The electric utility industry has spent vast amounts of money on cybersecurity, an investment that has steadily escalated since the Critical Infrastructure Protection (CIP) Reliability Standards became effective in 2008. Those investments, and the increasingly strict CIP Reliability Standards, were intended to address fears that hackers could use the industrial control systems and other computer systems that control the electric system to cause a blackout. Until recently, that threat was hypothetical. Now, for the first time, public reports have emerged of hackers taking down part of an electric grid.
In late December 2015, hackers allegedly infected several of Ukraine’s power authorities, causing blackouts that lasted several hours and affected thousands of people. Ukrainian authorities confirmed that malicious software infected several control systems, which disabled those systems and resulted in a power outage. The malware, known to have been involved in attacks since 2007, was reportedly embedded in Microsoft Office documents and was retrofitted to include code targeting power stations and other critical infrastructure. Although the geopolitical circumstances in Ukraine are drastically different from those faced by electric utilities in the United States, the attack provides a “proof of concept,” demonstrating that it is possible for an attacker to cause a widespread blackout—the threat is no longer hypothetical.
For those electric utilities already subject to CIP Reliability Standards, there are three key takeaways:
- First, the threat is real. This has the benefit of creating greater corporate awareness, but it also carries the risk of greater attention from regulators. Although recent changes to the Federal Power Act provide the federal government with the ability to direct short-term emergency actions in response to threats to electric infrastructure, an appetite for new authority and greater regulation continues in these areas.
- Second, strict implementation of the CIP requirements for malware protections can pay dividends in protecting critical computer systems. Recent reports suggest that known malware was used to gain access to these systems and cover up the signs of the intrusion.
- Third, protecting against malware cannot be a purely automated process; human error likely permitted the malware’s initial introduction into the utility’s systems. Reports suggest that the malware may have been introduced through macros in Microsoft Office documents, which employees opened as a result of spear-phishing attacks. Such attacks use social engineering to convince preselected email recipients to open apparently innocuous documents or click on apparently safe links. In reality, those actions cause malicious programs to download or run on the recipient’s computer, from which they spread throughout the connected network. This is a timely reminder that utility employees, particularly those with access to critical utility systems, should receive training on identifying and handling spear-phishing attacks as part of their regular security training. Such training, although not required by the existing CIP Reliability Standards, could be part of the quarterly CIP security awareness efforts required under CIP-004-5.1 R1.1.