Translating power grid security concerns into action

Cameron Camp, ESET security researcher

On the heels of our recent investigations into threats against critical infrastructure like power grids, transportation and other systems that we count on every day, public agencies and private parties alike wonder if we can trust the power grid (see this selection of WeLiveSecurity articles).

I was recently invited to speak at a Lexington Institute Capitol Hill Forum in Washington D.C. titled “Cybersecurity of the Electric Grid,” along with officials and other industry experts offering differing perspectives on the topic. In years past, the bulk of attention paid to the grid was focused on capacity and distribution, but now it centers on cybersecurity. More specifically and urgently, the concern is this: how ready are we for a large-scale attack? Whether here in the U.S. or elsewhere, anxiety about this is coming to the forefront.

While policy makers lean in and promise budget and resources to assist, which is good, there’s a lot of other work to be done.

During our investigations, we have found that operators often make simple mistakes, or that plants run computers that are woefully underpatched. A large part of the problem is not the technology itself but the people and processes involved in its use and deployment.

Yes, there are people looking for examples of zero-day exploits being used against a power grid, but investigations of actual attacks show that a zero-day is not needed when you can hack the operator and achieve the same thing.

So the challenge will be manifold, starting with better education and reporting, but extending quickly to the difficult task of defending ancient (in computer terms) physical systems like pumps, motors, generators and the like.

It is important to bear in mind that the protocols used to talk to these machines were not designed with security in mind, often lacking the most basic authentication you would expect on any computer or network nowadays. The machines just listen for commands, assume they’re legitimate and act. Most of the time that’s fine, unless a rogue process or actor sends the command.

There’s a significant amount of effort being spent to determine if systems are already infected and just awaiting a payload to do the bidding of the attackers when the time comes. It’s difficult or impossible to put an exact number on this, but penetrating these systems would be an important first step (after identifying targets and doing reconnaissance), regardless of what payload might be chosen later.

Modern modular malware can act in this way, sending system information back to the mothership after the initial infection and then delivering a payload chosen based on the information gathered. The beginnings of this sequence of events are starting to be noticed worldwide, so it merits a certain amount of attention (see this US CERT Alert on VPNFilter – a piece of router malware that takes an interest in Modbus packets, also discussed in this WeLiveSecurity article).
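Because Modbus carries no authentication, the only control point a defender has is whether the source of a state-changing command is an expected host. The following added example (not from the article, ESET, or any product) parses Modbus/TCP frames and flags write commands from hosts outside an assumed engineering-workstation allowlist; the frames and IP addresses are constructed for illustration.

```python
"""Flag unauthenticated Modbus/TCP write commands from unexpected hosts."""
import struct

# Function codes that change PLC state. The protocol accepts them from anyone,
# so monitoring who sends them is the practical substitute for authentication.
WRITE_FUNCTION_CODES = {
    5: "write single coil", 6: "write single register",
    15: "write multiple coils", 16: "write multiple registers",
}

def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header and function code of one Modbus/TCP frame."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    if length != len(payload) - 6:  # length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function_code": payload[7], "data": payload[8:]}

def flag_unexpected_writes(frames, allowed_writers):
    """Return alert strings for writes from hosts not on the allowlist.

    frames: iterable of (source_ip, raw_frame_bytes). Malformed frames are
    reported too, since a protocol monitor should not silently drop them.
    """
    alerts = []
    for src_ip, payload in frames:
        try:
            pdu = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append(f"{src_ip} sent malformed Modbus frame: {err}")
            continue
        fc = pdu["function_code"]
        if fc in WRITE_FUNCTION_CODES and src_ip not in allowed_writers:
            alerts.append(f"{src_ip} sent {WRITE_FUNCTION_CODES[fc]} "
                          f"(FC {fc}) to unit {pdu['unit_id']}")
    return alerts

# Constructed sample traffic (hypothetical addresses, not captured data).
SAMPLE_FRAMES = [
    ("10.0.1.5", bytes.fromhex("000100000006010300000001")),   # HMI reads a register
    ("10.0.1.5", bytes.fromhex("000200000006010600010001")),   # HMI writes a register
    ("10.0.9.77", bytes.fromhex("00030000000601050000ff00")),  # unknown host sets a coil
]
ALLOWED_WRITERS = {"10.0.1.5"}  # assumed engineering workstation

if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(alert)
```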

The good news is that these conversations are now happening at the highest levels, thereby providing the impetus (and hopefully budget) to start driving some change.

But change won’t be instant. Again, many of these systems have served reliably for decades, making system owners and operators loath to change them out for anything different. So progress won’t be as simple as a software patch, but at least the process of change seems to be gaining momentum. At this rate, the grid will slowly become more secure over the coming months and years, as the army of practitioners, policy makers and others continues to roll out fixes. And while it won’t all happen at once, it’s far better than not happening at all. Think of it as a wake-up call, long overdue, but now ringing out louder and clearer than ever.