In late June and early July, reports emerged that hackers had breached the business systems of several nuclear and energy plants in the United States, including Wolf Creek Nuclear Operating Corp. in Kansas. According to The Washington Post, Russian government hackers initiated the attacks, which pierced the business and administrative systems of the plants but not the operational technology systems controlling plant functions.
Though a spokesman for the Nuclear Energy Institute, the nuclear industry’s trade group, told Utility Dive that none of the nation’s 99 operating nuclear power plants had been “penetrated by a cyberattack,” the reports underscored the vulnerability of the energy and utilities sectors.
While energy and utilities (E&U) firms have increasingly become targets for such attacks, there are several steps they can take to protect themselves. Conducting wide-ranging security assessments is a top priority. There are also cloud-based tools that plants can use to monitor, identify and respond to malware and malicious actors on their networks, along with a whole host of other tools E&U companies can use to protect their networks and data.
But it is clear that utility companies face an uphill battle, according to the National Academies of Sciences, Engineering and Medicine. “It is now, however, becoming apparent that protection alone as mechanism to achieve cybersecurity is insufficient and can never be made perfect,” reads their July report “Enhancing the Resilience of the Nation's Electricity System.”
Cyberattacks have targeted power and utility companies in Ukraine and Finland over the past several years, note Stan Pietrowicz and Tony Bogovic, senior principal and vice president, respectively, at Vencore Labs, a communications and information research and engineering company. Writing in Utility Dive, they point out that the recent Petya malware attack “forced Ukraine’s national power grid company, Kievenergo, to shut off all of its computers.”
Utilities face a threat environment that is growing more complicated, especially as they adopt Internet of Things technologies like smart, connected energy meters and other sensors.
“Utilities are becoming increasingly complex, with greater dependence on energy automation, increasingly dynamic transmission and distribution systems with more distributed intelligence and field sensors, all tied together over a growing heterogeneous wide area network infrastructure often relying on wireless networks,” Pietrowicz and Bogovic write. “These smart energy systems offer improved reliability and operational benefits, but they also introduce potential vulnerabilities by increasing a utility’s overall attack surface.”
To get a handle on cybersecurity, utilities need to understand their vulnerabilities, which will help inform business and IT leaders about how to mitigate and manage risk through processes and IT investments, Pietrowicz and Bogovic note. Such assessments need to “go beyond the traditional network assessment and adequately cover the unique nature of embedded Industrial Control Systems (ICS),” they add.
The four domains utilities need to assess are core network infrastructures; software and management applications; embedded hardware and firmware; and wireless communications and networks, according to Pietrowicz and Bogovic.
Network assessments need to cover and validate the encryption and privacy of information, they state, adding that such assessments need to be supplemented with embedded hardware/firmware analysis and wireless communications analysis “to deliver a more complete picture of a utility’s security posture.”
Beyond security assessments, E&U companies can turn to the cloud for protection. In mid-July, Microsoft announced a new cybersecurity program, “Microsoft Azure Certified Elite Partner Program for Cyber Analytics in Power and Utilities.”
Larry Cochrane, Azure principal program manager for energy at Microsoft, wrote in a blog post that the company “is demonstrating a commitment to the industry by covering the initial costs for deploying and running the Operations Management Suite (OMS) for program participants.”
The program, Cochrane writes, will allow E&U companies to “better track threat actors currently in their network, identify malicious software dialing outbound from their servers, and establish an alerting system to enable active network cyber defense.”
The program uses the Microsoft Azure OMS Advanced Log Analytics Service to analyze customer logs uploaded to Microsoft’s Azure cloud. “This includes the data acquisition of network cyber logs across the utility enterprise and ICS networks to an Azure repository,” Cochrane says. “Global malicious site and threat actor intelligence is used to provide utility companies greater visibility into the current security state of their networks. The OMS alerting capability is also used to notify a utility if intrusion or new malware is detected, almost immediately.”
The National Academies report notes that malicious actors have attacked power companies’ IT systems, operational technology systems and the ICS layer in between them. As a result, the report calls for a “program of research, development and demonstration activities to improve the security and resilience of cyber monitoring and controls systems.”
The report identifies some cybersecurity basics E&U firms can follow, including identifying and apprehending cybercriminals, using firewalls and “whitelisting” communications sources, practicing good cyberhygiene, continuously searching for and removing pernicious code, and segmenting systems and networks to prevent the spread of malware. However, it notes that these measures are insufficient: relentless attacks and the difficulty of protection mean successful cyberattacks are “inevitable.”
Most cyberattacks against utilities have not penetrated operational technology systems that control plants and power grids, in part because “there are fewer attack surfaces, fewer users with more limited privileges, greater use of encryption, and more analog technology.”
However, the report says, the threat of a breach of OT systems is growing, as they become more intertwined with business systems and as more utilities adopt IP- and cloud-based services.
Therefore, utilities need to engage in “cyber resilience,” in the report’s parlance, which aims to protect systems as best as one can while acknowledging that “protection can never be perfect and requires monitoring, detection and response to provide continuous delivery of electrical service.”
Such an architecture should deploy a strategy for tolerating cyberattacks and other impairments “by monitoring the system and dynamically responding to perceived impairments to achieve resilience goals.”