IoT across the power grid creates new openings for hackers

The month’s final theme for National Cyber Security Awareness, building resilience in critical infrastructure, should resonate as a priority for all. If you look at what happened with the Mirai and Dyn attacks, they present the harsh reality that most IoT developers hoped they could avoid. The obvious damage that will continue to come with these attacks ranges from general frustration to economic losses. But, at the risk of seeming overly paranoid, I am going to agree that these IoT DDoS attacks change the game.

In thinking about the wide range of vulnerabilities yet to be exploited, one serious unintended consequence with IoT is that lives are potentially at stake. Whether it’s medical devices going offline or electrical grids being compromised, the stakes go beyond frustration and fiscal loss.

The electrical grid runs everywhere, and there are a few different ways that it can be compromised. The potential of a physical attack is always ongoing, said Stewart Kantor, CEO of Full Spectrum, but there are other risks. “One risk is that the data traffic gets blocked and they can’t connect to what’s controlling the grid. Another is that somebody gets in and takes control, like Ukraine,” Kantor said.

Utilities have a variety of perimeter techniques to protect against physical attacks, but they lack updated measures to protect data communication. “These systems were designed a hundred years ago with Edison, and except within the last 10 years, they didn’t do much more than have dial-up modems over a telephone network. They were as secure as the landlines were. They were secure, but that is no longer true,” Kantor said.

High voltage can do a lot of damage, and you can quite literally blow things up. Kantor said, “Economically it’s a disaster too. If you can’t get to an outlet, you can’t get your job done anymore. We’re all attached to the grid. In order to support all these apps, you need the automation, but that introduces all these vulnerabilities.”

As is true in most sectors, utilities need to automate in order to increase efficiency and handle new applications like solar. “They want to use internet protocol but don’t want to be vulnerable,” said Kantor.

One effort to mitigate risks has to do with real-time control. In short, there are no real-time controls, but Kantor said that’s changing to allow real-time updates. “A lot has to do with wind and solar. They are starting to drive deep down into the grid with data communication so that they have the ability to reroute power and increase or decrease voltage.”

Using public networks is also of great concern in securing utility grids because the utility is then vulnerable to that carrier. In a DDoS attack, that provider alone can block them from getting access to the grid. They basically go blind. That’s why, Kantor said, “If you think about utility companies, they are very focused on security-related issues because they supply the power to everything we do.”

Adversaries could use WiFi-type technologies to disrupt service, said Kantor. “They could easily set up a WiFi access point next to a portion of the grid that is using WiFi, which would create interference and take them offline. Who regulates that? If the carrier can’t handle that data traffic, who is liable?”

One solution, said Kantor, is to have a completely private internet. “The ones who want to be the most secure create an air gap that will keep the corporate network with public access completely separated. They move to a different computer and those computers and servers are never connected to the public internet.”

For vendors who are remotely troubleshooting auto-mechanical equipment or any kind of grid management, “They can open up a port with multiple levels of authentication and the port closes after a period of time to limit the potential for a sustained attack,” Kantor said.

Different layers of security will best defend utilities, but there are still vulnerabilities at the edge. “They connect a public device to an Ethernet port of a remote device. When the utility looks at it, they focus on all the vulnerabilities at the grid edge and internally, but port security is a huge issue at the remote device,” Kantor said.

So the question for utilities becomes: what kind of security are you going to have in addition? “They can run a VPN over wireless connection, turn on encryption, encrypt over the air, and then whatever else they want to do. Radios require authentication, and utility companies often run their own private voice networks that they continue to operate.”

Unlike corporate networks, utilities need to think about both security and reliability, as they have to have the ability to recover from either natural or man-made disasters. They now need to be building resilience into critical infrastructure because we will only see more of these attacks.