Just weeks after federal officials confirmed the first known disruption caused by a hack of the U.S. electric grid, a new industry survey reveals that power providers are at a loss for how to respond to rapidly evolving and ever more potent cyber threats.

Cyberattacks have evolved from sieges on information, like office files and data, to the types of attacks that once seemed relegated to Hollywood, imperiling critical infrastructure like substations, high voltage transmission lines, and even power plants themselves.

More than half of the world's electric utilities say they're ill-prepared to fend off such an attack, according to the survey released Friday by Siemens, which was conducted in the first half of the year. Roughly the same number reported that a cyberattack has forced a shutdown or loss of operational data – not just one time, but at least once per year. And a quarter have been hit by so-called "mega attacks" like the WannaCry ransomware attack, which had infected hundreds of thousands of computers at a cost of more than $8 billion.

"This is not just a theoretical issue, but is a very real national security issue," former Homeland Security Secretary Michael Chertoff said Friday while introducing the study's findings at the Atlantic Council, a think tank based in Washington. "The surface area for attacks is dramatically increasing."

The report comes just weeks after the North American Electric Reliability Corporation, a federal regulator, confirmed that a remote hacker – for apparently the first time – interfered with the U.S. electrical grid, disabling systems that had allowed an unnamed utility to communicate with and monitor crucial power sites in Utah, Wyoming, and California. The breach, first reported this spring by E&E News, did not cause any power outages, but it underscored the vulnerabilities facing an electric grid often hamstrung by outdated software, legacy equipment, and deep layers of regulation, even as it integrates decentralized energy resources like solar panels and wind turbines that demand ever more connectivity.

Attackers meanwhile have also flexed their muscles overseas: Successive cyberattacks have repeatedly brought down parts of the electric grid in Ukraine, robbing hundreds of thousands of homes of heat and power in the dead of winter. Last year, a sophisticated cyberattack apparently sought to trigger an explosion at a chemical plant in Saudi Arabia.

"In each of those cases, there's one common thread, and that is visibility: The operator didn't know at first if she or he was experiencing a cyberattack or if their core system was malfunctioning," said Leo Simonovich, global head of industrial cyber and digital security for Siemens Gas and Power, and the lead author of the company's report. "If we want to build confidence in the industry, we have to empower the industry with information, if they're operating blind they feel uneasy about this. Can you detect? Can you contain? Can you respond? [That] only 18 percent [of utilities are] using the right kind of tools is a proxy for this kind of problem."

Cheddar spoke with Simonovich about this evolving threat to utilities and other industrial sites, from petroleum refineries to petrochemical plants – what he called "the new risk frontier." The interview has been edited and condensed for clarity and brevity:

If you look at the frequency of attacks targeting the operating environment – and we're talking about power plants, substations, high voltage transmission lines – they are getting worse. And the industry is not well-prepared to address these challenges: 58 percent said that they're not well-prepared to address this challenge. And once an attack does happen, they're not well-prepared to respond – one-third do not have a basic incident response plan.

Digitization has driven enormous benefits: The grid has become more resilient, more intelligent, the upward production capacity from traditional fossil to renewables – there's enormous promise there. But that requires connectivity, a catch-22: the more connectivity you have, the more attack surfaces you have, the more opportunity for malicious actors to cause damage.

Many of those attacks are coming from nation-states, and utilities are faced with a perfect storm: They have to deal with machine-speed attacks on legacy assets that are interconnected, with security being an afterthought. And in many ways, they're not prepared to deal with that.

Some utilities don't know what assets they have. Others don't know whether an adversary is in their networks, is traversing their networks, and can activate and cause damage. It took something like 88 days for organizations to respond to a cyberattack. Only 18 percent are using any sort of artificial intelligence and analytics to do detection. In many ways, they're operating blind.

There's an enormous skills gap – a small organization may be lucky to have one to three, one to 10, people that do security. And the ones that do operational technologies are nonexistent. Who owns industrial security today? The job of operating plants has been with operations – the people who operate the controls that manage power. The job of security has been with the chief information officer. Those two groups don't speak the same language.

We have to have a mindset change, and that is already happening. We are moving away from being based on compliance [with regulations]. We think compliance is important. It helps provide us a baseline, it provides hygiene, but what it doesn't do is protect against a changing adversarial environment, which is becoming more potent and more hard-hitting.

The energy value chain is becoming more compressed – there are oil and gas companies that are now the largest producers of power in the world. The good news is that there is real awareness of this problem.

The report found that insider threats make up the majority of the attacks on this type of infrastructure. Why is that?

It's not a question of who, it's a question of how. So nation-states may use someone – whether it's a negligent insider, or someone who brings a stick into the plant and then puts it into the control system, or brings in an iPhone and charges it in a system – and suddenly malware is introduced into the environment.

Some environments are air-gapped, they're not connected to the internet. And yet they are still vulnerable, and they're vulnerable because of the way the adversary will work: They'll spread the malware on office networks, and then someone will bring it into the plant.

The flip side of that coin is when you're disconnected you can't see your operating environment. So the panacea of just unplugging, 'let's just go back to analog,' is not feasible anymore because it's not sustainable from a business standpoint and it doesn't give you security.

[If] you and I put solar panels on our houses, we are now connected and we are connected to the trade system. So the idea of a castle and a moat as a way to protect yourself doesn't apply anymore. The value chain is distributed, it's decentralized, and it's hyper-connected.

Utilities spend 30 percent of their funding on compliance – it's a big number. Not that compliance is bad, but it has to be rationalized against the size and the ability of the utility. There has to be a way to pool resources for providers who specialize in operational security to address these problems that the threat environment is introducing.

The government has to encourage a risk-based approach and how we can pool resources together to address this wave. Regulation is not bad. It's been really important in lifting the middle and providing a key foundation for basic hygiene issues. But when you have regulation that's really prescriptive, sometimes it lags and sometimes it's really patchy.

The introduction of renewables into the grid, and the introduction of things like the cloud – we're only just beginning to see regulatory [action] around the cloud. Cloud has been around for a long time, and we're just seeing it with utilities.

Digitalization is core to the operating model. So how do we enable things like the Internet of Things to happen? How do we deal with these more sophisticated attacks? The government has an important role to play in establishing regimes, trans-Atlantic regimes that make sense for things like transfer of data, but helping to secure against these nation-state-based attacks.
