By Rich Heidorn Jr.
WASHINGTON — The cybersecurity expert whose firm discovered the malware that caused blackouts in Ukraine in 2016 told state regulators that hackers targeting the U.S. electric industry are growing more numerous and more skilled.
“There are five dedicated teams targeting infrastructure sites in North America, including eight different campaigns targeting sites,” Robert M. Lee, CEO of cybersecurity firm Dragos, told the National Association of Regulatory Utility Commissioners’ Winter Policy Summit on Feb. 11. “This is an extreme uptick.”
In June, Lee’s company identified malware it named CrashOverride as the likely cause of a disruption in December 2016 that cut one-fifth of Kiev’s power consumption for an hour. (See Experts ID New Cyber Threat to SCADA Systems.)
The attack occurred about a year after the December 2015 attack on Ukraine — the first time hackers had taken down a portion of the power grid. The 2015 attack used the BlackEnergy program, which highjacked the supervisory control and data acquisition (SCADA) systems, taking control of operator workstations and locking the operators out.
CrashOverride — which can control circuit breakers without any manual involvement — takes advantage of the simplicity of SCADA. “CrashOverride was just knowledge of the 2015 attack getting codified in malware to make it scalable,” Lee said. “A lot of times we tell ourselves, ‘There’s computer vulnerabilities; if we patch the computer vulnerabilities, we’re OK.’ But that’s not the actual risk. … [The 2016 Ukraine attack] was just adversaries learning the industrial systems and using them against themselves — almost becoming malicious insiders even though they were remote.”
The 2016 outage lasted only an hour. But, Lee said, CrashOverride is still dangerous because it “can work without any modification across all of Europe, most of the Middle East and most of Asia.”
The malware is an illustration of the increasing sophistication of hackers, Lee said. As recently as 2014, he said, there were only two campaigns against infrastructure sites. 2015 saw not just the first attack on Ukraine but also a cyberattack that caused physical damage at a steel mill in Germany — only the second attack to produce such results, after the Stuxnet attack on Iran’s nuclear centrifuges.
Last year, the first known malware specifically targeting industrial safety systems was identified, Lee said. The malware, which targets Schneider Electric’s Triconex safety instrumented system, was deployed against at least one victim in the Middle East. “It was going after safety systems in oil and gas production facilities. The only purpose of a safety system is to protect human life. If you go after it willfully … you are either intending to kill people or you’re just OK with doing so.”
Lee said grid operators and other industries face two strategic challenges. “We don’t truly understand or appreciate our industrial threat landscape,” he said. “So, we get a lot of best practices or compliance standards written off of business network security, not industrial network security to address the real risk.
“The second challenge is there’s not a lot of people who are industrial cybersecurity experts. The Department of Homeland Security puts that at around 500 people in North America … so you’re not going to scale that across the industry.”
Lee said small electric cooperatives and water utilities may be particularly vulnerable because of their limited staffs. He said his company has done “charity” work for one small water utility where “the one IT guy actually mows the lawn on Fridays.”
Tim Roxey, NERC’s chief security officer, said there are fewer than 500 people who have the necessary cybersecurity expertise and understanding of both NERC’s Critical Infrastructure Protection standards and federal government rules.
“You don’t find a whole lot of beer conversations around the bar about the Administrative Procedures Act, and yet these things are fundamental … to how we actually … develop the standards, implement the standards [and] enforce the standards,” he said.
There is some good news on that front, however. In an earlier presentation at the NARUC meeting, Dennis P. Gilbert Jr., Exelon’s chief information security officer, reported on his company’s adoption of the National Initiative for Cybersecurity Education (NICE) Workforce Framework. Developed by the National Institute of Standards and Technology, the program provides organizations with a common lexicon for describing cybersecurity careers by category, specialty area and work role. It involves creating new job titles and performing a market salary assessment.
Gilbert said Exelon was happy to reward many of their cybersecurity team members with 10 to 35% pay raises, citing better morale and a lower attrition rate of 5% — reducing the costs of having to recruit and train new workers in the “high demand, low density” career field.
How Moody’s Measures Cyber Risks
Jim Hempstead, managing director of Moody’s Investors Service’s Global Infrastructure Finance Group, who shared the panel with Lee and Roxey, explained how cyber risks figure in credit rating agencies’ evaluation of companies’ ability to pay their debts.
“We do not explicitly incorporate cyber risks into the credit analysis for the utility industry or for any of the other” industries, Hempstead said. “The transparency and disclosure around cyber risks are unreliable. There’s just not enough disclosure as to what the events are. And there’s not enough disclosure as to what is actually happening behind it.”
Instead, Hempstead said, Moody’s conducts scenario analyses that treat cyberattacks like extreme weather — a low-probability, high-impact event.
“We have seen over and over again utility companies that are able to absorb the impact of a severe event that in many instances has significant financial consequences, but the company is still able to right itself and put itself back on track.
“Now that means the cyberattack [modeled] is not a permanent destruction of critical infrastructure,” Hempstead added, distinguishing it from the dire scenarios painted by Ted Koppel in his controversial 2015 book “Lights Out.” (See Critics: Koppel Doomsday Scenario Ignores Prep.)
“If Ted Koppel is correct and everything east of the Mississippi is affected by cyber for 18 months, that’s outside the bounds of what we’re incorporating in our analysis,” Hempstead said. “But because utilities are viewed by Moody’s as critical infrastructure assets, we believe there will be an extraordinary government intervention to assist the company in putting itself back on track.”
Hempstead said Moody’s is concerned that the cybersecurity regulations for the utility industry “could create a culture of compliance where the defenses are relaxed because the compliance check boxes are getting checked. That’s, we don’t think, the right mentality. Cyber risk is an enterprise risk issue and therefore it resides at the board of directors. And we are very encouraged at how many boards of directors in the utility sector are very focused on cyber.”
Lee said some of his customers have been reluctant to embrace innovation for fear of being found in violation of reliability standards. Others express concern over how Dragos’ subscription-based services will impact their bottom lines. “Right now, one of the biggest pushbacks I get from a lot of my customers across the utility industry is, ‘Hey is there any way we cap ex this?’” he said. “We have to figure out how to make sure that the [security effort] that is already moving in the right direction is not hampered by the way we want to do accounting.”
In an earlier presentation, Bill Lawrence, director of NERC’s Electricity Information Sharing and Analysis Center (E-ISAC), shared lessons learned from GridEx IV exercise in November, which simulated physical and cyberattacks on the electric system. (See Ukraine Attacks, ‘Fake News’ Color NERC GridEx IV Drill.) E-ISAC works with the Department of Energy and the Electricity Subsector Coordinating Council (ESCC) to inform the industry about physical and cyber threats.
“The scary thing is … everything we come up with [as an attack scenario] has happened somewhere in the world — about 99% of our entire scenario [has happened],” Lawrence said. “So, things with drones, things with modular malware, things with drains on resources in both computer and physical security.”
A public report on GridEx IV is due at end of March. A meeting will be held in November to plan for GridEx V, to be held in 2019.