utilities and their business partners play an unintentional role in increasing the electrical grid’s vulnerability to cyber attack.

On Dec. 10, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released a troubling update about an ongoing, sophisticated malware campaign that had compromised “numerous” industrial control system environments inside utilities and companies in other sectors. Several organizations working with ICS-CERT identified the malware, known as BlackEnergy, on a variety of human-machine interface (HMI) products connected to the Internet.

Electric utilities use HMIs to help monitor and operate the grid; they also act as a user interface to the industrial control systems that generate, transmit, and distribute electricity.

ICS-CERT’s analysis of the malware campaign suggests the actors behind it targeted organizations running specific HMI products vulnerable to cyber attack and executed the campaign to discover and compromise unpatched systems. While ICS-CERT had not identified any attempts to damage, modify, or otherwise disrupt the compromised systems at the time it released its update, the team noted intruders could potentially expand their access beyond the compromised HMIs into the underlying control systems. For utilities running vulnerable HMIs, this means attackers could conceivably gain access to the bulk electric system (BES) that runs the grid.

The BlackEnergy malware campaign underscores the complexity and sophistication of many of the cyber threats facing the grid. It also illustrates a major point of entry for attackers—specifically, security flaws in device software.

Widespread use of legacy systems and the variety of equipment in some power companies’ environments can make it hard for utilities to stay on top of newly identified security flaws and patch management. While manufacturers routinely issue software patches for industrial control systems, supervisory control and data acquisition (SCADA) systems, and other operational technologies in use among utilities, the need to maintain smooth, day-to-day business operations typically limits how promptly or consistently utilities apply them. But as attackers increasingly target the grid, the risk of unanticipated disruption caused by a cyber attack may significantly outweigh the risk of limited, planned disruption caused by a controlled patch management process.

Security flaws in device software are one of three major categories of vulnerability at attackers’ disposal. As in other industries, adversaries take advantage of basic lapses in IT and physical security controls, such as misconfiguration of firewalls, intrusion detection systems, and other perimeter devices. Weak password practices and poorly defined user access policies make it easier for hackers to masquerade as legitimate users. Poorly designed segregation of networked assets (such as industrial control system devices) can allow attackers who have gained a foothold in the corporate environment to reach substations and distribution systems. Meanwhile, lapses in physical security may literally leave doors open for intruders, allowing them to walk into facilities and plant malware on systems with simple USB devices.

While not a vulnerability per se, the digitization the power industry is pursuing also opens it up to greater cyber risk, as is the case with many other industries. As utilities adopt more digital technologies inside substations, implement smart meters, modernize grid systems, and integrate back-office systems, new avenues for accidental and malicious disruption emerge.

Factors like digitization, lax controls, and flawed devices have made attacking the grid from thousands of miles away exponentially easier, both for well-organized, well-financed nation states and for individual hackers who use crude, pre-built crimeware tools to execute their attacks. With just a few keystrokes and invisible bits of code planted on substation devices, attackers could remotely unleash malware that destroys equipment, causes widespread outages, creates unsafe facility conditions, and ultimately threatens public safety and results in substantial economic costs. Shrouded by the relative anonymity of the Internet, attackers may evade law enforcement agencies’ efforts to find and prosecute them.

Today’s cyber attacks rarely consist of a single action or event. Advanced persistent threats may lurk undetected for weeks or months inside organizations lacking adequate monitoring capabilities. Therefore, addressing threats to the grid requires a combination of activities and initiatives, including executive engagement, information sharing, advanced monitoring, an industrywide commitment to device security, and perhaps above all, a risk-oriented, multifaceted program focused on being secure, vigilant, and resilient.

—by Sharon Chand, director, Deloitte & Touche LLP; Steve Livingston, principal, Deloitte & Touche LLP; and David Nowak, senior manager, Deloitte & Touche LLP
