The U.S. Department of Energy on Wednesday made public an August 2017 report that concluded there are more than a half dozen "capability gaps" in the power sector's ability to respond to a cyberattack on the electric grid.
A power outage due to a cyberattack has never happened in this country, but hacking attempts are on the rise and a recent focus on industrial control systems (ICS) by would-be intruders has upped the ante.
Secretary of Energy Rick Perry issued a statement alongside the now-public report, saying the administration "recognizes the growing security risk of cyber threats and has prioritized overcoming these challenges." Along with the assessment, DOE also recently created the Office of Cybersecurity, Energy Security, and Emergency Response (CESER), to boost the agency's role in responding to grid threats.
DOE undertook the assessment of cyber security and response capabilities at President Trump's direction, part of an executive order issued in May 2017. The report warns that while the power sector has experience dealing with outages, restoration following a cyberattack "could be more challenging than previously experienced," in part due to the unprecedented nature of an attack.
From staffing problems to supply chain coordination, security experts tell Utility Dive that all of the security shortfalls represent potential weaknesses against a growing threat.
The "capability gaps" identified in the report include:
- cyber situational awareness and incident Impact analysis;
- rules and responsibilities under cyber response frameworks;
- cybersecurity integration into state energy assurance planning;
- electric cybersecurity workforce and expertise;
- supply chain and trusted partners;
- public-private cybersecurity information sharing;
- and resources for national cybersecurity preparedness.
Among the recommendations, DOE suggested that in coordination with the U.S. Department of Homeland Security, the agency will work to support research into and development of system architectures and components "which help minimize cyberattack surfaces, prioritize key elements of electricity generation and delivery to isolate from internal and public networks, and enable system recovery."
The agency also wants to develop a national laboratory testing program to consider grid components, assess cybersecurity supply chain posture and examine cyber malware impacts in a simulated environment.
Experts say staffing, supply chain vulnerabilities are top concerns
John Cassidy, CEO of King & Union, an Arlington, Va.-based cybersecurity firm, told Utility Dive the DOE's report highlights issues of communications between energy companies and subsidiaries.
"The energy sector remains stovepiped, unable to work quickly with a wider group of organizations, especially when it comes to high side indicators," Cassidy said in an email.
PAS CEO and founder Eddie Habibi said that the report's analysis of the supply chain gap includes a call for more collaboration between industry, the federal government and vendors of industrial control systems (ICS) "to enhance vulnerability awareness and response." And it calls for “enhanced background checks for critical private sector employees that enhance security from insider threats,” which Habibi said is a good proactive measure.
"While the focus of the document is incident response, I am happy to see a few elements of preventive measures that would help mitigate cyber breaches proactively," he said in an email. "After all, internal threats from inadvertent human error and disgruntled employees and contractors pose a far great cyberthreat to the critical infrastructure than nation-states."
Reported Cyber Incidents by Critical Infrastructure Sectors, 2016
Wherever that attack comes from, there is a growing focus on industrial control systems (ICS).
A 2015 cyberattack in Ukraine resulted in a prolonged outage that impacted close to a quarter million people. That incident served to boost fears and awareness in the United States, while also signaling a new phase of sophistication in hacking efforts.
Later, cybersecurity firm Dragos determined the malware used in the Ukraine attack could be modified by its Russian developers to target the United States.
Dubbed "CrashOverride," the Ukraine malware was only the second ICS-tailored weapon to target physical industrial processes, according to Dragos. The first was Stuxnet, believed to be designed by the United States and Israel to disrupt Iran’s nuclear program, and identified less than a decade ago.
Since the Ukraine incident, hackers have also been able to penetrate the safety systems of a petrochemical plant in Saudi Arabia, in part by taking advantage of an older device made by Schneider. DOE's report acknowledges the challenge in guarding the grid against these types of attacks.
Joe Stuntz, vice president of cybersecurity at One World Identity, said the ICS issue is key, partly due to older technology on the grid. The power sector "must deal with legacy technology and challenges around upgrading" that mean security enhancements may be difficult, Stuntz wrote in an email.
"Depending on the ICS, there are only so many options that will be interoperable with the rest of the systems," Stuntz said. DOE's report finds ICS technology has been a boon to reliability and resilience for utilities, but also offers up a new swath of vulnerabilities.
The systems, which utilize two-way flows, automation and centralized controls, "have resulted in new vulnerabilities related to cybersecurity, even as utilities adopt increasing levels of protection for their businesses and operations networks," the report found.
Compounding the issue, the report also notes workforce development issues that experts have warned about.
"The electric subsector faces challenges in recruiting and maintaining cybersecurity experts with strong knowledge of cybersecurity practices and the requisite knowledge of ICS used to operate the electric grid," DOE concluded.
"It is a well-known problem that there are not enough experts in cybersecurity, but a much smaller subset of security experts also understand industrial control systems," Stuntz said. "So the electric sector is unable to hire from the already too small pool of security talent, but must hire from a specialized subset of that pool."
According to Habibi, that workforce issue is likely to have the greatest impact of all DOE's noted gaps — and there is currently a shortage of almost 1.5 million cybersecurity subject matter experts, he said.
"The four recommendations for this gap look mostly to the federal government to address the shortage of qualified cybersecurity expert," Habibi said. "A more effective approach would be to engage academia and industry."