Ultra Intelligence & Communications

Notes from the Road: DistribuTECH 2016

February 19th, 2016

This year was my first visit to DistribuTECH and, with my background working with electric utilities, I wanted to focus on the “Defending the Grid” track. Its sessions addressed a variety of subjects, including physical security, adoption of the NIST Cybersecurity Framework, and application of threat-assessment methodologies, to name a few. In addition, given the recent media coverage of critical-infrastructure vulnerabilities, many of the sessions touched on the implications of the December 23 Ukrainian cyber-attack that caused a massive electricity outage.

A Graphic Depiction of the Problem

With a session titled “A Childlike Approach to Grid Cybersecurity”, one might reasonably wonder about the seriousness of the subject matter. Fortunately, the speaker, Robert Lee, course author and certified instructor with the SANS Institute, did not disappoint. Drawing on a series of web comics he wrote (illustrated by Jeff Haas), Lee took a light-hearted approach to a matter of grave importance to owners and operators of utility industrial control systems (ICS). As reported by CNN, the Christian Science Monitor, and numerous other news outlets, elements of the Ukrainian power grid were disrupted in a deliberate and coordinated fashion. Over a period of six hours, breakers were opened without authorization, affecting the operation of 17 substations.

The attack appears to have originated within the utility business network. Using that as a foothold, malware penetrated deeper to infect and significantly degrade control systems that operate elements of the Ukrainian distribution system. It is not necessary to delve into geo-political intrigue or identify the adversaries responsible for the cyber-attack on the Ukrainian electric system to recognize that this is a revolutionary event.

Ukrainian electric utility-system operators effectively lost control of their system for a period of time. The bad news is that, during this time, hundreds of thousands of people were without electricity. The good news is that there have been no reports of permanent damage to critical elements of the electric system, such as high-voltage transformers or generation turbines. However, it is not a dramatic leap for an attacker to move from opening breakers that affect distribution systems to performing other actions that could cause significant, long-lasting damage.

Owners and operators of critical-infrastructure systems have an opportunity to learn from the Ukrainian event. It is no longer sufficient to rely on traditional firewalls and anti-virus solutions to protect critical systems. Every decision-maker in electric utilities and other critical-infrastructure sectors should consider the level of visibility and protection that they have inside their industrial control systems.

Not Just Electric Utilities

As described by The Register, a researcher with Trend Micro found that the malicious software used against the Ukrainian electric utility was also used to attack a mining company and a large railway operator in Ukraine. The take-away is that any operation that relies on computers or data communications services could be subject to cyber-attacks.

Game Changer

The Ukrainian cyber-attack is the first publicly disclosed example of adversaries using computers and malicious software to literally turn off the lights for a large population center in a deliberate and highly coordinated manner. Although this scenario has been widely discussed as a theoretical possibility, it has now become reality. It is very reasonable to expect new rules and regulations, new security practices and guidance, and potentially congressional hearings to address this risk. The issue is being closely observed by the US Department of Homeland Security. In mid-February, DHS, in conjunction with the National Cybersecurity and Communications Integration Center and ICS-CERT, issued a seven-page Official Use Only Incident Alert concerning the power outages experienced by the Ukrainian utilities. The alert cited several risk-mitigation strategies and detection methods concerning this event.

As I left DistribuTECH, with a wider perspective on the cybersecurity problem, I considered the challenges that critical-infrastructure owners and operators face in defending their networks.

Three key questions seem particularly relevant:

  • How would your organization respond to recent events such as the Ukrainian utility attack?
  • Have you implemented solutions that address the special operational needs of ICS networks?
  • Have you considered how to manage risks associated with the insider threat?

Leaders entrusted to provide uninterrupted delivery of essential services should consider their work incomplete if they are not prepared to answer these questions. Failing to take a proactive approach today could oblige them to answer more difficult questions in the future.