By PR-Tech (Portland, Or.)
The risk of a power grid cyber attack is real – and becoming a larger looming threat every day. Cybersecurity firm Dragos rates the threat to utilities, specifically toward an electric grid cyberattack, as high. In a recent report, they detail how they have discovered “threats from specific Activity Groups (AG) demonstrating new interest in the electric sector,” with three out of the four new AGs Dragos discovered in 2020 targeting the electric utility industry.
Certainly, there has been no absence of activity in 2021. Just this December, an alert from the Cybersecurity and Infrastructure Security Agency (CISA) warned organizations to immediately implement mitigations to protect against a new vulnerability, Log4j, which is an “open-source, Java-based logging utility widely used by enterprise applications and cloud services,” and that could be used to take control of an impacted system.
While every type of industry is potentially at risk, cybersecurity is vital to the safety of the electrical grid, which is why utilities should carefully and actively manage their risks.
Risks and Vulnerabilities of a Compromised Utility
Look no farther than recent headlines to identify the issues that arise from a power grid cyber attack. For example, the prominent Colonial Pipeline attack put the nation’s vehicles at a standstill, and roughly one-quarter of utilities were exposed to the widespread SolarWinds hack.
While the worst result of a cyberattack would be the grid going down, there are other ways that an electric grid cyberattack can manifest itself. For example, Delta-Montrose Electric Association (DMEA), a small Colorado-based cooperative, experienced a power grid cyber attack in early November, which knocked out 90% of its internal systems, thwarting access to its payment processing and billing systems for more than a month. It also experienced significant data loss, with 25 years of historical data wiped out.
While hackers have grown increasingly sophisticated, there are steps utilities can take to help prevent or minimize the potential of a power grid cyber attack.
Establish Guidelines and Offer Training
Many attacks occur because of one errant click on a rogue email or because employees are logging in through an insecure network. Utilities should emphasize the importance of cybersecurity through frequent training and reminders. However, it’s important to remember that while you have specific expectations, you also don’t want employees to hesitate to report a potential issue. Remind your team that everyone can make a mistake and encourage them to come forward if they believe they may have inadvertently exposed the system to malware or an attack, rather than hiding it.
Update Software
This step alone would have helped minimize the Colonial Pipeline debacle. The New York Times reports that “cybersecurity experts note that Colonial Pipeline would never have had to shut down its pipeline if it had more confidence in the separation between its business network and pipeline operations.”
As a special cybersecurity section in the Wall Street Journal explained, “By modernizing their company’s technology, companies can take advantage of growing levels of automation and default settings in the software that shift much of the responsibility for cybersecurity away from the user, thereby reducing the opportunity for human error. The majority of cyber incidents can be traced to missteps by people who, for example, click on the wrong link or open the wrong email attachment.”
In addition to updated network software, make sure you have installed robust anti-virus and anti-malware software.
Upgrade Your Password Strategy
It’s common to get lazy with passwords, which can make it easier for a hacker to infiltrate your system. While many companies enforce complex passwords, a better strategy, suggested by the FBI, is to use a “passphrase,” which “involves combining multiple words into a long string of at least 15 characters. The extra length of a passphrase makes it harder to crack while also making it easier for you to remember.” That’s based on guidance from the National Institute of Standards and Technology (NIST) which found that the length of the password is more important than its complexity. Password software can help make sure users mix their passwords or passphrases up frequently and make them harder to detect.
Many companies also use the layered approach of multi-factor authentication (MFA) which entails double-checking a login via a phone or other secondary device, rather than relying on login credentials alone. Another more sophisticated option is to use cryptographic keys, a private key that can only be unlocked by the designated user through their face or fingerprint.
Limit Employee Access To Sensitive Information
Not everyone needs access to all the data your utility has; for example, only certain people need to connect to billing or payment information; and even fewer are likely to need access to mission-critical operations. Start by implementing checks and balances and limiting access to people based on their level or department.
Then check to see if your software can identify patterns to surface anomalies. For example, if someone who handles your accounts payable on a regular schedule is unexpectedly logging in and requesting access to sensitive information on the weekend or from an IP address they don’t typically use, that could be a red flag.
Develop a Crisis Response Plan
Even the tightest controls can be thwarted, which is why your utility cybersecurity should include a backup plan in the event of a power grid cyber attack. A comprehensive plan will approach the situation from a variety of scenarios, from how to handle data that’s been compromised to what to do if your systems fail. It’s vital to consult with professionals who can help identify and prevent vulnerabilities, and offer tested and approved advice for handling a wide variety of scenarios.
In most cases, it’s recommended that utilities hire an expert – a data safety officer (DSO) – to manage security, likely in partnership with other consultants.
Of course, cybersecurity is just one rung on the safety ladder every utility builds. For more information on keeping your power lines safe with line markers, the SentriSense power line monitoring network, and other necessary technology, contact P&R Tech today.