Electricity is taken for granted. Lights illuminate when we flip a switch. Turn up the thermostat and the house warms up. In the recent past a power failure could mean family time gathered around candles and a fun board game. Today, power failures are much more than a nuisance. No lights. No heat. No air conditioning. No business.
Power failures have long been the result of hardware failure: blown transformers or opened circuit breakers, often victims of storms. These failures still occur, and they are now joined by new problems created by the power system's growing reliance on network-connected devices. These devices can be hacked, sometimes with the remote control taking place right in front of an operator. In one case, multiple circuit breakers were opened and entire substations were taken offline during a cold winter day.
This post will focus on the problem, potential attack methods, and some solutions to secure critical and noncritical infrastructure.
Power and control systems present tempting targets for hackers. Motives include curiosity, money, political statements (hacktivism) and terrorism. The tools and education necessary to perform an attack are only an Internet search away. The truth is that power and control systems remain vulnerable. These vulnerabilities are typically exploited via one of three attack vectors: people, technology and operations.
People are often the most vulnerable of the three attack vectors because of social engineering. Social engineering is psychological manipulation: it tricks people into revealing critical information or performing tasks they would never knowingly agree to. It is a technique favored by some of the most famous hackers and is commonly used as the entry point for an attack.
The technology vector includes any device or medium that is used to carry out an attack. This includes wireless or wired networks, computers (either a target computer or an attacker’s computer), USB flash drives and networking devices (such as firewalls and routers). A carefully crafted attack reportedly delivered via USB flash drive crippled a complex industrial control system. A popular example of this idea is to drop a USB flash drive in a parking lot where it will likely be picked up by a curious employee of the target company. The curious employee then plugs the USB flash drive into their company computer (to see what it contains) and the payload is delivered to their machine and other machines on the network. An analogous, pre-cyber example was used in WWII to successfully plant disinformation about war plans.
The final attack vector is operations. This vector covers the policies an organization has in place and how strictly (or leniently) they are enforced. Password management is an example. Policies are written to prevent users from choosing simple passwords (such as “123456”, “password” or any other entry from the published lists of worst passwords). Attackers will quickly find out whether these policies are actually enforced or are treated as mere suggestions.
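Enforcing a password policy in code rather than on paper is the difference the paragraph above describes. The following is an added example (not code from the original post or from its author) of a policy check that rejects passwords that are too short or that are simple variants of a deny-listed "worst password". The deny list here is a small constructed sample; a real deployment would load a much larger published list, and the minimum length is an assumed policy value.

```python
"""Password policy check: minimum length plus a deny list of commonly
used passwords, including their obvious disguised variants."""
import re

# Constructed sample of widely published "worst passwords" (assumption:
# a real policy would load thousands of entries from a breach corpus).
DENY_LIST = {
    "123456", "password", "qwerty", "letmein", "admin",
    "welcome", "iloveyou", "12345678", "football", "monkey",
}

MIN_LENGTH = 12  # assumed policy value

# Common character substitutions people use to dodge naive deny lists.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a",
    "5": "s", "7": "t", "@": "a", "$": "s", "!": "i",
})


def candidate_forms(pw):
    """Return the set of normalized spellings a deny list should be checked
    against: lowercase, with trailing digits/punctuation removed
    ('password123!' -> 'password'), and with leet substitutions undone
    ('P@ssw0rd' -> 'password')."""
    low = pw.lower()
    forms = {low, low.translate(LEET_MAP)}
    # Strip a trailing run of digits and punctuation, the usual way users
    # pad a banned word to satisfy a complexity rule.
    stripped = re.sub(r"[\d\W_]+$", "", low)
    if stripped:
        forms.add(stripped)
        forms.add(stripped.translate(LEET_MAP))
    return forms


def check_password(pw):
    """Return (accepted, reason) for a proposed password."""
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if candidate_forms(pw) & DENY_LIST:
        return False, "matches or is a variant of a commonly used password"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample inputs to show what the check rejects and why.
    for sample in ["P@ssw0rd123!", "Letmein!!!2019", "Welcome2024",
                   "correct horse battery staple"]:
        ok, reason = check_password(sample)
        print(f"{sample!r}: {'OK' if ok else 'REJECTED'} ({reason})")
```

The point of `candidate_forms` is that a deny list checked only against the literal string is easy to satisfy with `Password1!`; normalizing before the lookup is what turns a written policy into an enforced one.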
At this point, you may be convinced that we’re all doomed. Fear not, though. There are solutions to address most of these issues. Look for some of these solutions in my second post in this series. In the meantime, find out more by reading our white paper “Securing Power Monitoring and Control Systems.”
7 years ago
Great post. However, I believe that a truly safe system will always be only an off-grid system. 🙂
7 years ago
I agree. Keeping your ICS network entirely isolated from external networks absolutely raises the barrier and reduces your attack surface. It is just important to remember that you should architect and deploy off-the-grid solutions as if they are connected. Months or years down the road these isolated networks may get exposed due to changing requirements (we need to show the public our energy dashboard!) or in some cases by accident (many ICS network racks are in the same closet as their corporate counterparts). Additionally, most targeted attacks involve a form of social engineering, a very good method for an attacker to get into isolated networks. The Stuxnet attack was allegedly carried out at the Iranian nuclear plant via thumb drive... and that was an isolated network.