Dark Times Ahead as Cybercriminals Target Power Grids

On 23 December 2015, a new era of cyber warfare was born. At the Prykarpattyaoblenergo power plant in Western Ukraine, a worker noticed his computer cursor quietly flitting across the screen of its own accord.

For the next several minutes, the cursor systematically clicked open one circuit breaker after another, leaving more than 230,000 Ukrainians without power. The worker could only watch as the cursor then logged him out of the control panel, changed his password, and shut down the backup generator at the plant itself.

As the first documented outage precipitated by a cyberattack, the incident provoked speculation from the global intelligence community that nation-state actors had been involved, particularly given the sophisticated tactics in question. Indeed, blackouts that plunge entire cities – or even entire countries – into darkness are a devastating tactic in the geopolitical chess game.

Unlike direct acts of war, online onslaughts are difficult to trace, shielding those responsible from the international backlash that accompanies military aggression. And with rival economies racing to invent the next transformative application of electricity, it stands to reason that adversaries would attempt to win that race by literally turning off the other’s lights.

Since the watershed Ukraine attack, the possibility of a similar strike has been a top-of-mind concern for governments around the globe.

In March 2018, both American and European utilities were hit by a large-scale attack that could have “shut power plants off at will” if so desired, but which seemed intended instead for surveillance and intimidation purposes. While such attacks may originate in cyberspace, any escalation beyond mere warning shots would have dramatic consequences in the real world.

Power distribution grids are sprawling, complex environments, controlled by digital systems and composed of a vast array of substations, relays, control rooms, and smart meters. Between legacy equipment running decades-old software and new Industrial Internet of Things (IIoT) devices designed without rudimentary security controls, these bespoke networks are ripe with zero-day vulnerabilities.

Moreover, because conventional cyber defences are designed only to spot known threats facing traditional IT, they are blind to novel attacks that target such unique machines.

Among all of these machines, smart meters – which communicate electricity consumption back to the supplier – are notoriously easy to hack. And although most grids are designed to avoid this possibility, the rapid adoption of such smart meters presents a possible gateway for threat-actors seeking to access a power grid’s control system.

In fact, disabling individual smart meters could be sufficient to sabotage the entire grid, even without hijacking that control system itself. Just a 1% change in electricity demand could prompt a grid to shut down in order to avoid damage, meaning that it might not take many compromised meters to reach the breaking point.

More alarming still, a large and sudden enough change in electricity demand could create a surge that inflicts serious physical damage and produces enduring blackouts. Smart energy expert Nick Hunn asserts that, in this case, “the task of repairing the grid and restoring reliable, universal supply can take years”.

The US and UK security services have both warned that Russia’s interference into critical infrastructure and major businesses is not something they can sit by and tolerate. Both are stepping up offensive strategies – the New York Times reported recently that the US government has implanted malicious code – for surveillance or attacks – into Russia’s power grid. But what about defence?

Catching suspicious activity on an energy grid requires a nuanced and evolving understanding of how the grid typically functions; it requires a radically different approach to cyber defence. Only this understanding of normalcy for each particular environment – comprised of millions of ever-changing online connections – can reveal the subtle anomalies that accompany all cyberattacks, whether or not they’ve been seen before.

The first step is visibility: knowing what’s happening across these highly distributed networks in real time. The most effective way to do this is to monitor the network traffic generated by the control systems, as OT machines themselves rarely support security agent software.

Fortunately, in most power grid architectures, these machines communicate with a central SCADA server, which can therefore provide visibility over much of the grid. However, traffic from the control system is not sufficient to see the total picture, since remote substations can be directly compromised by physical access or serve as termination points for a web of smart meters.

To achieve total oversight, dedicated monitoring probes can be deployed into key remote locations.

Once you get down to this level – monitoring the bespoke and often antiquated systems inside substations – you have firmly left the world of commodity IT behind. Rather than dealing with standard Windows systems and protocols, you are now facing a jungle of custom systems and proprietary protocols, an environment that off-the-shelf security solutions are not designed to handle.

The only way to make sense of these environments is to avoid predefining what they look like, instead using artificial intelligence (AI) that self-learns to differentiate between normal and abnormal behaviour for each power grid while ‘on the job’.

Vendor- and protocol-agnostic, such self-learning tools are singularly capable of detecting threats against both outdated machines and new IIoT devices. And with power plants and energy grids fast becoming the next theatre of cyber warfare, the switch to AI security cannot come soon enough.