Is analog the answer for securing the grid?

The scope and nature of the cyberattack on the Ukrainian power grid last year has spurred legislation in Congress that would make the U.S. grid less digitized.


A cyberattack on Ukraine's power grid in December cut power for 225,000 people and set off alarm bells in the U.S. Congress. The scope of the hack, for which Russia is widely believed to be responsible, stoked fears that the American grid was at least as vulnerable and demanded a legislative response.

An analysis of the hack published by the Electricity Information Sharing and Analysis Center and the SANS Institute states it is "the first time the world has seen this type of attack against [operational technology] systems in a nation's critical infrastructure."  

The cyberattack was unusual because it hit two kinds of critical infrastructure: the electrical grid and the telecommunications system. Attackers generated thousands of calls to one of the Ukrainian power companies, which prevented customers from calling to report outages.

The Ukrainian hack was a "really serious warning…[that] this is a crisis waiting to happen," Sen. Angus King (I-Maine) said in a recent interview.

In June, King and three of his colleagues on the Senate Select Committee on Intelligence introduced a bill with a seemingly anachronistic answer to the threat: It advocates replacing digital devices on the grid with analog ones.

"The United States is one of the most technologically advanced countries in the world, which also means we're one of the most technologically vulnerable countries in the world," King said in announcing the bill.

The legislation would establish a two-year pilot program at the Energy Department's national laboratories to identify new security vulnerabilities in parts of the grid whose compromise could threaten public safety or national security. The $10 million program would support research and implementation of improved platforms, including "analog and non-digital control systems."

The Senate Committee on Energy and Natural Resources' Subcommittee on Energy will hold a hearing on the bill on July 12.

"If all we're doing is trying to combat hackers with more and more sophisticated and complex software solutions, I think we're doomed to failure," King told FCW.

Ukraine's grid operators managed to get the system back up and running relatively quickly thanks to an operational safety net. They were able to restore power "in hours because they had these old-fashioned grid control mechanisms and the people to operate them," said Paul Stockton, who as an assistant secretary of Defense led the Pentagon's response to Hurricane Sandy in 2012.

He added that the idea of maintaining certain analog or electromechanical control systems to shelter them from hackers is promising. However, the U.S. "power grid is much more technologically sophisticated [than Ukraine's], grows more so every year, and that introduces new attack surfaces for adversaries to exploit," said Stockton, who is now managing director of consulting firm Sonecon.

In recent years, the U.S. power grid has become increasingly automated through billions of dollars of investments in "smart grid" technologies that can save customers money and electricity. The Senate bill's embrace of analog stands in contrast to those modernization efforts, but King said the two are not mutually exclusive.

"I'm not…suggesting that we should repeal the 21st century," he said. "We're not talking about de-digitizing the grid in any serious way" but instead isolating certain nodes on the grid.

The downside to automation

The Department of Homeland Security has been preparing for a cyberattack on the U.S. power grid for years. A 2007 DHS-run experiment at the Idaho National Laboratory, known as Aurora, demonstrated how a hacking operation could knock out a power generator.

One of the lessons from Aurora was that it might make sense to have a generator in electromechanical (i.e., not digitized) mode to prevent it from reconnecting to the grid for a certain amount of time during a cyberattack, said Gib Sorebo, chief cybersecurity strategist at Leidos.

But expanding that approach to a broader swath of grid devices comes with risks, he added.

"From a security point of view, it may limit your ability to have visibility into parts of the grid by turning it into analog," he told FCW. "The best approach is probably a targeted one where you're focused on certain critical elements where the economic and efficiency losses would not be significant."

Utilities can deploy out-of-band sensors, or sensors that lack the control functions that would be vulnerable to attacks. But beyond that, significantly retrofitting the grid with analog systems could be costly and might require utilities to hire employees to operate the systems -- and those skills have become less common with grid automation, Sorebo said.

On the ground in Ukraine

Ann Barron-DiCamillo led DHS' U.S. Computer Emergency Readiness Team when the Ukrainian grid was attacked last December. In February, she sent a team of analysts to Ukraine to study the cyberattack. The delegation included industrial control system (ICS) experts from DHS and officials from the FBI and DOE.

US-CERT's report states that during the cyberattack, multiple hackers remotely operated circuit breakers using existing administration tools or remote ICS software. The Ukrainian power companies "believe that the actors acquired legitimate credentials prior to the cyberattack to facilitate remote access," the report adds.

Barron-DiCamillo declined to elaborate on her team's findings beyond what is in the report, but she did say US-CERT's preexisting relationship with its counterpart in Ukraine made for a smooth investigation.

In general, it is problematic if industrial control systems are completely digitized because they might be unable to operate in a degraded mode when attacked, said Barron-DiCamillo, who is now chief technology officer at Strategic Cyber Ventures. "You can't have all your eggs in one basket," she added.

Even if a utility hedges against digitization, it faces another huge challenge in responding to a cyberattack. The concept of mutual assistance that U.S. utilities have relied on to help one another restore power after natural disasters, for example, could be much more difficult to apply after a large-scale cyberattack. Stockton and other outside advisers made that point in a recently submitted report to Homeland Security Secretary Jeh Johnson.

Restringing power lines is a similar process from one utility to the next, but "much greater variation exists across ICS software, applications and system designs," states the report, which includes recommendations on how to fortify U.S. critical infrastructure against cyberattacks.

"Restoring these operational technology systems after a cyberattack requires specialized, utility-specific training, which will limit mutual assistance operations unless such challenges are resolved," the report states.

The Electricity Subsector Coordinating Council, a forum for utility industry representatives to collaborate with government on grid security measures, is trying to address that challenge.

The council is creating a Cyber Mutual Assistance program that "will pool cyber experts to coordinate response to a significant cyber incident," said Richard Ward, senior manager for national security policy at Edison Electric Institute, a utility association and a member of the council.

"In addition to cyber and IT experts, [the program] also will examine deploying engineers and substations technicians in the event we have a Ukraine-style cyberattack on the grid," Ward added.

Who will pay for it?

The federal government has made sizable investments in grid security, and utilities on the front lines are projected to spend billions on cyber defense.

The Obama administration's fiscal 2017 budget request for DOE includes $378 million for research and development for grid modernization -- an $83 million increase from the amount spent in fiscal 2016. The DOE request also calls for more than $333 million for cybersecurity -- $9.5 million above the fiscal 2016 enacted amount.

By contrast, U.S. utilities are expected to spend about $7 billion on cybersecurity by 2020, according to the Bipartisan Policy Center.  

Despite all the money being allocated to cybersecurity, analysts say it must be spent in a more targeted manner.

"We need objective criteria that state [public utility commissions] can use in order to determine whether proposed investment in cybersecurity and cyber resilience is prudent," Stockton said. "And that is a challenge that remains to be met."

Of course, no amount of spending guarantees security, and as utilities pour money into defense, U.S. officials warn of growing threats to the grid.

Adm. Michael Rogers, director of the National Security Agency and commander of U.S. Cyber Command, said in March that it is not a matter of if but when a nation-state or other group will conduct a destructive cyberattack on U.S. infrastructure. He cited the hack of the Ukrainian grid as an example.

Rogers' warning echoed those from within the Defense Department. Just weeks earlier, two Navy admirals sent a letter to Defense Secretary Ash Carter asking him to pay greater attention to ICS cybersecurity.

ICS vulnerabilities "will have serious consequences on our ability to execute assigned missions if [they are] not addressed," wrote Adm. William Gortney and Adm. Harry Harris, who are the commanders of U.S. Northern Command and U.S. Pacific Command, respectively. Northern Command's charge includes defending the U.S. in the event of a catastrophic cyberattack.

The hack of the Ukrainian grid will likely continue to drive the policy conversation in Washington as lawmakers size up the historic cyberattack.

"This is a big wake-up call," Stockton said. "We can anticipate the risk that adversaries will use more sophisticated weapons against the United States."
