Focus cyber risk on critical infrastructure: Remote substations are vulnerable

Doug DePeppe is a cyberlaw attorney who I have worked with professionally for several years. He has very good experience working on critical infrastructure issues. When he asked to offer a guest blog using “Lohrmann on GovSpace” to cover this important topic, I quickly agreed. When you read his words, I hope you will see why this is an important discussion. Here’s his guest blog…

Leon Panetta, former CIA Director, repeated in a recent speech his 2012 reference to a risk of a “cyber Pearl Harbor”.  Once again, Mr. Panetta is calling attention to our nation’s cyber catastrophe risks through an attack on critical infrastructure.

Around the time of Mr. Panetta’s remarks, the NSA Director nominee, Vice Admiral Michael Rogers, provided comments to Congress concerning the acceleration of cyberspace as a domain of warfare.  He called for increased cyber-attack capabilities for US military forces.

An important dimension to glean about cybersecurity from these news accounts is the nexus to national security.  Media reporting in the past year has begun to highlight risks of cyber-attack; yet, often the focus is on banking and cybercrime.  Indeed, cybercrime has been highlighted nationally as a threat to e-commerce and to global commercial competitiveness.  This is certainly a grave threat to society. 

As a strategic advisor to corporate clients and as a blogger, it’s important to keep clients and readers abreast of the constantly changing nature of the cyber-risk environment.  Accordingly, this article highlights a particular risk posed to the energy sector, particularly to remote substations. 

WHY A NATIONAL SECURITY RISK IS A COMMERCIAL PROBLEM

In addition to cybercrime, such as the impact of the recent breaches at Target, Neiman Marcus and elsewhere, another grave cyber threat comes in the form of terrorism and from state actors.  Threats to critical infrastructure typically do not originate from criminal organizations.  For example, a recent online Wall Street Journal article explains the risk of a national blackout from a series of targeted cyber-attacks upon power substations.  

This type of attack – one that has a national strategic objective by a foreign adversary, but which targets a commercial sector – is a poignant reminder for how the Internet has enabled the conflation of national security with business interests. 

Given the range of bad actors – cybercriminals, terrorists, state-actors – I am asked from time to time, especially from energy sector clients who face uncertain compliance evolution challenges under NERC CIP, “How much is enough security?”  While I use a proprietary model to help clients design their security programs, I decided to help clients by surveying partners and others in the energy sector to provide greater insight into the trends that will affect cybersecurity in 2014 and into 2015.

WHERE’S THE GREATEST RISK?

Consistent with aspects of my model, I sought to isolate and prioritize risk.  My own research, both in terms of vulnerability and compliance challenges, pointed to remote substations.  If the battle has been brought to the homeland through cyberspace, so that today critical infrastructure is on the front lines, then soft targets face increased risk.  Moreover, since every component of the generation, transmission, and distribution system is under threat of attack, remote substations are among the most difficult to secure and manage. 

My research was personally performed online, as well as through discussions with experts and partners in critical infrastructure and energy sectors.  One partner, RADiFlow, an Israeli-owned and New Jersey-based ICS security appliance manufacturer, helped to confirm the risk to substations.  According to RADiFlow’s CEO, Ilan Barda, “Many of the products in our product line are specifically focused upon helping remote substations establish a more resilient infrastructure.” 

Ayal Vogel of Amid Strategies and a RADiFlow advisor further explained:  “The risks to the distribution grid have already been demonstrated through accidents and physical attack.  Remote substations double or triple the challenge by the very fact that they are remote.  A cyber-attack presents additional challenges because network anomalies may not be viewed a cyber-attack, and sending out a network forensics team right away might not seem justified, until attack indications become more obvious.” 

The vulnerabilities cited are legitimate risks.  Managing distant risks has always been a unique dilemma for risk managers.  The expense associated with committing human resources to a distant location translates into a) having solid decision support tools, and b) deploying remote sensors and other technology to aid in decision support.  The same approach applies in cyber defense.  Remote substations require security hardening, improved detection, and remote monitoring and control over security features.

These challenges of managing risk to a remote site amplify the need for improving cybersecurity around remote substations.  This is a vulnerability approach to assessing risk.  Let’s check the box that remote substations represent heightened risk, perhaps extreme risk, using this vulnerability approach.  Vulnerability, alone however, does not justify increased focus and expenditures to improve security.

WHERE’S THE GREATEST CONSEQUENCE?

Another important component of risk assessment is understanding consequences.  Consequences can be reviewed from different angles:  Loss of Capability, Costs, Fines, and Liability Exposure to list a few general topics within this approach.

Many publicly available accounts have previously described the catastrophic impact, and infrastructure costs, associated with losing critical infrastructure through a cyber-attack.  We know that there is both intent and capability for foreign adversaries to attack the US through cyberspace.  In certain commercial sectors, however, this risk is either discounted or viewed as a government problem.  Under this line of thinking, a business case has not been made to compel owners and operators of critical infrastructure to spend money to improve security.  This logic, however, is not appropriate for the energy sector. 

For utilities subject to NERC CIP compliance, an increasingly activist government intent to improve cybersecurity translates into audits and fines for noncompliance.  This risk, therefore, cannot be discounted or ignored in the energy sector. 

According to Rick Schaal, a subject matter expert and consultant with Schaal Energy Solutions and Energy One who has an extensive and impressive energy sector CV:  “Fines associated with NERC CIP noncompliance are really starting to get executives’ attention.  Of course, the million dollar per day fine risk is well-known, but perhaps less known are the NERC enforcement actions that have led to actual fines that have been levied against utilities.” 

Another aspect of the noncompliance risk under NERC CIP is the lack of certainty of the regulatory framework.  NERC CIP versions are changing from version 3, skipping version 4, and soon going to version 5.  The approach is changing from applying fixed security standards to a more flexible risk management approach.  According to Ilan Barda:  “The Perimeter Security and Security Management parts of NERC CIP version 5 need to be focus areas for utilities, as fines are increasing in these areas.  Our customers are asking us to provide security appliances with adjustable controls, so that they can manage compliance regardless of the NERC CIP version that will approved and implemented by auditors.  And that is what we have done to help the sector.”   

The RADiFlow executive is referring to a necessary capability that utility cybersecurity managers need to comply with both present standards and emerging ones.  Beside NERC CIP version 5, the NIST Cybersecurity Framework emerged in February 2014, and under the President’s 2013 Executive Order and Presidential Policy Directive (PPD) – 21, departments and agencies have been reviewing methods for adopting improved cybersecurity controls and the NIST Cybersecurity Framework.  Against this changing regulatory backdrop, cybersecurity managers must have adaptable solutions. 

WHAT’S THE LIKELIHOOD OF A CONSEQUENCE OCCURRING?

In addition to helping clients identify and prioritize risk from the cyber market vertical, it is also important to assess likelihood of impact.  That impact can be the likelihood of attack as well as the likelihood of a financial consequence. 

There are already myriad reports and stories of cyber-attack risk to critical infrastructure, so there is little sense wasting time recounting those threats here.  Rather, a more productive area is to highlight a) special substation cybersecurity risks, and b) the role that an activist federal government is playing to improve the Nation’s cyber resilience.

The Wall Street Journal story above outlined the results of a study conducted by the Federal Energy Regulatory Commission (FERC):  “The agency’s so-called power-flow analysis found that different sets of nine big substations produced similar results [which were a national outage]. The Wall Street Journal isn’t publishing the list of 30 critical substations studied by FERC.” 

The FERC report studied the major nodes in the grid that could lead to a national outage, not smaller substations within a utility’s distribution network.  However, the targeting of all substations is clearly countenanced as a national risk.  The risk of targeting to remote substations is further validated by the actual physical attacks on remote substations that occurred in 2013 in California and Arkansas.  

Taking the next step of linking physical attack risk to the cyber domain should be readily appreciated, in the age of the Stuxnet attack scenario.  Simply looking at SCADA search engines like Shodan, however, provide ample evidence that the attack risk is real.  SCADA networks, like those operating at remote substations, can be identified and attacked, using multiple attack vectors and tactics.

Turning to the likelihood of audit and fines creating an actual noncompliance consequence, particularly focusing on Perimeter Security and Security Management as identified above, it is important to recognize that scrutiny in the energy sector is part of a broad national effort to improve the resilience of critical infrastructure from cyber-attack risk. 

Again, according to those very close to the market:  “Utilities are increasingly concerned about their substation SCADA networks”, stated Ayal Vogel.  This is likely because they are seeing what is happening in other sectors.  The President’s PPD-21 issuance has resulted in federal financial regulators requiring big banks to conduct cyber audits of their law firms, the Federal Trade Commission (FTC) pursuing security actions for breaches, the Federal Communications Commission (FCC) increasing its inspection role, and Health and Human Services (HHS) hiring auditors to go after HIPAA Security Rule compliance.  This is an example of an activist government intent on improving cyber resilience, and empowering agencies with audit authority and manpower to convince owners and operators of critical infrastructure that there is indeed a business case for improving security. 

CONCLUSION

In every sector having federal oversight, cybersecurity audits are being implemented and expanded.  Yet, few sectors pose the catastrophic risk of the energy sector.  And within the energy sector, the special vulnerabilities, threat profile, and fine consequence likelihood that attaches to remote substations makes this component of the electricity distribution system a necessary focus area in 2014 for cybersecurity hardening. 

This is the advice being provided to clients in the energy sector as well as more broadly in other sectors, as well as more broadly to readers through this article.  In supporting the research in this piece, the support and time provided by RADiFlow, Amid Strategies, and Energy One is appreciated.      

More on the Guest Blogger:  Doug DePeppe is a cyberlaw attorney and consultant, who leads several entrepreneurial and nonprofit ventures in the cybersecurity marketplace.  His Cyber Risk law practice resides at Aspire IP Law Group.  He leads cyber process improvement efforts at Lumark Technologies, energy sector innovation with Energy One, consults to multiple partners, and co-founded the Western Cyber Exchange; and recently, Doug launched the Cyber Resilience Institute with his nonprofit partners.  Doug is also a university adjunct professor, teaching masters programs in cybersecurity.