By Paul Wesslund
About 3:30 in the afternoon on December 23, 2015, operators at three electric utilities halfway around the world in western Ukraine found that they were no longer the only ones in control of their computer terminals. Someone from outside the utilities had taken over the controls and started opening circuit breakers at more than 27 substations, cutting power to more than 200,000 customers. At the same time, thousands of fake calls clogged the utilities' switchboards, preventing people from phoning in for information about the outage. Utility workers switched to manual operations, and it took three hours to restore power.
That’s not a movie plot. And if you missed or forgot about that news report, people who run electric utilities have not. Attention to cyber security at electric utilities has been growing fast in the past few years, and the Ukraine attack pushed that trend into overdrive.
“It’s garnered a lot of attention from the federal government and throughout the industry,” says Barry Lawson, Associate Director of Power Delivery and Reliability for the National Rural Electric Cooperative Association (NRECA).
A big part of Lawson’s job is helping the nearly 1,000 public power districts and electric co-ops in the country understand digital-age dangers, and ensuring that they know how to protect and secure the power supply, electric grid, and co-op members and employees from Internet mischief.
Public power districts and electric co-ops are showing they do understand the importance of cyber security, says Cynthia Hsu, Cyber Security Program Manager for Business and Technology Strategies at NRECA.
“Electric cooperatives were the first utilities to test and use the U.S. Department of Energy’s cyber security self-assessment tool,” says Hsu. “They are often on the cutting edge of implementing best practices to improve their cyber security capabilities.”
While the Ukraine cyber attack has been studied in depth by U.S. utilities and the U.S. Department of Homeland Security, most analysts see a large-scale attack by hackers as unlikely to succeed in this country. The reports characterize the Ukraine attack as extremely well planned and coordinated, but not technically sophisticated.
The Ukraine incident actually began as early as March 2015, when utility workers received e-mails carrying Microsoft Office documents, such as an Excel spreadsheet, that appeared to come from the Ukrainian parliament. They did not. When workers followed the e-mail's instructions and clicked the prompt to "enable macros," malware embedded in the documents, called BlackEnergy 3, silently infected the system. Among other capabilities, BlackEnergy 3 can let an adversary record every keystroke made on the infected computers, giving hackers the passwords and other login information needed to reach the utility's operations control systems.
Defenses against that kind of attack are pretty basic, and you’ve probably even heard the warnings yourself—don’t click on any links or attachments unless you were expecting the message to be sent to you. Utilities are increasing their efforts to enhance and formalize their security plans, processes and controls. New cyber security standards require upgraded levels of training for utility operators, multiple layers of security to shield operational and control systems from the Internet and even stricter procedures for visitor access (physical and electronic) to control rooms. These utilities are regularly audited for cyber security compliance, and regulators, such as the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC), can levy strict penalties for not following standards.
NRECA’s Lawson describes an example of one type of security technology, a security token—a physical device an operator carries that generates a fresh one-time login code every 30 seconds, so that a password captured by a keylogger is not enough on its own to log in.
NRECA has also worked with the Department of Energy to develop software called Essence, which constantly monitors a utility’s system for even a microsecond of irregularity that might indicate some kind of hacking attempt or malware is interfering with the system.
With all that attention to keeping the electricity flowing, Lawson says there’s another major cyber-threat receiving high-priority attention from public power districts and electric co-ops—protecting member data and critical utility information against theft and the identity fraud that follows it. He says some rural electric utilities hire firms to periodically try to hack into their computer systems (penetration testing), so the utility can identify and fix the holes in its security before a real attacker finds them.
Lawson describes a scary world of cyber terrorists, organized crime, issue-oriented groups or just kids in their basement seeing what kind of trouble they can cause on the Internet. At the same time, he compares those high-tech threats to risks posed by hurricanes or the everyday need for paying attention to safety at the public power district or electric cooperative. Rural electric utilities regularly use risk assessment and management practices to balance a wide range of threats to their systems.
“Physical security and cyber security are becoming just another cost of doing business,” says Lawson. “You’ll never be 100 percent secure, and all you can do is try your best to keep up with the bad guys. It’s a fact of life in these days and times we’re living in.”