Biden executive order on power system cybersecurity leaves critical operations vulnerable, experts say
A Ukraine war-provoked Russian cyberattack on the U.S. power system has not happened, but experts agree the threat is real because of a key shortcoming in cybersecurity preparations.
The 2021 Colonial Pipeline shutdown that disrupted Eastern U.S. gasoline deliveries hinted at the danger of cyberattacks on the energy sector. A May 12, 2021, Biden executive order, requiring major power system cybersecurity actions, implicitly acknowledged that Russia’s 2015 attack on Ukraine’s power system can happen here. But current and planned responses to the Biden order may not be enough to protect electricity delivery, cyber specialists said.
Russia may have so far withheld cyber warfare against the U.S. and its allies because of “a balance of power issue,” OPSWAT operations technology and industrial cybersecurity expert Oren Dvoskin said. “If a cyberattack is stopped, whoever stopped it knows the adversary, which is why nation-states are careful about if and when to deploy cyber weapons,” he said.
But the cyber threat to the energy sector goes beyond attacks to communications networks like the recent headlined ransomware attacks, analysts said. Using the growing internet access of power system operations that allow companies to monitor and control engineering processes online, attackers could disrupt critical infrastructure to create environmental devastation, losses of life, and severe economic impacts, they said.
Power system “security and safety” depends on “the reliability and accuracy of sensor data that informs operations,” Applied Control Solutions Managing Partner and Cybersecurity Analyst Joe Weiss told Utility Dive. And “Russia, China, and Iran are aware of the lack of cybersecurity in process sensors and have access to them” in critical electric system operations, he said.
The recent discovery of cryptocurrency’s vulnerability is a reminder that cybersecurity requires constant attention. But threats can be minimized by first recognizing that protections for information technology networks are inadequate to protect operational technology hardware, and then putting the best people, processes and technologies in place to protect electricity delivery, cyber analysts said.
The Biden executive order recognized “persistent and increasingly sophisticated malicious cyber campaigns” and the need “to identify, deter, protect against, detect, and respond” to them. And protections must include systems “that run the vital machinery that ensures our safety (operational technology (OT)),” along with “systems that process data (information technology (IT)),” it said.
Threats to energy sector networks were apparent before the executive order. But vulnerability expanded with the “convergence of IT and OT systems” and the use of “common software and security systems” in monitoring and control, a November 2021 Congressional Research Service report said.
Shields Up, a campaign of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, was launched in February by the Biden administration in response to the increased cyber threat from the Ukraine war.
The May 2021 executive order required federal agencies, including CISA, to develop “Zero Trust Architecture.” A zero trust system design assumes that “anomalous or malicious activity” is “inevitable or has likely already occurred.” It eliminates “implicit trust in any one element” and allows online access only with “real-time” and “multiple sources” verifications, the order said.
But that leaves a shortcoming in cybersecurity, analysts said.
The federal approaches assume IT attacks are the concern, control systems engineer and cyberanalyst Weiss said. They overlook OT-focused cyberattacks, which “are not always easily identifiable or recognized at all,” and “can be mistaken for accidents or malfunctions,” he warned.
Former Federal Energy Regulatory Commission Chair Jon Wellinghoff, now CEO of power system consultant GridPolicy, agreed. “The executive order was a great step forward in coordinating federal agencies’ cybersecurity efforts under Homeland Security,” he told Utility Dive. “But there has not been enough progress on securing operations technology.”
The still unexplained August 2019 federal seizure of a Chinese transformer on its way to installation on the Western Area Power Administration system demonstrates the complexity of the OT threat, both Wellinghoff and Weiss said. It was diverted to Sandia National Laboratory for study when it was discovered to have unexplained electronics built into it, they said.
Transformer manufacturer JiangSu HuaPeng denied allegations of an effort to create a hidden backdoor to the U.S. power system, but there is no public report of Sandia findings confirming that, a September 2020 investigation by Motherboard reported.
“There are probably thousands of China-originated control devices in our electric and natural gas infrastructure that we can't be sure of,” Wellinghoff said. “The core of the problem is that the bulk of cybersecurity focuses on IT networks and not industrial control operations technologies.”
Even sensors in smart operations systems may have no capability for passwords, authentication or encryption, but nevertheless remain “the 100% trusted input to OT networks,” Weiss added.
Sensors without security capabilities make malicious and unintentional operational disruptions difficult to distinguish and could allow power system cyberattacks to go unnoticed, Weiss said. Inadequate sensor protections contribute to continued uncertainties about the specific cause of the 2005 Stuxnet attack on an Iranian nuclear facility and a 2008 Florida nuclear plant shutdown resulting from a substation disruption that left no proof of its supposedly accidental cause, he added.
Even where internet communications are secure, if OT sensors “are compromised or defective, it will not be possible to have a safe, secure, reliable, or optimized process,” Weiss wrote in March 2021.
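The sensor problem Weiss describes can be illustrated with a monitoring check. The following is an added example, not code from Utility Dive, Weiss, or any vendor: when process sensors cannot authenticate or encrypt their readings, the monitoring side cannot verify who produced a value, so the defender's fallback is to judge whether each reading is physically plausible and consistent with a redundant sensor. The transformer oil-temperature readings, limits, and sensor names are constructed assumptions.

```python
"""Plausibility checks for unauthenticated process-sensor telemetry (added example).

The checks cannot tell a compromised sensor from a failed one, which is exactly
the ambiguity the article describes; they only flag that a "100% trusted" input
is no longer trustworthy and needs an engineer's attention.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    lo: float               # physical minimum the process can reach
    hi: float               # physical maximum
    max_step: float         # largest credible change between consecutive samples
    max_divergence: float   # tolerated disagreement between redundant sensors
    stuck_samples: int      # identical consecutive samples before a "stuck" flag


# Constructed sample data: two redundant oil-temperature sensors (°C) on one
# transformer, polled at a fixed interval. Sensor B drops abruptly and freezes.
OIL_TEMP_LIMITS = Limits(lo=-40.0, hi=120.0, max_step=2.0, max_divergence=1.0, stuck_samples=3)
OIL_TEMP_A = [62.0, 62.3, 62.5, 62.8, 63.0, 63.1, 63.2, 63.2]
OIL_TEMP_B = [62.1, 62.2, 62.6, 62.7, 45.0, 45.0, 45.0, 45.0]


def check_stream(name, samples, lim):
    """Return (index, reason) flags for one sensor's consecutive samples."""
    flags = []
    for i, v in enumerate(samples):
        if not lim.lo <= v <= lim.hi:
            flags.append((i, f"{name}: {v} outside physical range"))
        if i > 0 and abs(v - samples[i - 1]) > lim.max_step:
            flags.append((i, f"{name}: implausible jump {samples[i - 1]} -> {v}"))
        window = samples[max(0, i + 1 - lim.stuck_samples):i + 1]
        if len(window) == lim.stuck_samples and len(set(window)) == 1:
            flags.append((i, f"{name}: stuck at {v}"))
    return flags


def check_redundant(name_a, a, name_b, b, lim):
    """Flag samples where two sensors measuring the same quantity disagree."""
    return [(i, f"{name_a}/{name_b}: divergence {abs(x - y):.1f}")
            for i, (x, y) in enumerate(zip(a, b)) if abs(x - y) > lim.max_divergence]


def analyze():
    """Run all checks on the constructed data and return flag counts per check."""
    return {
        "A": len(check_stream("A", OIL_TEMP_A, OIL_TEMP_LIMITS)),
        "B": len(check_stream("B", OIL_TEMP_B, OIL_TEMP_LIMITS)),
        "A/B": len(check_redundant("A", OIL_TEMP_A, "B", OIL_TEMP_B, OIL_TEMP_LIMITS)),
    }
```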
These vulnerabilities are “a real plague in OT environments,” OPSWAT’s Dvoskin agreed. The malware that attacked the Colonial pipeline in 2021 compromised so many of Colonial’s IT components that it forced a preemptive shutdown of operations, he said.
The current alternative is “unidirectional security gateways” that “segment the OT network” to limit malware access between the IT network and OT devices, he said. But “attack patterns are always one step ahead,” and even the zero trust concept is compromised when OT networks “not architectured for cybersecurity leave the entire network vulnerable,” he said.
To date, most attacks have been through ransomware and companies have paid the attackers, he said. Unfortunately, that has created “an incentive for attackers to pursue bigger returns by targeting operations, like the Colonial incident,” Dvoskin said.
As a result, cybersecurity has become a high electric system priority, many stakeholders agreed.
Utilities and system operators respond
Major U.S. utilities and power system operators are using the CISA and Biden order guidance to prepare for attacks, they told Utility Dive. They are also participating in public agency and industry protective exercises, including the North American Electric Reliability Corporation GridEx and the Department of Energy Clear Path simulations.
As early as 2020, cybersecurity attacks and vulnerabilities to “ransomware and supply chain compromises” were “a significant concern,” according to NERC’s 2021 State of Reliability report. And in December 2020, there was a complicated attack “that leveraged SolarWinds’ Orion software and Microsoft’s Azure cloud environment.”
The attack on software provider SolarWinds allowed Russian attackers to access power sector networks, NERC reported. Though it caused no loss of system load, it “highlighted the extraordinary capability and persistence” of “the Russian Foreign Intelligence Service,” CISA added. A post-incident investigation revealed “25% of electric utilities had downloaded malicious software,” NERC said.
While energy industry leaders have limited “expertise” about cybersecurity threats, the “shock of recent incidents” has driven “major changes,” a February-March 2022 international survey by global consultants DNV found.
Electric utilities are working on cybersecurity from a “defense-in-depth” perspective, with simultaneous planning for prevention of and remediation from attacks, both Edison Electric Institute Senior VP of Security and Preparedness Scott Aronson and American Public Power Association Senior Director, Cybersecurity, Bridgette Bourge emailed Utility Dive.
As part of the defense-in-depth approach, an Essence 2.0 Cybersecurity Technology is now being developed that integrates the monitoring of IT and OT systems and “continuously assesses the electric grid for anything out of the ordinary,” according to the National Rural Electric Cooperative Association.
Individual utilities reported unhesitating seriousness about cybersecurity.
“We can never be too safe or prepared,” Duke Energy spokesperson Caroline McMillan Portillo said. “As the scale and sophistication of potential cyber events grow, so do our defensive capabilities for all of our IT and OT assets, and for both the bulk system and the distribution system.” Arizona Public Service spokesperson Yessica del Rincon and Entergy spokesperson Neal Kirby concurred.
American Electric Power, which provides regulated, unregulated, and transmission service across a 12-state, 200,000-square-mile territory, “has about 200 cyber people focused on security,” AEP VP of Cyber and Physical Security Steve Swick said.
“We are reluctant to speak in specifics,” but “we hire top cyber security experts,” and “hold regular drills,” Consolidated Edison spokesperson Allan Drury emailed. “Threats are increasing in sophistication, magnitude and frequency,” and “would-be attackers are inventive and relentless,” he added.
The California and Midcontinent independent system operators declined to comment in detail. The New York Independent System Operator “relies on the NERC Critical Infrastructure Protection standards and other cybersecurity frameworks, guidelines, and best practices,” its Power Trends 2022 reported.
And better practices are emerging, cybersecurity analysts reported.
Emerging cybersecurity practices
The Biden executive order, CISA’s Shields Up protections, and the NERC guidelines are the most frequently mentioned cybersecurity standards, stakeholders agreed.
But most of the Biden order and CISA guidance only explicitly address IT intrusions and ransomware, Weiss and others stressed. And while securing IT systems from attacks can prevent financial consequences, losing control of OT systems could lead to significant economic or environmental impacts or cost lives, a recent DNV “insights” paper warned.
Historically, OT networks were not online, which allowed use of less secure equipment and practices, DNV Cyber Security Managing Director Trond Solberg told Utility Dive. And the IT and OT departments were often organizationally siloed, “exchanging risk reports that were frequently forgotten or building firewalls that people weren’t trained to use.”
Many energy industry executives acknowledge “OT security is now getting attention,” he said. But because many have not realized the extent to which OT requires new practices, “too few executives are willing to invest significant time and money, and OT cybersecurity problems remain.”
Better practices in OT security will depend on how “people, processes, and technologies” move from “prevailing practices” to meet “current conditions” and take advantage of foreseeable “future directions,” a DNV December 2021 white paper on new OT security practices summarized.
Prevailing practices have too few people engaged in OT security, inadequate plans to define responsibilities, and do not focus on developing dedicated OT security teams, DNV said. OT-specific, risk-based standards are being adopted, but policy enforcement is needed, it added.
These prevailing practices do not effectively address current nation-state attacks and the lack of industry-wide governance, the paper said. Investments are needed to close gaps in incident response, asset identification, and, especially, in management of currently emerging attacker accesses through IT-OT interfaces, it said.
In the next two to four years, the pool of personnel dedicated to OT security should be doubled, DNV said. Because attacks through supply chains are accelerating, a converged IT and OT team and a wider view of where threats can come from will also be needed in auditing vendor security.
Converged IT and OT systems can drive adoption of more zero trust measures and advanced and enabling technologies, DNV concluded. The result could be the optimization of today’s isolated and fragmented security practices.
A “radical shift” can be driven by safeguarding OT if energy company leaders recognize that protecting sensors and communications systems will transform a “non-security” cost into “a security win,” DNV said. With that shift, zero trust and access management programs can become bigger priorities, which will lead to better security practices in both the IT and OT domains, it added.
Skilled OT security specialists, managers, engineers, operators, and others must be developed, the paper stressed. That kind of team will have the organizational and technical skills to develop critical “cyber readiness” by planning for and responding to “security compromises and data breaches” on both OT and IT systems, and also ensuring supply chain and third-party security, it added.
Cyberanalyst Weiss was more succinct than DNV. Close the “culture gap” between the Chief Information Security Officer who “owns no hardware” and the vice president for power delivery who “owns everything but isn't part of cybersecurity,” he said. “Engineers care about reliability and safety and network people care about cybersecurity and they currently are not talking to each other.”