In 2010, a cyberattack was launched against the Iranian nuclear program. Stuxnet—a malicious computer worm that is part of a family of worms often referred to as malware—invaded the nuclear power plant through its control system, allowing adversarial control and operation of its industrial facilities. In this case, the worm attacked four different vulnerabilities within the program’s network of control systems and essentially took over. Stuxnet was designed to destroy itself two years after it was introduced.
The Stuxnet incident is emblematic of the cyber risk looming over many industrial facilities. That risk has the potential not only to cause damage, but to cripple major infrastructure that an industrial base relies on. For electrical contractors, it should raise concern. Much of ECs’ work in and around electrical infrastructure and industrial facilities is fertile ground for cyberattacks. Enterprises continue to struggle to find security protections to prevent such attacks. Some have taken mitigating action. Many have not.
The industrial target
According to Joseph Campbell of Navigant Consulting’s Global Investigations and Compliance practice, a 25-year veteran of the FBI, the industrial cyber threat is very real.
“Public works facilities and infrastructure continue to be targets from external and internal threats,” Campbell said. “Their information technology [IT], often involving use of supervisory control data acquisition systems and industrial control systems [ICS]—which might have been mechanical processes at one time, but are now more frequently controlled through information technology—are on the radar of actors engaged in online penetration and disruption, the results of which can potentially cause damage to the facility and possibly the surrounding environment.”
In the case of Stuxnet, the malware gave directions to the Natanz Plant’s programmable logic controllers (PLCs) that caused damage to the uranium-enriching centrifuges.
“The PLCs are small computers that control the ICS and compromise to those systems can potentially lead to significant damage of equipment and functions at an industrial entity,” he said. “It is believed the malware was injected into the Natanz system by someone plugging a USB stick into a computer. This is one means of infecting a system with malware, but IT systems can be infected and disrupted remotely also through actions such as spear phishing and distributed denial of service attacks or simply obtaining a user’s password or other access credentials.”
Attempts to penetrate ICS can be motivated by nation-state objectives, a way of getting through to nations or countries with ulterior objectives. The motive may be political, or it may be a desire to simply penetrate a system and cause damage just because the attacker can.
“When I was assigned to the Weapons of Mass Destruction Directorate at the FBI, we were very focused on the threat of both human and cyber adversarial penetration of these facilities, many of which house sensitive data and hazardous materials, such as at chemical and nuclear power plants, and with those facilities conducting specialized work for the U.S. government, or providing essential public services such as water treatment,” Campbell said. “We worked with interagency partners and facility personnel to develop and rehearse plans to prevent such an attack, and also developed and rehearsed plans to respond if there was some sort of breach. Cyber penetration, whether from an external or internal source, accidental or intentional, is a threat public works facilities and infrastructure must continue to guard against around the clock, as they work with each other and governmental authorities to share threat information and coordinate on response capabilities.”
Securing the grid perimeter
“IoT [internet of things] devices are playing a major role in the security of all types of systems, including the power grid,” said Andrew Howard, chief technology officer with Kudelski Security in Atlanta. “IoT tends to take systems that were never designed to be internet-connected and connect them. Building secure systems is difficult and IoT has dramatically increased the connectivity of systems never designed to be connected.”
Cyberattacks on electrical infrastructure are expected in the future. However, we will likely have more safeguards in place as the awareness of this threat grows. For ECs, any electrical work, particularly work that relies heavily on an electrical grid as infrastructure, should account for the possible risk that industrial cyberattacks of this kind present.
“I think you can expect to see small-scale outages related to computer systems being either attacked or simply failing,” Howard said. “The grid is large and complicated, securing all of it, all of the time, is difficult. The good news is that the awareness about this issue is growing. There is industry and government momentum on protecting these vital assets.”