From transportation to telecommunications, health care and banking, the digitization of our
infrastructure has made our daily lives more
convenient, but it's also opened us up to
the threat of cyberattacks. Yahoo's hack of over
500 million accounts will make it the biggest
data breach ever. Equifax, which, as you know,
is a very large supplier of credit information,
has announced a cybersecurity incident that
they say potentially impacts about 143
million U.S. consumers. Marriott is announcing that
up to 500 million guests with
reservations at Starwood Properties could have had
their data compromised. But it's not just
companies under attack. Increasingly, power plants
and other critical infrastructures are also
becoming a target. Critical infrastructure is
really anything that makes up the
backbone of society. Everything from transportation
and airlines to banks. Cyberwarfare is the
new weapon of choice. You can run a cyberattack
remotely, shut down the critical infrastructure of
other countries, create massive destruction
of refineries and chemical plants without ever
shooting a gun. Electricity is so prevalent in
our lives that we often don't even think about
it until it fails to work. All electricity starts
at a generator, which can be powered by
wind, water, coal or even nuclear fission. After it
is generated, the electricity travels from the
power plant to transmission substations, which convert
it to a very high voltage so that
it can travel long distances. From there,
the electricity travels along power lines to
another transformer, which again converts the power, this
time to a lower voltage, before it goes
into our homes and businesses. Often people think
of the power grid as "the grid." It's really not. It's a quilt
made up of 3,000 or so power companies that
are owned by investor-owned utilities. But most of them
are rural electric associations, or maybe a few
owned by the government. But generally it's
a mixture. This ownership disparity
also means that utilities are
regulated differently. The focus of the regulation
is to prevent the bulk electric system from
suffering a widespread outage. So it may
not affect the smaller companies that are serving
smaller cities or rural areas. On one
hand, smaller power companies in the United States may not
be as juicy a target because they have
a small number of customers, say 25,000. But on the other hand,
they may be more susceptible to cyberattacks
because they don't have as big a security team
or as big a security budget to focus on
protecting their critical systems. That's where
Sistrunk comes in. As a consultant for the
cybersecurity firm FireEye, part of Sistrunk's job
involves teaching a digital forensics class for
people who want to learn how to defend
the control systems running our power plants. And to
learn how to defend against an attack, you first
have to learn to hack. This is a
small PLC, a programmable logic controller. This particular device
is made by Phoenix Contact and it's basically
easy for an attacker to get into. There are a lot of
vulnerabilities in it. Sistrunk demonstrated how a
hacker may alter the functions of "stop" and "go"
buttons that in a power facility may control
something like a motor or a pump. This is a
web page of this PLC and it's been hacked. You can
see whenever I try to click on the red stop
button, the green start button comes on. So an attacker can go
download the software and change things if
they wanted to. And that's what we
do in the class. In a conventional warfare
attack, the first thing that is hit is
the infrastructure, the refineries, the electrical
systems, the chemical plants, those things that
fuel the war machine. You can simply do the
same thing remotely with cyberweapons. It seems
like attackers have crossed the Rubicon or
they've crossed the red line in the sand. You know, that they
are going after control systems, whereas once
no one cared. Today, there are more than
9,700 power plants in the US. Many of them
were built decades ago when operating a plant required a
lot of manual labor and cybersecurity was
not a consideration. But that's changing. Starting in
the mid '80s and early 2000s, the
industry started connecting these control systems
through the enterprise networks to the internet,
for the benefit of remote access, information
sharing, etc. Fantastic for productivity
improvement and business enhancements, but that
exposed us to cybersecurity threats. The heart of a power plant
is what is known as a SCADA system. SCADA
stands for supervisory control and
data acquisition. These systems are made up
of a combination of software and hardware that
allow operators to monitor and control plant
processes in one central location. Besides
power generation plants, SCADA systems are
ubiquitous in the manufacturing, telecommunications
and transportation sectors,
among others. Today, a typical SCADA system
is made up of thousands of components and
runs on several different kinds of
operating systems. This wide
spread of operating systems creates a very
complex surface that security experts have to understand
before they can defend against the many different
types of exploits used against those specific
operating systems. Since 2010, the number
of attacks has increased exponentially. The reason for it
is that it's a lucrative business for ransom
attackers as well as for nation states. A 2015 risk report put
out by the University of Cambridge and Lloyd's, a
large insurance company, posed a hypothetical scenario
in which a cyberattack plunged
15 U.S. states into darkness, leaving
93 million people without power. The report
estimated that the loss to the U.S. economy
would range between $243 billion and $1 trillion. There is a belief that
every system could be compromised, especially these
control systems, since they were not
originally designed for cybersecurity, unlike computers that
we use at home and at work that
are regularly patched and protected from
cyberattacks. As reported in this "60
Minutes" episode on CNBC from December 2014, the
first cyberweapon to cause physical damage was used
in Iran in 2010. We begin with the story
of Stuxnet, a computer virus considered to be
the world's first destructive cyberweapon. It was launched several
years ago against an Iranian nuclear facility,
almost certainly with some U.S. involvement. Stuxnet infected SCADA systems
that were running Windows and Siemens software
within the nuclear facility. It was used
to spin centrifuges too fast until they
basically destroyed themselves. This was the first time a
virus of this type was used to physically destroy
something within a power facility. In December
2015, hackers cut power to around 225,000
people in Ukraine. The incident became the
first successful hack on utilities. It was believed
to have been done through a tactic
called spearphishing, where hackers sent emails with
malicious attachments to I.T. staff and system
administrators that helped to steal the
recipients' credentials. Almost exactly a year
later, hackers again shut off power to a large
part of the Ukrainian capital. Some have blamed
the attacks on Russia. While the attacks were short
lived, it showed the world that Russia had the
will and the ability to conduct cyberwarfare in
this way. Another attack shook the
cybersecurity world in 2017, this time in
the Middle East. In the past year, researchers
have spotted a new family of industrial
control malware. It's called Triton. Triton
was a really alarming piece of malware. It
affected facilities in the Middle East. And what was
most alarming about it was that it disabled
what essentially was the kill switch for
a catastrophic disaster. The metaphor I use here
is relying on the police to come help you out
when your house is broken into. But the police officer is
asleep in his police car. That is a metaphor for
that safety system being bypassed. Though there's not
been a cyberattack in the U.S. that has shut
off power to the grid, hackers have still gone
after utility companies. In 2016, an electric
power and water utility company paid $25,000 in
bitcoin ransom after hackers locked the utility
out of its computer systems. In 2018, the
Department of Homeland Security and the FBI
issued a joint alert, warning that Russian
cyberactors had been targeting U.S. government
entities and critical infrastructure sectors
since 2016. And in 2017, the Department
of Energy disclosed a hack at an electric utility
in the western U.S. Though the hack did not
cause outages, it did show that our power
grid was vulnerable. Most countries that the
United States has an adversarial relationship with
don't actually want to go to war
with the United States. It makes more sense
for them to conduct reconnaissance missions against
our electrical grid. For that reason,
it's more realistic that the types of attacks we see
are in the name of gathering information or opening
back doors, than some sort of catastrophic
attack or an attack similar to the one that
we saw in Ukraine. Protecting our energy grid
is essential to our national security. But there
are a few reasons why it is
difficult to do. For one, it's hard to
even gauge how many cyber attacks there are. The reason
we don't have good numbers around how many
cyber attacks there are against utilities is that
most of these companies simply don't report them. There's not much of an
incentive for utilities or the companies that provide
them with equipment to tell the public about
every cyberattack they've had. They would risk
panicking the public and they might also even
open themselves up to further attacks if attackers
know what's working against them.
That's changing. In early 2019, the
Federal Energy Regulatory Commission updated cybersecurity
standards for electric grids. The new standards require
electric companies to report any incidents that
either compromise or attempt to compromise
electronic security perimeters, electronic access
control or monitoring systems and
physical security perimeters associated with
cyber systems. The new reliability
standard also encompasses disruptions or attempts to
disrupt the operation of a bulk electric
system or cyber system. Like with Stuxnet, hackers
may try to subvert security measures by
targeting suppliers as opposed to going after
the big utility companies. Companies are becoming
very careful about checking the software that
comes from their suppliers. In fact, they
have a test environment whereby the updates for the
software is tested to make sure that the
software they're getting from their automation vendor is
not infested with malware. Another best practice
is what is known as pen or
penetration testing. Pen testing is a
process through which you intentionally attack your
own system, whether with your own people or
by bringing in people from the outside to see how
well your defenses hold up. But finding someone to perform
this test is often difficult. There is a
shortage of over 1.5 to 2 million cybersecurity
experts in our industry, and that is
something that's going to harm us if we don't
address it more proactively. Despite these obstacles,
experts stress that there are steps we can
take to mitigate the risk of cyberthreats. Knowing what
you have is the very first thing you must
do, and that's become more and more accepted as
the first thing you do, which is gain a
complete inventory of your control systems. The second thing that you
do is understand your vulnerabilities and
address them. Those are the holes
in your system. And the best way to do
that is do some PEN testing or
vulnerability assessment. And the third thing
that we advocate is understanding the configuration
of these systems, the brains, the genealogy of
the data in your environment and
controlling that. So when they are
changed, you know. And the last thing
that we advocate, very strongly, is assume
you've been attacked. What are you doing
for recovery purposes? Do you have the
latest version of that configuration of your system
to bring the system back up in the
unfortunate occurrence of losing the system? Adopting new
technology is part of competitive advantage. You have to
continue to automate. You have to continue to
take on new technologies to make your
business competitive. Otherwise you get
left behind. While the threat of
cyberattacks against the grid is real, and
we have to be proactive about it, and we have
to prepare for it, it's also important not to
panic and not to sensationalize. We
experience reconnaissance missions and attacks
against electrical companies every day. The majority
of them are not successful.