Cyber Attacks on PJM: When, Not If

Oct 22, 2013

How PJM Interconnection practices cyber security. An attack is a question of when, not if, says an RTO official.

LAUREL, MD — As manager of a team of eight staffers charged with combating cybersecurity threats to the PJM grid, Stephen McElwee carries secrets.

Steven McElwee, PJM Manager, Corporate Information Security at the October meeting of the INCOSE Chesapeake Chapter

“If I run off to a security briefing, I learn a lot of things and I go home scared. But I can’t tell my analysts who are actually doing the real-time monitoring anything about it” because security clearances are limited to managers, he says.

Such is life in the cybersecurity world, McElwee, PJM manager of corporate information security, told an audience of more than 80 systems engineers at John Hopkins University Applied Physics Laboratory here. Most of the audience at the lecture, sponsored by the International Council on Systems Engineering (INCOSE), were contract workers for the nearby National Security Agency. (See video of lecture.)

“A year and a half ago I would have said [hackers] haven’t touched the energy sector. Now they are touching the energy sector,” he said. “It’s not a matter of if [PJM is attacked] but when.”

Threats to Pipelines, Smart Meters

McElwee said natural gas pipelines have been under attack since last year. “That campaign resulted in breaching of many natural gas companies — stealing plans, and gaining possible footholds in those companies.” Some hackers obtained plans for pipeline compressors.

McElwee and his colleagues also worry about botnets — private computers infected with malicious software and controlled as a group — taking control of thousands of smart meters. “You could … suddenly switch on and off that load, making it nearly impossible to control” the system, he said.

PJM Defenses

PJM’s defenses are a combination of risk assessment, education of system users and information-sharing partnerships with government and industry.

Education is key to prevent “spear phishing,” in which hackers penetrate networks through unwitting employees.

Thus, PJM hired a consultant to conduct mock phishing campaigns by sending employees emails with links that could have contained malware. When the test started, McElwee said, one in five recipients clicked the bad links. Over a year of education, the click-through rate was reduced to 4%, where it has remained in the current year. “It’s hard to get it below that” rate, he said.

PJM also has hired contractors to conduct penetration testing — probing the network for vulnerabilities — and to provide 24-hour monitoring of threats. It has staff dedicated to installing patches and has formed a security assessment committee of PJM officials to identify risks in any new software and projects.

`Kill Chains’

The company uses “kill chain” analyses to assess threats: “How far did it make it? Where did we stop it? Where did we detect it?”

PJM uses that data as an input back in its risk assessment, McElwee said, “so we have a feedback loop that allows us to continually improve our security posture.”

PJM relies on partnerships with industry and government to ensure it has adequate response plans and the best technology. “We recognize we can’t do this on our own,” McElwee said.

Cyber Risk Information Sharing Program (CRISP) (Source: PJM Interconnection, LLC)

Thus, PJM has become one of four pilot participants in the Cyber Risk Information Sharing Program (CRISP), a Department of Energy program involving Argonne National Laboratory, Pacific Northwest National Laboratory (PNNL), and the Electric Sector Information Sharing Analysis Center, a project of the North American Electric Reliability Corp. (NERC).

CRISP analyzes PJM’s network traffic and uses “snort signatures” and other techniques to identify potential threats.

“When there’s something suspicious that they see on our network they give us a call and say `here’s an IP address you need to block’ and we can proceed and block that address and never know it was the nation-state of the day that was attacking us,” McElwee said. “All we know is that somebody was watching out for us.”

CRISP is considering adding 20 new participants soon, with a broader expansion after that. “Because the power grid isn’t just PJM,” McElwee said. “It’s all the transmission owners all the generation owners that make up the entire system.”

NERC Standards ‘Dated’

McElwee said NERC’s Critical Infrastructure Protection standards are “dated.” A new version, which is awaiting final approval by the Federal Energy Regulatory Commission, “promises a lot more protective mechanisms,” he said. (See FERC OKs New Reliability Standards)

President Obama’s executive order, issued in February, was helpful in providing industry increased access to information, he said. “Not all information needs to be classified as high as it is.”

Reliability