My favorite joke when I was 5 years old was, “Where will you be when the lights go out?” The answer, of course, is “in the dark,” though I used to make my very patient sister guess a bunch of other places first, which I used to think was absolutely hilarious.
We are fortunate that in this country having the lights unexpectedly go out is actually a pretty big deal, and quite rare. You don’t have to wonder whether the light will come on when you throw the switch, or if your computer will have enough power to boot up. The sodas in the fridge are always cold and our showers are always warm. It always just happens, so we more or less take it for granted.
That comfortable reliance on modern, powered conveniences is one of the things terrorists really hate about us. So, it was no surprise CNN reported this week that ISIL is trying to attack the utilities grid. The interesting thing is, the spin that federal officials were putting on the story is that the attacks have been largely unsuccessful, and that the terrorists have little capability to enact a major attack against a utility. But that is kind of a misconception based on the two different types of networks found at most utilities.
Every utility, like every modern company of any shape or size, has an IT network. The IT network consists of everything from desktop computers to email servers to storage devices and even things like printers and webcams. It’s what most people think of when they think of a computer network.
For utilities, their IT networks are just as vulnerable as anyone else. In fact, some of the utility clients I have recently worked with were seeing Advanced Persistent Threats attack their networks as far back as 2010. So, it’s safe to say there have already been successful cyberattacks against utilities.
So, why haven’t the lights gone out?
Because compromising an email server or stealing personnel and customer records, while bad, won’t let an attacker stop the flow of water at a dam or overload a substation. For that to happen, they would need to tap into the second type of network in place at most utilities, the one made up of operational technology.
Operational Technology, which is mostly called OT, consists of everything from industrial control systems to mechanical computers and even electric valves and switches. Many of our nation’s power plants were built decades ago, with some hydroelectric dams going back to the 1920s. Those plants have been haphazardly upgraded over the years, and today contain a mix of modern technology working alongside some of the original equipment much more manual than automated.
There is also an enormous number of proprietary OT devices used that contain unique operating and management software, sometimes which is only specific to a single device. It really is a bit of a mess from an OT network management perspective, though that chaos has ironically kept utilities safe from cyberattacks.
An attacker would need special training with specific devices to be able to attack the OT infrastructure. Even then, compromising one device would never be enough to endanger a large portion of the utility grid. They might be able to turn the power off for a neighborhood or something small, but even that is doubtful.
But the protection offered by our hodgepodge OT network won’t last forever. A lot of OT isn’t yet networked, though utilities are doing everything they can these days to make OT more like IT. That way, they don’t have to send someone out in a truck to a remote substation every time they need to flip a switch.
The latest version of the regulations that govern most of the utilities industry, the North American Electric Reliability Corporation’s Critical Infrastructure Protection standards, also calls for more monitoring of both IT and OT networks at utilities. As OT becomes more like IT, the same threats that endanger IT will come to the OT network too.
To help with this transition, a NIST panel called the The National Cybersecurity Center of Excellence has released a draft guide of Special Publication 1800-2, which gives helpful suggestions about how utilities can network IT with OT using off-the-shelf, end-to-end identity management solutions. That way, effective access control capabilities can be built into this process as it moves along. Unlike NERC CIP, NCCoE isn’t mandatory, but it’s good to see the government taking the threat of cyberattacks against infrastructure and utilities seriously.
Even if the bad guys don’t yet have the capability to do any real harm to utilities, it’s only a matter of time. If we want to make sure having the lights going out is still exclusively part of a marginally funny kid’s joke, we need to continue to take the threat seriously, and build up our defenses even as we network and expand our aging OT infrastructure.
John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology and government. He is currently the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys