Program & Risk Management Issues

 

Cyber Security Holes Pose Major Risks for Utilities

The risks of cyber attacks on utility systems are on the rise from both casual and organized hackers, and companies are facing potentially large investments to bring their computer systems into compliance with evolving industry security standards.

Spending by electric, gas and water utilities for cyber security is estimated at $15 billion to $18 billion over the next three years; overall U.S. spending in this area is forecast to reach $50 billion, according to Gartner Inc., a research organization. Much of this investment will be made in response to the government regulations that stemmed from widespread inaction on this issue.

The typical large utility can get “pinged” about 1 million times or more per day by parties trying to gain access to the computer networks that ultimately are the doorways to the operating and financial systems, said Dan Rueckert, Associate Vice President for Black & Veatch’s management consulting division.

While the idea of a million pings a day – 12 times per second – sounds like an astronomical number, it is important to recognize that with a little information and minimal guesswork, an unfriendly party can set up an automated script to repeatedly and continuously attempt variations on entering a system, according to Cathy Ransom, a Senior Consultant for Black & Veatch’s cyber security practice. “Each one of those attempts, generated by code, is a ping against the system and must be uniformly and proactively defended against.”

She added, “Given the current capabilities of processors and connectivity speed, 12 times per second is a very reasonable estimate.”

George Gamble, a Director in Black & Veatch’s management consulting division, said, “Through our customer efforts, we have mapped 16 threat categories with 216 specific utility-related threats that every utility should pay attention to.”

It is estimated that 80 percent of the hacks or unauthorized intrusions into utility systems are done by a company’s own personnel, either through recklessness or disgruntlement, he said.

Utility management needs to take this issue seriously. The impact of a cyber incident within a utility can be huge: it can affect productivity (lost man-hours) and financial performance (lost sales, credit rating, stock price), incur incremental costs (overtime, regulatory fines) and hidden costs (liabilities, lost opportunities), and compromise reputation.

SMART GRID GATEWAYS

The major utility operating sectors, such as generation, transmission and distribution, used to be stand-alone silos with isolated computer systems. Now they must all be integrated on some level to exchange data. Evolving smart grid technology, while introducing efficiency gains for the industry as a whole, is adding another tier of complexity – the neighborhood area network. Home appliances will be able to “talk” to a home’s electric meter, and each meter will send information back into the utility computer network.

Each of those nearly universally distributed interface points is a potential gateway into the utility computers, Gamble said. Additionally, since many utilities also accept bill payments by credit or debit cards over the phone or through the Web, integrated banking functions add another layer of potential vulnerability.

“The data is probably one of the most important aspects of everything the hackers go after,” Gamble said. “What can we do to the data; what is in it that’s of value?”

Data collection is a major aspect of the advanced metering infrastructure (AMI), which is the heart of the smart grid. “We are not just going with a fixed amount of power usage per month on the meter, but now we’re starting to look at how much the customer uses at given times of the day, the appliances they use – information that could be used in sales and marketing efforts. It opens a whole spectrum because it’s all about the data,” Gamble said.

EASY HACKING

Rueckert noted that getting into some of these systems is not that hard. A hacker might take one of the many tools available on the Internet to analyze an externally facing “doorway” to a company’s computer systems, he said. The hacker will find a portal that is in use, and might see that the software that is running has a known vulnerability, allowing the perimeter to be breached.

Once on the computer system, one can start scanning from there looking for ports and services. “It’s that easy,” Rueckert said.

It is important to note that hackers are not just focusing on large utilities, but also scan small- to medium-sized utilities that might offer an easier front door.

Sometimes, the keys to the kingdom are even presented to the outside world on a silver platter.

For example, one company recently installed a firewall but never sent the technician for training on that piece of software. The tech configured the firewall on the wrong side of the router, which allowed a payment system to be wide open to the Internet.

“I could see all of the credit card transactions,” Gamble said. “I was on the Internet recently, looking for an example of a vulnerability report. And up comes the vulnerability report of a particular organization with all of their Internet protocol addresses and host names. Once I have that, I’m good to go. The full report was published online. I’ve seen major banks published that way.”

And sometimes gaining access is even easier than that.

In a series of surveys released last year, the consulting firm Credant Technologies found that:

  • 17,000 flash drives were left in clothes dropped off at 500 dry cleaning and laundry shops in the UK during 2010.
  • Surveys of taxi drivers in London and New York found that more than 25,000 hand-held devices such as laptops, iPods and memory sticks are left in taxis annually.
  • More than 11,000 laptops, tablets, smart phones and flash drives were left behind by travelers at U.S. airports in the 12 months through June 2011.
  • In 2011, nearly 2,200 hand-held wireless devices were lost at the 15 busiest U.S. shopping malls; 1,100 were never claimed.
  • 2,300 laptops, tablets, smart phones and USB drives were left behind in hotels from four major chains in San Francisco during 2011.

STAYING SECURE

What can utilities do to safeguard against intrusions?

Gamble said, “The first thing is a good defense in depth. It always comes back to the layers of the onion. Hackers will likely penetrate a utility’s systems, but if the proper security is in place, we should be able to limit the depth of the intrusion. They won’t get in far enough to do damage.”

Often it is simply a matter of properly using available software tools. “I know of a company where they had put up some firewalls that started to slow down traffic, so they just set the program at ‘accept all,’” Rueckert commented. “That makes the firewall of no value.”

He pointed to a list of 20 key vulnerability areas compiled by the SANS Institute, a cooperative research and educational organization for cyber security. If utilities just focused on the 20 areas identified by SANS, they would be about 80 percent of where they need to be from a security and risk perspective. “We could spend a month just talking about ‘boundary defense’ alone,” Rueckert said. (See the sidebar on p. 8 for the list.)

Last fall, the U.S. Securities and Exchange Commission issued disclosure guidance related to cyber security risks and costs that may have far-reaching impacts on utilities. Rueckert and Gamble pointed out that electric utilities already subject to the North American Electric Reliability Corp. standards for critical infrastructure protection may need to more closely evaluate their compliance costs and potential financial exposure to hacking.

Rueckert and Gamble also noted that some utilities still are not putting much effort into cyber security and are not taking it seriously enough. What will it take to change?

Rob Lee, curriculum lead and author for digital forensic and incident response training at the SANS Institute, said that just as it took a hurricane with the ferocity of Katrina to get the levees fixed in New Orleans, “I believe that it will take a true incident for anyone to make it a national priority.”

Story by Samuel Glasser, Black & Veatch



  Subject Matter Experts:
  George Gamble, GambleGD@bv.com
  Cathy Ransom, RansomC2@bv.com
  Dan Rueckert, RueckertD@bv.com