16 Mar “Cybergeddon” is Threatening our Energy Industry. How Do We Stop It?
by David C. Darnell
Are they right — the well-known experts and authorities who think we are headed towards a catastrophic cyber-attack on the United States critical infrastructure, a “Cybergeddon”?
Ted Koppel, a writer after his career as a television journalist, proposes just that in his book, Lights Out. Mr. Koppel’s book suggests that the USA is primed for a cyber-attack that could completely disable our power grid for an extended period of time. Although not a cybersecurity expert, he focuses (very convincingly) on how ill-prepared our government and its agencies are to respond to such a catastrophic event.
Learning from Previous Energy Industry Cyberattacks
A famous cyber-attack Mr. Koppel references, as an indicator of cyber malware technology, is “Stuxnet.” Stuxnet malware took over a set of Iranian nuclear fuel factory centrifuges and destroyed them. Researching details beyond what Lights Out covers, one discovers Stuxnet was a horrific example of state-sponsored malware that enabled destructive control of an Industrial Control System (aka SCADA systems).
Several cyber-attacks in the Ukraine show that power grids are vulnerable to cyber-attack.
- In the first attack, in December 2015, over 225,000 customers lost power across several geographic areas. This attack used a spear phishing campaign on targeted individuals. This campaign generated a months’ long credential theft that intruded into the internal SCADA networks of three Ukrainian power companies. The sophisticated use of malware (“BlackEnergy 3” and “KillDisk”), plus the simultaneous hacking of UPS systems and telephone denial-of-service attacks, indicate a possible state-sponsored, well-organized and executed cyber-attack.
- A year later, in December 2016, the Ukrainian power grid suffered a second severe cyber-attack based on different malware (“Industroyer” aka “Crash Override”) which caused another extensive power outage. Many cybersecurity experts and cybersecurity companies think that “Industroyer” posed the greatest cyber threat to critical infrastructure since the notorious Stuxnet, and could be modified to disrupt other critical infrastructures, within and outside of the energy industry.
Our Department of Homeland Security (DHS) corroborates these warnings but says it has seen no evidence of malware used on the United States power grid. However, in April 2018, there was a widely-reported cyber-attack on a USA energy-industry EDI service provider. Over 100 industry organizations were affected, and they faced days of business system outages and resulting increased costs. Though the power grid was not directly affected, this cyber attack showed that “bad actors” (i.e., cybersecurity criminals) can cripple the industry by attacking not only Industrial Control Systems (SCADA) but associated energy-industry IT business systems.
Preparing through Cybersecurity Standards, Certification, and Organizations
But there is certainly hope — through positive developments in several cybersecurity technical areas: standards development, membership and participation in information-sharing and analysis, and education and training.
- Standards for sharing cyber threat information are being developed and are evolving. A standards committee in the OASIS organization has developed detailed technical standards for Cyber Threat Intelligence (CTI), and another is working on automating Command and Control systems (OpenC2). The evolution of machine learning offers great possibilities, as does artificial intelligence in software that defends against Zero Day attacks.
- Membership and active participation in an ISAO (Information Sharing and Analysis Organization) support cyber-sharing. America’s cyber adversaries move with speed and stealth. To keep pace, all types of organizations, including those beyond traditional critical infrastructure sectors, need to be able to share and respond to cyber risk in as close to real-time as possible. Organizations engaged in information sharing related to cybersecurity risks and incidents play an invaluable role in the collective cybersecurity of the United States. (ref. https://www.cisa.gov/information-sharing-and-analysis-organizations-isaos). My company, Systrends, has realized this value with active involvement in the industry-leading ISAO: ACTRA (Arizona Cyber Threat Response Alliance).
- Support of ongoing cybersecurity learning and training is critical. Each organization must see the value of cybersecurity training, and should require key personnel to constantly update their skill set with an ongoing educational program. The way followed, by most successful organizations in the energy industry, is to hire certified people and to encourage current employees to study and certify through accredited organizations such as (ISC)2 and ISACA. Key certifications maintained by these organizations are the CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), and CISA (Certified Information Systems Auditor). Another option is to partner with a cybersecurity service provider who can provide analysis, consulting, training, and technical support; the advantage is their focus remains fixed on cybersecurity and staying ahead of the bad actors while you have other business priorities to consider and manage.
Are we doing enough to stop Cybergeddon? Time will tell, but I know the efforts are there and the appropriate resources are beginning to be allocated. Obviously, the recent increase in emphasis and focus on protecting our critical infrastructure is going to help. We must stay alert, focused, dedicated, and work together to prevent a “lights out” in our energy industry, in our real world.
David C. Darnell is CEO of Systrends