Why America is not prepared for a Stuxnet-like cyber attack on the energy grid

A cyber attack on the energy grid could leave parts of the U.S. without power for six to 18 months, expert warns.

3 industrial iot solar power panels energy network internet
Getty Images

Opening circuit breakers is bad. Closing them again is worse.

When Russia attacked Ukraine's energy grid in December 2016, it opened the circuit breakers at the utility, causing a power outage that lasted about an hour. The attack could have been much worse, experts say. The Russians chose not to then close the breakers, which would have caused a phase shift in the AC power and fried the energy grid, requiring physical replacement of infrastructure.

The United States is vulnerable to just such an attack, experts warn. Although the distributed and segmented nature of the U.S. energy grid means that there is no single point of failure for the entire country, an attacker could still plunge the West Coast or the Northeast Corridor into darkness for months, a year or more.

"The Russians didn't want that [in Ukraine]," ICS security expert Joe Weiss tells CSO. "All they had to do was reclose the breakers. They chose not to."

This vulnerability has been known since at least the 2007 Aurora demonstration, but more than a decade later the energy grid continues to remain vulnerable.

Aurora horribilis

In 2007, Idaho National Laboratory ran the now infamous Aurora Generator Test, demonstrating how a few lines of code could destroy a generator simply by opening and closing circuit breakers. An attacker able to gain remote access to such equipment can easily exploit the laws of physics for destructive purposes.

"This is what every first-year electrical engineering student learns," Weiss says. "You never start AC equipment out of phase with the electrical grid. The grid will break it. All Aurora does is simply using remote access to open a breaker and then reclose it out of phase with the grid."

For 80 years the energy grid ran without the internet. Humans opened and closed relays. Squirrels plagued the system, as they do today. But short of a malicious insider, things worked the way they were supposed to.

Enter the internet and remote management.

It's cheaper and more efficient to use Supervisory Control and Data Acquisition (SCADA) software to remotely manage equipment thousands of miles away than it is to employ boots on the ground. The only problem: If you can remotely manage your relays, then so can anyone else who gains access to your terminal.

"You get a big utility, you have, say, 10,000 or 15,000 transformers. Well, you're not going to have 10,000 to 15,000 relay engineers," Weiss says. "You may have 50 to 100 relay engineers, and they have to support these 15,000 relays over a multi-state area over thousands of miles. So remote access is necessary."

So, what happens if a hostile actor gets remote access?

Stuxnet 2.0

Stuxnet, the U.S.-Israeli malware targeted to destroy centrifuges at an Iranian nuclear enrichment facility, used a variety of zero-days to gain remote access to the equipment in question, but the payload wasn't malware. It was alternate control system logic, Weiss points out. The centrifuges spun out of control and were destroyed.

An Aurora-like attack on the U.S. energy grid would be conceptually similar. Gain remote access and start flipping breakers until things explode. "That's effectively Stuxnet," Weiss says. "This is scarier than hell."

Not everyone agrees with Weiss, however. "Doing that [an Aurora-like attack] at scale is extremely difficult," says Patrick Miller, managing partner at ICS security consultancy Archer International. "There are manual protective devices in place that operate in some cases electromechanically and not digitally."

Any such attack would also not cascade across the United States because of the way the energy grid was built historically, Miller points out. "It's physically impossible to get through a phase shifter at the interconnection points between the Texas and eastern and western grids."

Indeed, a Congressional report concluded in 2014 that to achieve a nation-wide blackout, an attacker would need to take out at least nine substations across the U.S., writing, "A FERC power flow analysis in 2013 identified 30 such critical HV transformer substations across the continental United States; disabling as few as nine of these substations during a time of peak electricity demand reportedly could cause a 'coast-to-coast blackout.'"

A nationwide blackout as described in the 2014 Congressional report is a realistic threat, Joe Slowik, a senior threat analyst knowledgeable about energy grid security, told a group of journalists earlier this month at the offices of Dragos, a consultancy that specializes in ICS security. A worm that could knock out the energy grid is "entirely plausible," he said.

More nation-states are researching energy grid security, Slowik also pointed out. This kind of weapon gives geopolitical leverage to nations both large and small. While a cascading Aurora-like attack might not be simple, easy or cheap, gaining the ability to carry out such an attack would add a potent weapon to even a small nation's military arsenal.

The future of security at layer 1

Security folks tend to focus their efforts on layer 2 and above, often giving little thought to layer 1 security. The energy grid doesn't need the internet to operate, but there's no network to secure if the power goes out.

Worse, the schism between electrical engineering and computer science has grown wider over the last two decades, to the point that many — even most — IT and security professionals lack the training in physics and electrical engineering to be able to threat model potential attacks to layer 1 security and mitigate them appropriately. "If security at layer 1 isn't there, then you have no security," Weiss says.

Copyright © 2019 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!