Electric utilities in the United States apparently got off easy in the SolarWinds supply-chain attack, according to the organization charged with protecting North American power supplies. That was possibly due more to luck than foresight. A new plan to create stronger ties between federal security agencies and electric utilities aims to identify and address vulnerabilities that could leave companies open to more significant intrusions in the future. The May ransomware attack on Colonial Pipeline, which halted fuel shipments from Texas to New York, illustrated how severe the consequences could be.
In an April 13 media briefing, officials with the North American Electric Reliability Corp. (NERC), Atlanta, stated that approximately one-quarter of U.S. power utilities were exposed to the SolarWinds compromise discovered in late 2020. SolarWinds makes network-monitoring and IT-management software; the product at the center of the attack was its Orion platform, which runs on customers' own networks and is widely used to manage corporate IT systems. Foreign actors, believed to be directed by Russia's foreign intelligence service, inserted a backdoor into an otherwise routine Orion software update, giving them a foothold in the networks of hundreds of the company's clients between March and June 2020.
Investigators still don't know the attack's purpose. It might have been an exercise to prove what was possible. The hackers could also have left behind as-yet-undiscovered backdoors in the affected networks for future intrusions. This means those distribution utilities whose IT systems were breached could face future attacks on their control systems.
According to Manny Cancel, NERC senior vice president and CEO of the Electricity Information Sharing and Analysis Center (E-ISAC), an overwhelming majority of utilities “did not experience any of the indicators of compromise, meaning the command-and-control activity.” In other words, even where the tainted update had been installed, the backdoor was not seen calling out to the attackers' infrastructure, and those utilities did not see a crossover from corporate IT into the industrial control systems used to run distribution operations.
“From that respect, we did not see what some of the other sectors were seeing with the compromise,” Cancel said.
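The distinction Cancel draws, between a utility that merely installed the affected software and one that saw the command-and-control indicator, is the kind of triage a defender actually runs against DNS logs. The following is an added example, not code from the article or from NERC. It assumes one fact from public reporting that the page does not state, namely that the SUNBURST backdoor beaconed to subdomains of avsvmcloud.com; every host address, network zone, inventory entry and log line is constructed for the example.

```python
"""Triage SolarWinds exposure versus actual command-and-control (C2) activity.

Added example, not from the page. Assumed fact from public reporting (not on
the page): the SUNBURST backdoor resolved subdomains of avsvmcloud.com.
All hosts, subnets, inventory entries and log lines below are constructed.
"""
import ipaddress
import re

# Publicly reported SUNBURST C2 domain (assumption; not stated on the page).
SUNBURST_C2_DOMAIN = "avsvmcloud.com"

# Constructed network zones: corporate IT versus operational technology (OT).
ZONES = {
    "IT": ipaddress.ip_network("10.20.0.0/16"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed asset inventory: hosts on which the affected Orion build is installed.
ORION_HOSTS = {"10.20.5.14", "10.20.7.9", "10.30.1.2"}

# Constructed DNS resolver log, one query per line: "<timestamp> <client> <qname>".
SAMPLE_DNS_LOG = """\
2020-06-11T03:12:40Z 10.20.5.14 orion-srv.corp.example
2020-06-11T03:12:41Z 10.20.5.14 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com
2020-06-11T03:12:45Z 10.20.7.9 downloads.solarwinds.com
2020-06-11T03:13:02Z 10.20.5.14 gq1h856599gqh5k9jqh6.appsync-api.eu-west-1.avsvmcloud.com
2020-06-11T03:14:10Z 10.30.1.2 scada-hist.ot.example
2020-06-11T03:14:12Z 10.20.9.77 avsvmcloud.com.evil-lookalike.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def zone_of(ip):
    """Map a client address to its constructed zone name, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def is_c2_query(qname):
    """True for the C2 domain itself or a true subdomain of it.

    A plain substring test would also fire on look-alikes such as
    'avsvmcloud.com.evil-lookalike.example', so match on label boundaries.
    """
    q = qname.lower().rstrip(".")
    return q == SUNBURST_C2_DOMAIN or q.endswith("." + SUNBURST_C2_DOMAIN)


def c2_hits(log_text):
    """Return (timestamp, client, qname) tuples for queries matching the C2 indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, qname = m.groups()
        if is_c2_query(qname):
            hits.append((ts, client, qname))
    return hits


def triage(log_text, orion_hosts=ORION_HOSTS):
    """Classify each host that has the affected software installed.

    'exposed'  = software present, no C2 indicator seen (most utilities, per NERC)
    'c2-seen'  = the command-and-control indicator of compromise was observed
    """
    beaconing = {client for _, client, _ in c2_hits(log_text)}
    return {
        host: {"zone": zone_of(host), "status": "c2-seen" if host in beaconing else "exposed"}
        for host in sorted(orion_hosts)
    }


def ot_crossover(report):
    """Hosts in the OT zone that showed C2 activity: the IT-to-ICS crossover to watch for."""
    return [h for h, r in report.items() if r["zone"] == "OT" and r["status"] == "c2-seen"]


if __name__ == "__main__":
    rep = triage(SAMPLE_DNS_LOG)
    for host, r in rep.items():
        print(f"{host:12} zone={r['zone']:3} status={r['status']}")
    print("OT crossover:", ot_crossover(rep) or "none")
```

In the constructed data only one IT host beacons; the OT host has the software installed but never contacts the C2 domain, which is exactly the "exposed but no indicators of compromise" state described above. In a real sweep the inventory and log lines would come from the asset register and the resolver, and the domain list would be the full published indicator set rather than a single suffix.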
Historically, utility industrial control systems were protected from cyberattacks by design: they ran as self-contained networks with no hardware or software connections to corporate IT networks or the internet. More recently, though, utilities have sought increased access to those systems through remote means and IT networking protocols. As a March 2021 assessment from the U.S. Government Accountability Office (GAO) points out, such moves might aid utility operations, but they also expose the control systems to future cyberattacks. The threat will only grow as networked distributed energy resources such as residential solar and storage equipment, and even network-connected smart devices such as thermostats and water heaters, add more potential doorways into utility systems.
Mandatory federal cybersecurity standards (NERC's Critical Infrastructure Protection, or CIP, standards) already apply to the power generators and transmission companies that make up the nation's bulk power system. Local distribution utilities, however, are regulated at the state level, which makes establishing nationwide standards difficult. As a result, utilities can be at varying levels of preparedness and can face conflicting demands that, to company managers, may seem to pit cybersecurity against grid operations and safety. For example, the GAO report found that:
Older systems not originally intended for broader network connections might not be able to authenticate commands to ensure they come from a valid user; the legacy control protocols these devices speak typically carry no sender identity at all, so a device cannot distinguish an operator's command from one issued by any host that can reach it. They also might rely on an outdated operating system, such as Windows XP, for which Microsoft stopped issuing security patches in April 2014.
Grid operators often don't use conventional IT vulnerability scanning for fear it could affect the availability of energy systems. Even where it is used, such testing may not detect vulnerabilities specific to industrial control systems.
When vulnerabilities are identified, corrections might not happen in a timely manner because equipment must be taken offline to apply security patches.
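The first GAO finding, that legacy control systems cannot authenticate commands, is easiest to see in the bytes. The following added example (not code from the page, the GAO report, or any utility) builds a Modbus/TCP "write single coil" request as a representative legacy command; the page itself names no protocol. A simulated legacy device executes any well-formed frame from anyone, and a simulated bump-in-the-wire front end shows one retrofit that adds an HMAC tag and a monotonic counter. The key, the device model and the front-end design are constructed for the illustration; the standardized approach for Modbus is Modbus/TCP Security over TLS.

```python
"""Legacy control commands carry no authentication; one retrofit that adds it.

Added example, not from the page or the GAO report. Modbus/TCP function code
0x05 (write single coil) stands in for any unauthenticated legacy protocol.
The pre-shared key, device model and HMAC envelope are constructed.
"""
import hashlib
import hmac
import struct

FC_WRITE_SINGLE_COIL = 0x05


def build_write_coil(transaction_id, unit_id, coil_addr, on):
    """Modbus/TCP frame = MBAP header + PDU.

    Field by field there is no place for a sender identity, password or
    signature: any host that can reach TCP/502 can switch the coil.
    """
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, coil_addr, 0xFF00 if on else 0x0000)
    # MBAP: transaction id, protocol id (0 = Modbus), remaining length, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


class LegacyDevice:
    """Executes every well-formed frame. This is the failure mode GAO describes."""

    def __init__(self):
        self.coils = {}

    def handle(self, frame):
        if len(frame) < 12:
            return False
        _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
        fc, addr, val = struct.unpack(">BHH", frame[7:12])
        if proto != 0 or length != len(frame) - 6 or fc != FC_WRITE_SINGLE_COIL:
            return False
        self.coils[addr] = (val == 0xFF00)  # no check of who sent it
        return True


class AuthenticatingFrontEnd:
    """Constructed retrofit placed in front of the legacy device.

    Accepts a frame only with a valid HMAC-SHA256 tag over (counter || frame)
    under a pre-shared key, and only if the counter strictly increases, which
    rejects replays of previously captured commands.
    """

    def __init__(self, device, key):
        self.device = device
        self.key = key
        self.last_counter = 0

    @staticmethod
    def tag(key, counter, frame):
        return hmac.new(key, struct.pack(">Q", counter) + frame, hashlib.sha256).digest()

    def handle(self, counter, frame, tag):
        if counter <= self.last_counter:
            return False  # replayed or out-of-order command
        expected = self.tag(self.key, counter, frame)
        if not hmac.compare_digest(expected, tag):
            return False  # forged or tampered command
        self.last_counter = counter
        return self.device.handle(frame)


def demo():
    """Returns (legacy_accepts_anyone, valid_ok, replay_rejected, forgery_rejected)."""
    key = b"constructed-pre-shared-key"  # constructed; would come from key management
    frame = build_write_coil(transaction_id=1, unit_id=1, coil_addr=0x0010, on=True)

    legacy = LegacyDevice()
    accepted_unauthenticated = legacy.handle(frame)  # True: trips the coil for anyone

    guarded = AuthenticatingFrontEnd(LegacyDevice(), key)
    good = guarded.handle(1, frame, AuthenticatingFrontEnd.tag(key, 1, frame))
    replay = guarded.handle(1, frame, AuthenticatingFrontEnd.tag(key, 1, frame))
    forged = guarded.handle(2, frame, b"\x00" * 32)
    return accepted_unauthenticated, good, not replay, not forged


if __name__ == "__main__":
    print(build_write_coil(1, 1, 0x0010, True).hex())
    print(demo())
```

The front end does not touch the device's firmware or operating system, which is the point for a site that cannot patch or replace a controller: authentication is enforced at the network boundary in front of it. The constructed HMAC envelope is a simplification; it omits key rotation and the per-connection handshake a real deployment (or TLS) would provide.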
These are the kinds of issues the Biden administration is hoping to address in a plan announced on April 19. Though it is billed as a “100-day sprint,” full implementation will likely take years. The effort began with conversations between federal agencies and utility personnel, with officials seeking input on ways to encourage voluntary participation.
According to a U.S. Department of Energy statement, participating companies are expected to “enhance their detection, mitigation and forensic capabilities.” They will also be expected to share information on any events occurring within their networks with federal officials. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is responsible for plan coordination.
Of course, other vital infrastructure with aging networks overseen by industrial control systems, such as municipal water systems and local gas distribution, also faces threats from hackers. Privately owned operators such as Colonial Pipeline are at risk from cyber intruders as well. Federal security officials see the partnership with electric utilities as a possible first step in a broader effort to protect vital national interests.