Protecting Our Energy Infrastructure from Cyber Security Exploitation

Ronnie Dove
Sep 13, 2020

Energy delivery systems form the backbone of America’s infrastructure. Today’s electric power grid and oil and natural gas distribution networks are tightly monitored and controlled using energy control systems to ensure reliable and continuous availability of electricity and fuels that nearly every aspect of American commerce and industry depends upon. This dependence has grown as businesses, homes, and communities increasingly integrate digital technologies and automated systems into virtually all facets of modern life.

The energy sector has become a prime target for cyber attacks in recent years. Although reliable data is hard to come by, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reports that the energy sector experienced more cyber incidents than any other sector from 2013 to 2015, accounting for 35% of the 796 incidents reported by critical infrastructure sectors. However, most cyber incidents are never reported publicly.

Despite the sector’s ever-improving defenses, the variety of threat actors and methods of attack is expanding, while the impact of incidents has evolved from exploitation to disruption to destruction. A 2015 survey of 150 IT professionals in the energy sector, conducted by Tripwire, showed that more than 75% of energy companies reported an increase in successful cyber attacks in the previous 12 months, with many reporting increases of 50% or more. Yet as few as 20% of respondents reported they were confident that their organization could detect all cyber attacks, implying that many incidents go undetected. In a 2016 survey of 200 energy security professionals, Tripwire reported that more than 80% of respondents believed a cyber attack would cause physical damage to critical infrastructure in 2016.

Cyber Attacks on the Ukrainian Power Grid

On December 23, 2015, hackers attacked three different electric utilities, resulting in power loss for 225,000 customers for several hours. Attackers used spear phishing emails to gain access to the IT networks. Once inside, they stole credentials using keystroke loggers, identified hosts and devices, and hijacked the distribution management system to systematically open breakers and cause a power outage. Attackers accessed the industrial control system (ICS) network through the virtual private network (VPN) and disabled the uninterruptible power supply, disabled operational control systems, disabled computers, and prevented infected computers from rebooting.

Smart Meters and Sensor Deployment

Energy companies increasingly integrate their physical and cyber systems and install digital devices, such as smart meters and smart sensors, throughout their infrastructure. This extensive network of new digital devices provides stronger security capabilities, but it is also more accessible and exposes energy delivery systems to potential harm from accidental and malevolent cyber events. Unlike attacks on business IT systems, cyber attacks on energy control systems have the potential to disrupt power or fuel supplies, damage highly specialized equipment, and threaten human health and safety.

Defending against cyber risks grows more expensive each year. A 2015 study by the Ponemon Institute estimates the annualized cost of cyber crime for an average energy company to be more than $27 million. Estimates of control system security costs for the electric transmission and distribution equipment market range from roughly $150 million to as much as $800 million. The cost of preventing and responding to cyber incidents in the energy sector is straining the ability of companies to adequately protect their critical cyber systems.

Ronnie Dove is a technology visionary who has worked on many high-visibility Department of Defense Intelligence Community and Commercial projects.