The US is very close to improving power grid security by mandating the use of “retro” (analog, manual) technologies on US power grids as a defensive measure against foreign cyber-attacks that could bring down power distribution.
The idea is to use “retro” technology to isolate the grid’s most important control systems, to limit the reach of a catastrophic outage.
“Specifically, it will examine ways to replace automated systems with low-tech redundancies, like manual procedures controlled by human operators,” said US Senators Angus King (I-Maine) and Jim Risch (R-Idaho), who introduced the bill on the Senate floor in 2016.
“This approach seeks to thwart even the most sophisticated cyber-adversaries who, if they are intent on accessing the grid, would have to actually physically touch the equipment, thereby making cyber-attacks much more difficult,” they said in a press release last week, after the bill, named the Securing Energy Infrastructure Act (SEIA), passed the Senate floor.
The bill now needs approval from the US House of Representatives, where SEIA had been introduced as part of the National Defense Authorization Act for Fiscal Year 2020.
If approved, the SEIA bill would establish a two-year pilot program with the National Laboratories to study power grid operators, identify new vulnerabilities, and develop new analog devices that could be used to isolate the most critical systems of covered entities from cyber-attacks. It would also establish a working group to test the newly developed analog devices.
SEIA bill inspired by 2015 attack on Ukraine’s power grid
Senators King and Risch said SEIA was inspired and set in motion by the 2015 cyber-attack on Ukraine’s power grid, in which suspected Russian hackers crashed a portion of the country’s power grid, leaving more than 225,000 Ukrainians without power on Christmas Eve.
The attack only impacted the power grid in Ukraine’s western region, near the capital, Kyiv.
“The attack could have been worse if not for the fact that Ukraine relies on manual technology to operate its grid,” Senators King and Risch said.
Through SEIA, they are now trying to limit the damage of any cyber-attack on the US power grid, in a way similar to how the attack was contained in Ukraine.
Increased cyber-activity targeting the US energy sector
The bill’s approval comes after US cyber-security firm Symantec reported in 2017 that a Russian-linked hacker group known to go after power grid operators had expanded its targeting to include the US.
Earlier this year, US intelligence officials warned that both China and Russia have the technical capabilities to disrupt the US’s power networks.
Last month, the Trump administration admitted to stepping up its cyber operations targeting Russia’s power grid, as a countermove to Russia’s increased focus on the US energy sector.
All of these signs point to an increasing focus from both western and eastern cyber threat actors on power grids, and rising tension in the respective governments.
“There are definitely concerns in the western electric sector with multiple, concerning adversaries at least working to satisfy the prerequisites necessary to engage in future disruptive events,” Joe Slowik, Principal Adversary Hunter at Dragos, Inc., a cyber-security firm specializing in industrial control systems, told ZDNet today in an interview.
“However, short of conflict, a CrashOverride event [Ukraine power grid attack] in the US seems highly unlikely,” Slowik added.
Prevention and investment
Both Slowik and fellow Dragos employees have been ardent in recent years about not overhyping in the media the dangers posed to the US energy sector, and about pushing government officials towards helping organizations shore up defenses.
They’ve been the voice of reason in a rising chorus of security alerts about vulnerabilities and impending attacks. They’ve constantly argued for ongoing analysis of current threats, and for focusing on setting up basic defenses first and foremost, instead of reacting against the latest doom-and-gloom ICS malware threat reported in the press.
In a 2018 Senate hearing, Dragos Inc. CEO and Founder Robert M. Lee argued that US officials should refrain from passing new regulation targeting the industrial sector so that organizations could catch up to current standards and regulations.
Using SEIA to isolate and segment portions of the US power grid in the case of an attack is a good start, but Slowik, just like Lee, argues for a different approach.
“Regulation is good to force people to do things but is often backward looking and not nuanced enough to capture real problems,” Slowik said. “In the case of US electric, I think – based on my own experience – companies are already taking threats seriously and are working to improve.
“A better approach, in my opinion, would be providing support and resources to smaller municipalities and co-op utilities that can’t afford to invest in security,” the Dragos researcher said.
Nonetheless, SEIA is still a good step forward, one that has been positively received by some industry insiders, although some criticism about demonizing “digital” solutions has also been raised at the same time.