By Michael Mimoso | March 31, 2021

A report published recently by the U.S. Government Accountability Office (GAO) calls on the Department of Energy to better address electricity grid distribution systems in its cybersecurity strategy.

Distribution systems, which carry electricity from transmission systems to consumers, are state-regulated, unlike the two other legs of the grid triad—generation and transmission systems—which fall under federal oversight.

The GAO’s report points out that these systems are largely no longer air-gapped, and connectivity to IT networks or direct connections to the internet introduce vulnerabilities that can be exploited by a host of threat actors, including nation-states, terrorists, hacktivists, and criminals.

The GAO also cautions that the scale of potential impacts from a cyberattack against distribution systems is “not well understood.” Operators and regulators interviewed by the GAO said such an attack would likely have only localized impacts, but the report also cautions there could be “national consequences” depending on which distribution systems were targeted, or whether an attack affecting a large city would result in outages of national significance.

The Security Tradeoffs of Connectivity

Industrial control systems (ICS) are largely what keep the lights on: they manage the generation, storage, transmission, and distribution of electricity from utilities to businesses and homes nationwide. Many, however, were built to operate independently of IT networks or the internet. Now that many are being connected to improve remote maintenance and data gathering, critical vulnerabilities are being introduced in parallel.

The dispersed nature of distribution systems, the GAO said, also expands the attack surface available to threat actors. Distribution systems, for example, are likely to maintain long-term investments in older, vulnerable equipment that runs for extended periods inside remote substations. Given the cost and complexity of replacement, these older systems are unlikely to transition to smart systems as long as the existing equipment remains operational and cost-effective. Tack on a global pandemic and the resulting mandate for more remote connections to critical infrastructure, and the risk rises sharply.

All of this is making government officials more aware of the cybersecurity gap in distribution systems. Some states are taking steps such as hiring cybersecurity specialists and including cybersecurity as part of routine oversight. The DOE supports that movement with training, tabletop exercises, and best-practices guidance. But its national strategy for grid cybersecurity doesn’t adequately address distribution systems, the GAO said. The DOE has told the GAO it will conduct a full assessment of cybersecurity risks to the grid, but that updated versions of its guidance will be similar to previous versions, which the GAO deems inadequate with respect to distribution systems.

“DOE officials told us that they are not addressing risks to grid distribution systems to a greater extent in their updated plans because they have prioritized addressing risks facing the bulk power system,” the report says. “Officials said a cyberattack on the bulk power system would likely affect large groups of people very quickly, and the impact of a cyberattack on distribution systems would likely be less significant.”

Supply Chain Risks Singled Out

Supply chain security is one area singled out by the GAO. The report cites one incident in which removable media infected with malware was included in a product during manufacturing, and another in which attackers compromised software installers for ICS devices hosted on vendor websites, infecting companies in Europe and the U.S.

In addition to supply-chain attacks, the report also describes some techniques attackers use for initial access to ICS, including exploits against internet-connected ICS devices, spear-phishing emails that carry links to malicious sites or malware hidden in attachments, and exploits targeting remote access tools such as VPNs.

The consequences include attackers sending commands that instruct control systems to behave outside their intended functionality or that disrupt operations. Ransomware attacks such as the EKANS attacks of 2019 can result in lost productivity or revenue, while other attacks can deprive operators of full visibility into their processes, hiding the true state of those processes.

DOE, according to the report, concurs with the GAO findings and said it would better address distribution cybersecurity through two ongoing Congressional initiatives, the National Rural Electric Cooperative Association (NRECA) and the American Public Power Association (APPA), with “major deliverables” due next year and in 2023.

Recommendations

Electricity distribution systems look to remain state-regulated for the time being, meaning there will be an inconsistent mix of oversight and legislation governing these critical systems. Here are a few recommendations that security leaders should consider:

  • The GAO’s report is accurate in that local incidents could ripple into larger outages given the wide swath of distribution systems. Organizations should identify their assets, monitor older equipment within their infrastructure, and assess any existing vulnerabilities that can be remediated.
  • A single-pane-of-glass view into a utility’s entire distribution system is a vital strategy for combating threats. Claroty has had many success stories with large power distribution systems worldwide, in different regulatory environments. Your monitoring and visibility solution should not only identify assets for vulnerability remediation, but also help you monitor and meet your regulatory requirements.
  • Purpose-built remote access solutions for industrial control systems and networks are crucial tools for electricity distributors. Given the physical locations of many substations across the U.S., it’s likely distributors already have some sort of remote access to these systems. Be aware that traditional VPNs, for example, don’t satisfy the needs of every ICS environment: they lack the auditing and real-time monitoring needed to detect malicious activity and shut down remote connections when it occurs.