Is analog the answer for securing the grid?

A cyberattack on Ukraine's power grid in December cut power for 225,000 people and set off alarm bells in the U.S. Congress. The scope of the hack, for which Russia is widely believed to be responsible, stoked fears that the American grid was at least as vulnerable and demanded a legislative response.

An analysis of the hack published by the Electricity Information Sharing and Analysis Center and the SANS Institute states it is "the first time the world has seen this type of attack against [operational technology] systems in a nation's critical infrastructure."  

The cyberattack was unusual because it hit two kinds of critical infrastructure: the electrical grid and the telecommunications system. Attackers generated thousands of calls to one of the Ukrainian power companies, which prevented customers from calling to report outages.

The Ukrainian hack was a "really serious warning…[that] this is a crisis waiting to happen," Sen. Angus King (I-Maine) said in a recent interview.

In June, King and three of his colleagues on the Senate Select Committee on Intelligence introduced a bill with a seemingly anachronistic answer to the threat: It advocates replacing digital devices on the grid with analog ones.

"The United States is one of the most technologically advanced countries in the world, which also means we're one of the most technologically vulnerable countries in the world," King said in announcing the bill.

The legislation would establish a two-year pilot program at the Energy Department's national laboratories to identify new security vulnerabilities in parts of the grid whose compromise could threaten public safety or national security. The $10 million program would support research and implementation of improved platforms, including "analog and non-digital control systems."

The Senate Committee on Energy and Natural Resources' Subcommittee on Energy will hold a hearing on the bill on July 12.

"If all we're doing is trying to combat hackers with more and more sophisticated and complex software solutions, I think we're doomed to failure," King told FCW.

Ukraine's grid operators managed to get the system back up and running relatively quickly thanks to an operational safety net. They were able to restore power "in hours because they had these old-fashioned grid control mechanisms and the people to operate them," said Paul Stockton, who as an assistant secretary of Defense led the Pentagon's response to Hurricane Sandy in 2012.

He added that the idea of maintaining certain analog or electromechanical control systems to shelter them from hackers is promising. However, the U.S. "power grid is much more technologically sophisticated [than Ukraine's], grows more so every year, and that introduces new attack surfaces for adversaries to exploit," said Stockton, who is now managing director of consulting firm Sonecon.

In recent years, the U.S. power grid has become increasingly automated through billions of dollars of investments in "smart grid" technologies that can save customers money and electricity. The Senate bill's embrace of analog stands in contrast to those modernization efforts, but King said the two are not mutually exclusive.

"I'm not…suggesting that we should repeal the 21^st century," he said. "We're not talking about de-digitizing the grid in any serious way" but instead isolating certain nodes on the grid.

The downside to automation

The Department of Homeland Security has been preparing for a cyberattack on the U.S. power grid for years. A 2007 DHS-run experiment at the Idaho National Laboratory, known as Aurora, demonstrated how a hacking operation could knock out a power generator.

One of the lessons from Aurora was that it might make sense to have a generator in electromechanical (i.e., not digitized) mode to prevent it from reconnecting to the grid for a certain amount of time during a cyberattack, said Gib Sorebo, chief cybersecurity strategist at Leidos.

But expanding that approach to a broader swath of grid devices comes with risks, he added.

"From a security point of view, it may limit your ability to have visibility into parts of the grid by turning it into analog," he told FCW. "The best approach is probably a targeted one where you're focused on certain critical elements where the economic and efficiency losses would not be significant."

Utilities can deploy out-of-band sensors or those without control functions that would be vulnerable to attacks. But beyond that, significantly retrofitting the grid with analog systems could be costly and might require utilities to hire employees to operate the systems -- and those skills have become less common with grid automation, Sorebo said.

On the ground in Ukraine

Ann Barron-DiCamillo led DHS' U.S. Computer Emergency Readiness Team when the Ukrainian grid was attacked last December. In February, she sent a team of analysts to Ukraine to study the cyberattack. The delegation included industrial control system (ICS) experts from DHS and officials from the FBI and DOE.

US-CERT's report states that during the cyberattack, multiple hackers remotely operated circuit breakers using existing administration tools or remote ICS software. The Ukrainian power companies "believe that the actors acquired legitimate credentials prior to the cyberattack to facilitate remote access," the report adds.

Barron-DiCamillo declined to elaborate on her team's findings beyond what is in the report, but she did say US-CERT's preexisting relationship with its counterpart in Ukraine made for a smooth investigation.

In general, it is problematic if industrial control systems are completely digitized because they might be unable to operate in a degraded mode when attacked, said Barron-DiCamillo, who is now chief technology officer at Strategic Cyber Ventures. "You can't have all your eggs in one basket," she added.

Even if a utility hedges against digitization, it faces another huge challenge in responding to a cyberattack. The concept of mutual assistance that U.S. utilities have relied on to help one another restore power after natural disasters, for example, could be much more difficult to apply after a large-scale cyberattack. Stockton and other outside advisers made that point in a recently submitted report to Homeland Security Secretary Jeh Johnson.

Restringing power lines is a similar process from one utility to the next, but "much greater variation exists across ICS software, applications and system designs," states the report, which includes recommendations on how to fortify U.S. critical infrastructure against cyberattacks.

"Restoring these operational technology systems after a cyberattack requires specialized, utility-specific training, which will limit mutual assistance operations unless such challenges are resolved," the report states.

The Electricity Subsector Coordinating Council, a forum for utility industry representatives to collaborate with government on grid security measures, is trying to address that challenge.

The council is creating a Cyber Mutual Assistance program that "will pool cyber experts to coordinate response to a significant cyber incident," said Richard Ward, senior manager for national security policy at Edison Electric Institute, a utility association and a member of the council.

"In addition to cyber and IT experts, [the program] also will examine deploying engineers and substations technicians in the event we have a Ukraine-style cyberattack on the grid," Ward added.

Who will pay for it?

The federal government has made sizable investments in grid security, and utilities on the front lines are projected to spend billions on cyber defense.

The Obama administration's fiscal 2017 budget request for DOE includes $378 million for research and development for grid modernization -- an $83 million increase from the amount spent in fiscal 2016. The DOE request also calls for more than $333 million for cybersecurity -- $9.5 million above the fiscal 2016 enacted amount.

By contrast, U.S. utilities are expected to spend about $7 billion on cybersecurity by 2020, according to the Bipartisan Policy Center.  

Despite all the money being allocated to cybersecurity, analysts say it must be spent in a more targeted manner.

"We need objective criteria that state [public utility commissions] can use in order to determine whether proposed investment in cybersecurity and cyber resilience is prudent," Stockton said. "And that is a challenge that remains to be met."

Of course, no amount of spending guarantees security, and as utilities pour money into defense, U.S. officials warn of growing threats to the grid.

Adm. Michael Rogers, director of the National Security Agency and commander of U.S. Cyber Command, said in March that it is not a matter of if but when a nation-state or other group will conduct a destructive cyberattack on U.S. infrastructure. He cited the hack of the Ukrainian grid as an example.

Rogers' warning echoed those from within the Defense Department. Just weeks earlier, two Navy admirals sent a letter to Defense Secretary Ash Carter asking him to pay greater attention to ICS cybersecurity.

ICS vulnerabilities "will have serious consequences on our ability to execute assigned missions if [they are] not addressed," wrote Adm. William Gortney and Adm. Harry Harris, who are the commanders of U.S. Northern Command and U.S. Pacific Command, respectively. Northern Command's charge includes defending the U.S. in the event of a catastrophic cyberattack.

The hack of the Ukrainian grid will likely continue to drive the policy conversation in Washington as lawmakers size up the historic cyberattack.

"This is a big wake-up call," Stockton said. "We can anticipate the risk that adversaries will use more sophisticated weapons against the United States."