Cyber counter-attack
How co-ops keep hackers away from the electric grid
About 3:30 in the afternoon last December 23, operators at three electric distribution utilities halfway around the world in western Ukraine found themselves not to be solely in control of their computer terminals. Someone from outside the utilities had taken over the controls and started opening circuit breakers at more than 27 substations, cutting power to more than 200,000 customers. Thousands of fake calls clogged utility switchboards, preventing people from phoning in to report and get information about the outage. Utility workers switched to manual operations, and it took three to six hours to restore power.
That’s not a movie plot. And if you missed or forgot about that news report from last year, people who run electric utilities have not. Attention to cyber security at electric utilities has been growing fast in the past few years, and the Ukraine attack pushed that trend into overdrive.
Defenses against that kind of attack are pretty basic, and you’ve probably even heard the warnings yourself—don’t click on any links or attachments unless you were expecting the message to be sent to you.
“It’s garnered a lot of attention from the federal government and throughout the industry,” says Barry Lawson, Senior Director of Power Delivery and Reliability for the National Rural Electric Cooperative Association (NRECA).
A big part of Lawson’s job is helping the nearly 1,000 electric co-ops in the country understand digital-age dangers, and ensuring that they know how to protect and secure the power supply, electric grid, and co-op members and employees from Internet mischief.
Kentucky’s electric cooperatives are considered to be at the forefront of that due diligence, led by the collective efforts of the IT Association of the Kentucky Association of Electric Cooperatives. The group of IT professionals from co-ops across the commonwealth has shared it’s cyber security policy framework with NRECA, who made it available online to any interested co-op, and several other states that have requested it.
“We regularly hear from Federated Insurance and the NRECA that Kentucky is helping to lead the way in cyber security for cooperatives,” says Jonathan Grove of Cumberland Valley Electric co-op, headquartered in Gray.
“The Ukrainian attack wasn’t terribly sophisticated,” says Grove who also is an adjunct professor of Information Security at the University of the Cumberlands. “I use it as an example of several basic attack types in my Operational Security class. I talk about it a lot. What makes it unique was the degree of organization that was obviously behind it.”
In the Ukraine incident, utility workers received e-mails with Microsoft Office documents, such as an Excel spreadsheet, from the Ukrainian parliament. But the emails were not from the Ukrainian parliament. When workers followed the email instructions asking them to click on a link to “enable macros,” malicious malware embedded in the documents––called BlackEnergy 3––secretly infected the system. Among other capabilities, BlackEnergy 3 can enable an adversary to observe and copy all the keystrokes made on the infected computers, giving hackers passwords and other login information needed to access the utility’s operations control systems.
Defenses against that kind of attack are pretty basic, and you’ve probably even heard the warnings yourself—don’t click on any links or attachments unless you were expecting the message to be sent to you. Utilities are increasing their efforts to enhance and formalize their security plans, processes, and controls. For G&Ts and approximately 60 distribution co-ops across the country there are mandatory and enforceable cyber security standards from the North American Electric Reliability Corporation (NERC) that require upgraded levels of training for utility operators, multiple layers of security to shield operational and control systems from the Internet and even stricter procedures for visitor access (physical and electronic) to control rooms.
NRECA’s Lawson describes an example of one type of security technology, a security token—a physical device an operator would carry with them that changes their password every 30 seconds.
Another cyber-threat receiving high-priority attention from electric co-ops is protecting data and critical utility information to avoid identity theft of members’ information. Lawson says some co-ops hire firms to periodically try to hack into their computer systems, so the co-op can identify and fix the holes in their security.
Lawson describes a scary world of cyber terrorists, organized crime, issue-oriented groups, or just kids in their basement seeing what kind of trouble they can cause on the Internet. At the same time, he compares those high-tech threats to risks posed by hurricanes or the everyday need for paying attention to safety at the electric cooperative. Co-ops regularly use risk assessment and management practices to balance a wide range of threats to their systems.
“Physical security and cyber security are becoming just another cost of doing business,” says Lawson. “You’ll never be 100 percent secure, and all you can do is try your best to keep up with the bad guys. It’s a fact of life in these days and times we’re living in.”
Paul Wesslund from December 2016 Issue
Sandia National Laboratories
