Utilities looking to fortify their systems against cyberattacks must consider NERC’s Critical Infrastructure Protection (CIP) standards a starting point to be supplemented by additional security measures, according to a cybersecurity expert focused on the energy sector.

In a webinar hosted by EnergyCentral on Wednesday, Richard Brooks, CEO of Reliable Energy Analytics, said that despite repeated warnings about the rising threat of malicious cyber actors — especially to the power grid — many utilities still have not implemented comprehensive risk assessment and security protocols. (See Government Urges Action on Cyber Threats.) Citing the 2017 attacks on the Ukrainian power grid attributed to hackers employed by the Russian military, he warned that operators that fail to take their cyber risk postures seriously face the same fate.

“Originally, [the Ukraine energy company’s] risk assessment said they had very low risk of anything happening, in regard to the products … and the protocols they were using,” Brooks said. “Then they were struck with [the NotPetya malware], and they could see that their risk posture [had] changed, and now they realized they weren’t in a [low-likelihood, low-consequence] scenario — they were in a high-high scenario. This is how risk can change when reality strikes.”

Software Verification a Key Weakness

Brooks’ presentation focused on verification of software origins, a weakness of many companies’ malware defense strategies that is often exploited in cyberattacks. A recent report by the Atlantic Council, which evaluated 115 software supply chain attacks and vulnerability disclosures over the past 10 years, found that 27 of these attacks involved state actors such as Russia, China, North Korea and Iran, as well as India, Egypt, the U.S. and Vietnam. Common elements of such attacks include:

• abusing trust in code signing by falsifying the certificates that endorse the integrity of code;
• hijacking the software update process to insert malicious code into users’ devices;
• poisoning open-source code by either surreptitiously modifying commonly used code or posting their own packages with similar names; and
• targeting mobile application distribution networks, such as Google Play and Apple’s App Store.

While code verification is part of reliability standard CIP-010-3, Brooks noted that the standard’s requirement that utilities “verify the identity of the software source [and] the integrity of the software obtained from the software source” may leave entities vulnerable to the attack vectors cited in the Atlantic Council’s report. Likening the level of trust involved to “[taking] a free drink from a stranger in a bar,” he urged utilities to look beyond compliance with NERC’s standards and create their own processes for evaluating software products and vendors.

“This is not a one-and-done case; you need to be constantly monitoring for risk,” Brooks said. “You want to implement integrity and authenticity controls following the guidelines of CIP-010-3 but also to augment that with best practices from the [National Institute of Standards and Technology’s] Cyber Security Framework. … Standards do not necessarily require entities to employ best practices.”

Small and Large Entities Vulnerable

While attacks against power systems often involve encrypting the target’s data and threatening to delete them unless a large ransom is paid, Brooks warned attendees not to assume that only larger entities are likely to be targeted in a cyberattack, as the aim of state actors is usually to disrupt a rival’s power grid rather than financial gain. In this light, a smaller utility with fewer resources for prevention may actually be a more tempting target for hackers than a larger entity.

To support this claim, Brooks pointed to a Notice of Inquiry (NOI) issued by FERC in June requesting information on potential gaps in the CIP standards. (See FERC Starts Inquiry on CIP Standards.) The final question in the NOI asks utilities whether “smaller, geographically distributed generation resources” could be used in a coordinated cyberattack across a geographically distributed region.

“[With] these resources, it really doesn’t matter where they’re deployed; whether it’s in a rural co-op or in a bulk electric system, they all run some form of software for command and control,” Brooks said. “So, they are indeed part of the attack vector of the hacker community, and they do try to get into these devices, and then try to work radially to other areas where they could potentially cause harm. You don’t have to be a big guy or a little guy to be a victim.”