Terrorism and the Electric Power Delivery System

The electrical grid is said to be vulnerable to terrorist attack. I can agree that the electrical power distribution network would be quite vulnerable if someone tries to sabotage it and knows what to do. I know this because I design software and hardware for control systems for electrical companies.

Some days ago I saw on Finnish television an interesting documentary, Suomi polvilleen 15 minuutissa (viewable on Yle Areena, at least for Finnish people, for a few more weeks). It says that in Finland there has been debate on how many weeks the army could protect the country against potential attacks. The documentary says that the country could collapse in 15 minutes if some outside attacker or a small terrorist group attacked certain key points in the power network. Practically nothing would work anymore without power, and it would take quite a bit of time to get replacement parts for some key components. There are not too many spare parts, and it takes months or a year to build a new big high-voltage distribution transformer.

This vulnerability would hold for practically all developed countries. I have understood that the Finnish electrical power distribution network is in pretty good condition compared to the electrical power networks in some other countries. I think that in many countries one could quite easily cause huge problems by damaging some key points in the power distribution network. Those attacks could be either cyber-attacks or attacks damaging physical infrastructure.


In the USA there has been lots of talk lately about the electrical grid's vulnerability to terrorist attack. There are warnings like this: Cyber-terrorists could target the U.S. electrical grid and throw the nation into chaos. And there is indeed some truth in those, because this critical infrastructure is vital to a country’s economy and security, not a new target for terrorist groups (there have been documented incidents since the 1970s), inherently vulnerable (for economic and practical reasons) and extremely hard to protect well. The electric power delivery system that carries electricity from large central generators to customers could be severely damaged by a small number of well-informed attackers. The system is inherently vulnerable because transmission lines may span hundreds of miles. Electrical infrastructure is not necessarily a new target for terrorist groups; there have been documented incidents since the 1970s.

The New York Times writes that terrorists could black out large segments of the United States for weeks or months by attacking the power grid and damaging hard-to-replace components that are crucial to making it work. By blowing up substations or transmission lines with explosives or by firing projectiles at them from a distance, the report said, terrorists could cause cascading failures and damage parts that would take months to repair or replace.

Remember that causing large-scale problems for a long time is usually hard. In the article Debunking Theories of a Terrorist Power Grab, a Penn State power-system expert cites the laws of physics to pull the plug on worries that a terrorist attack on a minor substation could bring down the entire U.S. electric grid. The most vulnerable points are the ones that have the most energy flowing through them, like huge power stations or highly connected transformers. Those are the ones that should be well protected, and there should not be too much worrying about protecting smaller transformers.

Here are a few links to articles for more information:

There is also a free book, Terrorism and the Electric Power Delivery System, available online that covers those topics. Check it out if you want to learn more. It gives you much more background than those articles.

512 Comments

  1. Tomi Engdahl says:

    Puerto Rico governor: Power could be out for months
    http://edition.cnn.com/2017/09/20/americas/hurricane-maria-caribbean-islands/index.html

    (CNN)Puerto Rico’s energy grid took such a severe blow from deadly Hurricane Maria that restoring power to everyone may take months, Gov. Ricardo Rosselló told CNN on Wednesday night.
    The entire system is down, the governor said. No one on the island has power from utilities.

    Puerto Rico, which has been through a long recession and is deeply in debt, has a power grid that is “a little bit old, mishandled and weak,” Rosselló told “Anderson Cooper 360˚.”
    “It depends on the damage to the infrastructure,” he said. “I’m afraid it’s probably going to be severe. If it is … we’re looking at months as opposed to weeks or days.”

    Reply
  2. Tomi Engdahl says:

    DDoS Attacks More Likely to Hit Critical Infrastructure Than APTs: Europol
    http://www.securityweek.com/ddos-attacks-more-likely-hit-critical-infrastructure-apts-europol

    While critical infrastructure has been targeted by sophisticated threat actors, attacks that rely on commonly available and easy-to-use tools are more likely to occur, said Europol in its 2017 Internet Organised Crime Threat Assessment (IOCTA).

    The report covers a wide range of topics, including cyber-dependent crime, online child exploitation, payment fraud, criminal markets, the convergence of cyber and terrorism, cross-cutting crime factors, and the geographical distribution of cybercrime. According to the police agency, we’re seeing a “global epidemic” in ransomware attacks.

    When it comes to critical infrastructure attacks, Europol pointed out that the focus is often on the worst case scenario – sophisticated state-sponsored actors targeting supervisory control and data acquisition (SCADA) and other industrial control systems (ICS) in power plants and heavy industry organizations.

    However, these are not the most likely and most common types of attacks – at least not from a law enforcement perspective as they are more likely to be considered threats to national security. More likely attacks, based on reports received by law enforcement agencies in Europe, are ones that don’t require attackers to breach isolated networks, such as distributed denial-of-service (DDoS) attacks, which often rely on easy-to-use and widely available tools known as booters or stressers.

    While these types of attacks may not lead to a shutdown of the power grid, they can still cause serious disruptions to important utilities and services.

    “While DDoS is often a tool for extortion, the lack of communication from the attackers may suggest that these attacks were of an ideological nature,” Europol said in its report. “Although European law enforcement recorded an increasing number of these attacks last year, they also note that they only had moderate, short-lived impact.”

    Internet Organised Crime Threat Assessment (IOCTA) 2017
    https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2017

    Reply
  3. Tomi Engdahl says:

    Hurricane hardening for utility power architectures: Puerto Rico
    https://www.edn.com/design/power-management/4458874/Hurricane-hardening-for-utility-power-architectures–Puerto-Rico

    In the aftermath of Hurricane Maria, the island of Puerto Rico has been devastated with a loss of their electrical power infrastructure and lack of fresh water. The electrical infrastructure efforts are estimated to bring power back to the island in six months.

    The Puerto Rico Electric Power Authority (PREPA) is the only power distributor on the island. PREPA’s power plants were 44 years old when Hurricane Maria struck; most industry power plants average 18 years. They burned Venezuelan oil at these aging power plants which needed billions of dollars in overdue repairs and renovation. Puerto Rico being essentially bankrupt did not help. This is a lesson for other governments to make sure their citizens are well protected for typical catastrophes that occur in their region.

    Reply
  4. Tomi Engdahl says:

    NASA Images of Puerto Rico Reveal How Maria Wiped Out Power On the Island
    https://hardware.slashdot.org/story/17/10/02/2236255/nasa-images-of-puerto-rico-reveal-how-maria-wiped-out-power-on-the-island

    Hurricane Maria was the most devastating hurricane to make land in Puerto Rico in nearly 100 years and the country is still reeling in its wake. Much of the island still doesn’t have running water, reliable communication or electricity. Recently, NASA published a set of date-processed photos that show the island’s nighttime lights both before and after the storm.

    These NASA Images Of Puerto Rico’s Power Loss Are Staggering
    https://jalopnik.com/these-nasa-images-of-puerto-ricos-power-loss-are-stagge-1819076467

    Reply
  5. Tomi Engdahl says:

    Hurricane Maria Left Puerto Rico Absolutely Devastated
    https://gizmodo.com/hurricane-maria-left-puerto-rico-absolutely-devastated-1818706517#_ga=2.183983014.1472517162.1507031174-1226169591.1507031174

    Hurricane Irma pounded Puerto Rico earlier this month, leaving hundreds of thousands without power, but narrowly avoiding a worst-case scenario.

    Unfortunately, Hurricane Maria slammed directly into Puerto Rico at Category 4 strength on Wednesday, lashing the island with 155 mile per hour (250 kilometer per hour) winds and double-digit storm surge. The storm immediately knocked out the region’s entire power grid, much of its communications networks and large stretches of road, making it impossible for the territory’s central government to assess the damage.

    But the scale of the second hurricane’s devastation across Puerto Rico is rapidly becoming clear, the Washington Post reports, with many towns across the territory totally destroyed.

    https://www.washingtonpost.com/national/if-anyone-can-hear-us–help-puerto-ricos-mayors-describe-widespread-devastation-from-hurricane-maria/2017/09/23/7ef5f6c4-a069-11e7-8ea1-ed975285475e_story.html

    Reply
  6. Tomi Engdahl says:

    Part II: Powering America: Defining Reliability in a Transforming Electricity Industry
    https://www.youtube.com/watch?v=W-sU63PdgM8

    Reply
  7. Tomi Engdahl says:

    How Do South Korea’s Secretive “Blackout Bombs” Actually Work?
    http://www.iflscience.com/technology/south-koreas-secretive-blackout-bombs-actually-work/

    BY ROBIN ANDREWS

    10 OCT 2017, 11:51
    As tensions across the Korean peninsula continue to simmer, reports are now circulating that South Korea’s military forces are prepared to use so-called blackout bombs in any future conflict. These high-tech weapons have only been used on a handful of occasions before – most notably during the last two Gulf Wars and during the conflict in Kosovo – so what exactly are they?

    Classified until only recently, these weapons are decidedly non-lethal. They contain millions of small particles of chemically treated carbon filaments, essentially a type of graphite.

    These bombs are targeted at major power grids and lines: when these particles make contact, a current flows through them at such extreme temperatures that it melts part of the mainline wiring, and the system shorts out. So long as the power lines aren’t insulated, these graphite bombs can be incredibly effective.

    When they were first deployed in the 1990 Gulf War against Iraq by the US Air Force, up to 85 percent of the country’s electrical supply was knocked out. Similarly, when used by NATO forces against Serbia in 1999, 70 percent of the country’s power grid was shut down.

    South Korea’s Agency for Defence Development has been working on them recently, and has, according to Yonhap News Agency

    Reply
  8. Tomi Engdahl says:

    Energy Regulator Acts to Improve Power Grid Security
    http://www.securityweek.com/energy-regulator-acts-improve-power-grid-security

    With growing concern over nation-state cyber attacks comes an increasing need to secure the critical infrastructure. In the Quadrennial Energy Review published in January 2017, the U.S. Energy Department wrote, “Cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency.” The reliability of the electric system underpins virtually every sector of the modern U.S. economy, it warned.

    In response to such concerns, the Federal Energy Regulatory Commission (FERC) yesterday proposed new cyber security management controls to enhance the reliability and resilience of the nation’s bulk electric system.

    “FERC proposes to approve Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 (Cyber Security – Security Management Controls), which is designed to mitigate cyber security risks that could affect the reliable operation of the Bulk-Power System,” it announced.

    The new standard will particularly improve on existing standards for access control, “by clarifying the obligations that pertain to electronic access control for low-impact cyber systems; adopting mandatory security controls for transient electronic devices, such as thumb drives and laptop computers; and requiring responsible entities to have a policy for declaring and responding to CIP exceptional circumstances related to low-impact cyber systems.”

    FERC Proposes New Security Management Controls for Grid Cyber Systems
    https://www.ferc.gov/media/news-releases/2017/2017-4/10-19-17-E-1.asp#.Wei8GVtSwUF

    Today’s Notice of Proposed Rulemaking also proposes to direct the North American Electric Reliability Corp. (NERC) to develop modifications to provide clear, objective criteria for electronic access controls for low-impact cyber systems and to address the need to mitigate the risk of malicious code that could result from third-party transient electronic devices. These modifications will address potential gaps and improve the cyber security posture of entities that must comply with the CIP standards.

    In a separate order, the Commission accepted NERC’s preliminary geomagnetic disturbance (GMD) research work plan and directed that NERC file a final plan within six months.

    Reply
  9. Tomi Engdahl says:

    Protecting Critical Infrastructure When a Dragonfly Beats its Wings
    http://www.securityweek.com/protecting-critical-infrastructure-when-dragonfly-beats-its-wings

    The Threat of Cyberattacks on Power Networks is Real, But We Have the Ability to Build Defenses That Minimize The Disruption to Services

    News that a sophisticated and long-established cyber espionage group may have the ability to infiltrate and do serious harm to critical energy supply infrastructure doesn’t come as a complete surprise. It does, however, provide an opportunity to reflect on how such systems are protected and what we as an industry can do better in the future.

    Anyone who works in security quickly gets used to the dilemma at the heart of what we do. It’s vital for us to communicate openly, clearly and with transparency about the threats faced in today’s networked world. Yet all too often, we run the risk of creating an unnecessary public panic which still doesn’t have the required effect of motivating those responsible for protecting critical systems into following good security practice.

    The recent revelations were published by researchers at Symantec and concern a cyber-attack group known as Dragonfly. They found that over a two-year period Dragonfly-affiliated hackers have been stepping up their attempts to compromise energy industry infrastructure, notably in the US, Turkey and Switzerland. The Symantec researchers found that the behavior of the Dragonfly group suggests they may not be state-sponsored, but that they have been conducting many exploratory attacks in order to determine how power supply systems work and what could be compromised and controlled as a result.

    An obvious target

    This shouldn’t come as a shock. Even the most innocuous web server will face dozens, if not hundreds, of attacks every day. Industrial control systems and critical national infrastructure have always been prime targets. Everyone from bedroom hackers to state sponsored spies have wanted to breach critical systems since the dawn of the networked era, whether that be for monetary gain, secret information, or just pure curiosity.

    What’s important in the Symantec report is not that energy systems are under attack, but that the methods detected – email phishing, Trojan malware and watering hole websites – are all well understood and can be mitigated against.

    Symantec was keen to point out that it has already integrated protections from the known Dragonfly attack methods into its software. Even so, it would be foolish to underestimate Dragonfly. It’s clearly a sophisticated group with a clear purpose, and while Dragonfly’s primary mechanisms at present appear to be based on social engineering, there are plenty of other state and non-state sponsored groups who have yet more sophisticated tools at their disposal.

    What’s more, the industrial internet of things (IIoT) continues to expand and our power infrastructure is diversifying to include smart grids and new, decentralised generation and transmission technologies. These may be beyond the control of traditional energy companies, but are still connected to their networks, introducing many more potential points of weakness to protect. We already know that there are many hundreds of thousands of consumer devices out there that are poorly secured against malware such as Mirai and its successors. The risk is that the same weaknesses may be unwittingly introduced to critical infrastructures.

    Building our defenses

    What does defense in-depth mean for the power supply industry? For a start, more work needs to be done to convince utility companies that security spending must be an absolute business priority. Proactive regimes that include regular retraining and offensive exercises, such as penetration testing and “red teaming”, require ongoing investment and a commitment at all levels, but are essential to keeping defenses honed.

    On a practical level, it should be a given for even the smallest business in this day and age that application and client software is regularly patched and up-to-date, but as recent ransomware outbreaks have shown, this is not something we can take for granted.

    For power companies, the challenge here isn’t just about rapid deployment of desktop and server software security patches, there are myriad field devices and control systems that need protecting too, which requires careful consideration. The update-and-patch ethos applies just as it does in the server world, but many of the MTUs, the RTUs and the IEDs may be legacy units for which security was an afterthought. They must be supplemented with intelligence in the network that can spot anomalies and improve the ability to detect new threats and signatureless malware.

    Improving capabilities for prevention and detection of attacks, however, won’t be effective without similar investment in the ability to respond to incidents. This requires the development of specialist forensic skills and knowledge within the ICS and SCADA environment, so that once an incident is detected, it can be quickly neutralised and identified with the least possible disruption to operations. To further minimize disruption, solid plans for business continuity also need to be drawn up and prepared.

    Reply
  10. Tomi Engdahl says:

    Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure
    https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

    Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes. We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack.

    Reply
  11. Tomi Engdahl says:

    Cyber Defense Tool Is an Early Warning System for Grid Attacks
    https://spectrum.ieee.org/energywise/energy/the-smarter-grid/cyber-defense-tool-targets-grid-vulnerability

    A new tool will enable grid operators to better detect not only a brutal physical attack, but also a hacker probing for vulnerabilities

    Grid operators worry that the loss of one or more critical substations could trigger an outage that cascades across a region

    Reply
  12. Tomi Engdahl says:

    Attack on Nine Substations Could Take Down U.S. Grid
    Feds seek new rules to protect against physical attacks
    https://spectrum.ieee.org/energywise/energy/the-smarter-grid/attack-on-nine-substations-could-take-down-us-grid

    Reply
  13. Tomi Engdahl says:

    Electrical Substation visit. Inside an Electrical Substation.
    https://www.youtube.com/watch?v=l53NrBvlorQ

    An electrical substation is a subsidiary station of an electricity generation, transmission and distribution system where voltage is transformed from high to low or the reverse using transformers. Electric power may flow through several substations between generating plant and consumer, and may be changed in voltage in several steps.

    Reply
  14. Tomi Engdahl says:

    Electricity has such amazing power – Compilation
    https://www.youtube.com/watch?v=yX5TIDLvMyw

    EXCLUSIVE LOOK INSIDE A NUCLEAR POWER PLANT!
    https://www.youtube.com/watch?v=UuqbD28k6dY

    Reply
  15. Tomi Engdahl says:

    Electrical Substations
    https://www.youtube.com/watch?v=tS0SK-bMYjI

    6 Electrical Substation Bus Schemes Explained
    https://www.youtube.com/watch?v=ZU4y6vsabP4

    A substation bus scheme is the arrangement of overhead bus bar and associated switching equipment. The operational flexibility and reliability of the substation greatly depends upon the bus scheme.

    Reply
  16. Tomi Engdahl says:

    140,000 Volt Substation Explosion
    https://www.youtube.com/watch?v=uhG5RTKy66k

    140,000 Volt Substation Explosion. (Damage)

    Reply
  17. Tomi Engdahl says:

    High Voltage Substations around the world… 125kv, 66kv, 33kv
    https://www.youtube.com/watch?v=9yr3bmYwqLE

    Reply
  18. Tomi Engdahl says:

    Control room of 400/220kV substation, Scada control
    https://www.youtube.com/watch?v=3nxVReepVJY

    Reply
  19. Tomi Engdahl says:

    Isolating a Disconnecting Circuit Breaker using live line working
    https://www.youtube.com/watch?v=VfwpF68Di8k

    As it becomes more and more common with live working, performed by special trained staff, the question has been raised if it is possible to use the manual links in the DCB-design for live working.

    Reply
  20. Tomi Engdahl says:

    351 Substation Demolition — B Roll
    https://www.youtube.com/watch?v=TyWshVmbjGE

    The U.S. Department of Energy (DOE) recently teamed with contractor Washington Closure Hanford to complete a major recycling effort during cleanup of the Hanford Site in southeastern Washington State.

    Reply
  21. Tomi Engdahl says:

    Cyber Defense Tool Is an Early Warning System for Grid Attacks
    https://spectrum.ieee.org/energywise/energy/the-smarter-grid/cyber-defense-tool-targets-grid-vulnerability

    A rifle attack on an electrical substation near California’s Silicon Valley in April 2013 led to the development of a new tool for grid operators that will enable them to better detect not only a brutal physical attack but also the slightest hint of a hacker looking for vulnerabilities in these critical links in the grid.

    Although distributed in nature, grid operators worry that the loss of just a few critical substations could trigger an outage that cascades across a region, potentially crippling a major urban center.

    Indeed, in 2014, the Wall Street Journal reported the startling findings in a confidential report by the Federal Energy Regulatory Commission (FERC): Thirty substations across the U.S. played an outsized role in grid operations; knocking out nine of them could cause a cascading outage capable of bringing down the nation’s grid.

    During the still-unsolved crime, attackers cut fiber optic cables to the facility, and then shot up 17 transformers, resulting in $15 million in damage. The utility had to re-route power around the damaged substation until repairs could be made.

    A rifle assault means the attacker has to come close enough to blast away at a substation. Perhaps more worrisome to grid operators, however, is the possibility of a cyberattack launched remotely from anywhere on the globe.

    Reply
  22. Tomi Engdahl says:

    Critical Infrastructure Threat Is Much Worse Than We Thought
    https://www.securityweek.com/critical-infrastructure-threat-much-worse-we-thought

    Adversaries Most Likely Want to Acquire a “Red Button” Capability That Can be Used to Shut Down the Power Grid

    Last October the United States Computer Emergency Readiness Team (US-CERT) published a technical alert on advanced persistent threat (APT) activity targeting energy and other critical infrastructure sectors. Recently, it was updated with new information uncovered since the original report, and there are some interesting revelations this time around.

    Since the initial alert, The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), working with U.S. and international partners, determined that attacks were already underway and being carried out by unspecified threat actors. The new report contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims’ networks.

    The boldest revelation is the decisive manner in which the unspecified “threat actors” are explicitly identified. There is no equivocation; what was once believed to be an amorphous “threat actor” has now been identified as the “Russian Government”.

    As for reconnaissance and weaponization, in the original alert DHS identified the then “threat actor” as being interested in website and open source material pertaining to critical infrastructure. The report stated that no compromise was detected. The new alert reneges the “no compromise” statement and provides a very detailed description of how the Russians used malware to compromise industrial control system (ICS) networks. Moreover the use of zero day, APT and backdoor techniques all indicate the sophistication and intent of the activity designed to take over US critical infrastructure.

    The breadth of these attacks are not only deeper but also broader than originally thought. Because it is infinitely easier to hack into a trade magazine website than into a critical infrastructure network, the report also notes the use of “watering hole” attacks; architected to compromise machines belonging to ICS personnel that visited popular online news outlets. Once installed this malware could be easily used for account takeovers.

    The updated alert also reveals the effort put into exploitation. The October alert stated, “there is no indication that threat actors used Zero Day exploits to manipulate the sites.”

    Also new, for the first time, the attackers attempted to cover their tracks, making it much harder to understand exactly what facilities were compromised.

    Protecting the Power Grid from Cyber Attacks

    One thing that remained static in both reports is the target of the attack: “…campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.”

    As alarming as the revised alert is, perhaps most glaringly absent is a situational analysis of what the attackers did once they successfully gained access. The updated report only scratches the surface. To date, no detailed technical report – except for Stuxnet in 2010 – has been released detailing that last mile of malware inside of ICS networks, and specifically the damage caused by the attack.

    What we can conclude from this new alert is that the Russians have been running a cyber campaign against industrial infrastructures for nearly a decade. Most likely, they and others want to acquire a “Red Button” capability that can be used to shut down the power grid, or cause other infrastructure damage, at some point in the future. Having these capabilities can cause more damage and disruption than a traditional armed conflict and in many cases organizations and nations are less prepared to deal with it.

    Reply
  23. Tomi Engdahl says:

    U.S. Energy Department Offers $25 Million for Cybersecurity Tech
    https://www.securityweek.com/us-energy-department-offers-25-million-cybersecurity-tech

    The United States Department of Energy (DOE) on Monday announced that it’s prepared to award up to $25 million for the research and development of technologies designed to protect the country’s energy infrastructure against cyber threats.

    The funding opportunity announcement (FOA) comes from the Office of Electricity Delivery and Energy Reliability’s Cybersecurity for Energy Delivery Systems (CEDS) program and it seeks applications for researching, developing and demonstrating novel approaches to improving cyber resilient energy delivery systems.

    “This FOA builds on DOE’s efforts with the private sector toward improving the security of the Nation’s critical energy infrastructure, and reducing the risk of a cyber incident that could disrupt energy delivery,” the DOE said. “It will expand the development and adoption of energy technologies that will help ensure a more secure, resilient, and reliable electricity system.”

    In September 2017, the Energy Department announced its intention to invest $50 million in the research and development of tools and technologies that would make the country’s energy infrastructure more resilient and secure, including more than $20 million in cybersecurity.

    Reply
  24. Tomi Engdahl says:

    The Domino effect scares: cyber attacks can shake electricity from across Europe

    German security specialists warn that strategically targeted cybercrime would be able to paralyze the entire European electricity distribution.

    According to Der Spiegel, the country’s cyber-security center, intelligence services and the information security ministry jointly evaluate that the online threat may pose a variety of problems for critical infrastructure. Through the network it would be possible to hinder the reliability of traffic and energy supply, for example.

    According to the estimates, the paralysis of a single German energy distribution company could cause a domino effect through which the problems would be reflected across Europe through a common electricity distribution network. The report calls for increased infrastructure protection.

    A similar problem in Finland has been warned about by, among others, the Stonesoft security company in 2013.

    In Germany, reporters have been familiar with the cyber attacks in Ukraine. In December 2015, the malware dropped an electricity grid.

    Source: https://www.tivi.fi/Kaikki_uutiset/dominoefekti-pelottaa-kyberisku-voi-pimentaa-sahkot-koko-euroopasta-6738176

    More:
    http://www.spiegel.de/netzwelt/netzpolitik/sicherheitsbehoerden-halten-europaweiten-stromausfall-nach-hackerangriff-fuer-moeglich-a-1224727.html

    Reply
  25. Tomi Engdahl says:

    The Cybersecurity 202: These researchers worry more about cybercriminals hacking the grid than nation-state hackers.

    The Department of Homeland Security wants utility companies to beware of nation-state hackers who seek to infiltrate the U.S. electrical grid. But a prominent cybersecurity firm says there’s another type of adversary that officials and utility operators need to watch out for.

    Researchers at Cybereason say cybercriminal groups may pose a more immediate threat than nation state groups to electricity providers and other critical infrastructure such as wastewater facilities or manufacturing plants. Government-backed intruders tend to focus on quietly gathering information about the systems they penetrate, while cybercrime groups often use more amateurish techniques to compromise a network. That means they’re more likely to damage equipment or cause disruptions, even if they don’t intend to.

    “They’re not looking to throw the switch, but they might throw the switch by accident,” Ross Rustici, Cybereason’s senior director of intelligence, told me.

    The Boston-based firm wrapped up an experiment last week in which researchers set up a fake utility network and watched as hackers bearing the hallmarks of cybercriminals penetrated it in a matter of days. While the hackers showed some advanced skills, they used a few sloppy methods that raised “red flags” about their potential to inadvertently cause failures in the system, researchers concluded.

    DHS, tasked with protecting U.S. critical infrastructure, has publicly devoted its attention largely to the threat from nation states. These findings paint a more complete picture for policymakers and utilities facing a rise in malicious cyber activity — and spotlight a potential threat that hasn’t been as much of a focus in public remarks by top officials.

    https://www.washingtonpost.com/gdpr-consent/?destination=%2fnews%2fpowerpost%2fpaloma%2fthe-cybersecurity-202%2f2018%2f08%2f29%2fthe-cybersecurity-202-these-researchers-worry-more-about-cybercriminals-hacking-the-grid-than-nation-state-hackers%2f5b8586d51b326b3f31919e0f%2f%3fnoredirect%3don%26utm_term%3d.f86a099d6257&noredirect=on&utm_term=.bd38bd7fd9af

    Reply
  26. Tomi Engdahl says:

    New cyber report from Germany warns: hackers could black out the entire European power grid
    https://yle.fi/uutiset/3-10369841
    Cyber defense center warns of power outage across all of Europe
    http://www.spiegel.de/netzwelt/netzpolitik/sicherheitsbehoerden-halten-europaweiten-stromausfall-nach-hackerangriff-fuer-moeglich-a-1224727.html

    Reply
  27. Tomi Engdahl says:

    Could home appliances knock down power grids?
    https://www.welivesecurity.com/2018/09/06/madiot-home-appliances-power-grids/

    Far-fetched though it may sound, the answer is yes, according to researchers, who show that electrical grids and smart home appliances could make for a dangerous mix

    Cybercriminals could rope internet-connected household appliances into a botnet in order to manipulate the demand side of the power grid and, ultimately, cause anything from local outages to large-scale blackouts, according to a study from a team of academics at Princeton University.

    Their research focused specifically on power-hungry domestic appliances like electric ovens, space heaters and air conditioners that can be connected to the internet and are often controlled via mobile applications or smart home hubs. They didn’t highlight any specific security flaws in any particular devices, but envisaged a scenario involving their compromise in some way by hackers.

    The underlying – and unusual – threads of the proof-of-concept attacks are that threat actors could cause the disruption without compromising the grid’s supervisory control and data acquisition (SCADA) systems. Also, rather than taking aim directly at the network’s supply side, the attacks – nicknamed “MadIoT” (Manipulation of demand via IoT) – would target the demand side.

    The sources of MadIoT attacks are “hard to detect and disconnect by the grid operator due to their distributed nature”, wrote the researchers. Moreover, the attacks can be easily repeated while requiring no knowledge of the grid’s operational details on the adversary’s part.

    The researchers tested the plausibility of the new type of attack on “state-of-the-art simulators on real-world power grid models”. The threat is described in a paper called “BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid”, and the research was also presented at a recent USENIX security symposium.

    Back to MadIoT now. In a nutshell, the academics came up with three broad attack scenarios:

    First, it’s attacks that result in frequency instability due to abrupt increases or decreases in the power demands of high-wattage internet-connected devices by simultaneously turning many of them on or off. The ensuing imbalance between supply and demand triggers a sudden drop in the system’s frequency.

    “If the imbalance is greater than the system’s threshold, the frequency may reach a critical value that causes generators tripping and potentially a large-scale blackout,” wrote the academics.

    A simulation on a power grid model of a US-based utility showed that a 30% increase in demand was enough to cause the tripping of all the generators. “For such an attack, an adversary requires access to about 90 thousand air conditioners or 18 thousand electric water heaters within the targeted geographical area,” reads the paper.

    https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-soltan.pdf

    Reply
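The frequency-instability scenario quoted in comment 27, seen from the operator's side, as an added example that is not taken from the article or the BlackIoT paper: a single-area swing-equation model with droop governors and limited spinning reserve. Every parameter value (inertia, droop, reserve, relay setting) is an assumed textbook-style figure, not the paper's grid model.

```python
from dataclasses import dataclass


@dataclass
class Grid:
    """Aggregate single-area model, per unit on system load. All values assumed."""
    f0: float = 60.0       # nominal frequency, Hz
    H: float = 5.0         # aggregate inertia constant, s
    D: float = 1.0         # load damping: pu load change per pu frequency change
    R: float = 0.05        # governor droop (5 %)
    Tg: float = 5.0        # governor/turbine lag, s
    reserve: float = 0.10  # spinning reserve the governors can release, pu
    trip_hz: float = 57.5  # generator under-frequency protection setting, Hz


def initial_rocof(grid, step_pu):
    """Rate of change of frequency (Hz/s) right after a demand step.

    Before governors react, only stored rotational energy covers the
    imbalance: d(f)/dt = -dP * f0 / (2H).
    """
    return -step_pu * grid.f0 / (2.0 * grid.H)


def settling_hz(grid, step_pu):
    """Frequency the model would settle at if no protection operated.

    While the step fits inside the reserve, droop and load damping share it.
    Beyond that, only load damping is left to absorb the shortfall.
    """
    if step_pu <= grid.reserve * (1.0 + grid.D * grid.R):
        df = -step_pu / (grid.D + 1.0 / grid.R)
    else:
        df = -(step_pu - grid.reserve) / grid.D
    return grid.f0 * (1.0 + df)


def simulate_demand_step(grid, step_pu, duration=60.0, dt=0.01):
    """Euler integration of the swing equation after a sudden demand increase.

    Stops as soon as frequency reaches the under-frequency setting, because
    that is where generators start to disconnect and the model stops applying.
    """
    df = 0.0     # frequency deviation, pu
    pm = 0.0     # extra mechanical power delivered by governors, pu
    nadir = 0.0  # lowest deviation seen so far, pu
    for i in range(int(duration / dt)):
        # Droop asks for -df/R more power, capped by the available reserve.
        target = min(max(-df / grid.R, 0.0), grid.reserve)
        pm += dt * (target - pm) / grid.Tg
        df += dt * (pm - step_pu - grid.D * df) / (2.0 * grid.H)
        nadir = min(nadir, df)
        if grid.f0 * (1.0 + df) <= grid.trip_hz:
            return {"nadir_hz": grid.f0 * (1.0 + df), "tripped": True,
                    "t_trip": (i + 1) * dt}
    return {"nadir_hz": grid.f0 * (1.0 + nadir), "tripped": False,
            "t_trip": None}


if __name__ == "__main__":
    grid = Grid()
    for step in (0.05, 0.30):  # 30 % is the demand increase quoted above
        result = simulate_demand_step(grid, step)
        print(f"step {step:.0%}: RoCoF {initial_rocof(grid, step):+.2f} Hz/s, "
              f"settles at {settling_hz(grid, step):.2f} Hz, {result}")
```

With these assumed values a step that fits inside the reserve is arrested well above the relay setting, while a step three times the reserve reaches it within seconds, which is why reserve margin and rate-of-change monitoring are the operator's levers here.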
  28. Tomi Engdahl says:

    Grid Resilience: Three Key Strategies to Make the Grid Stronger
    https://www.sealevel.com/2018/09/05/grid-resilience-three-key-strategies-to-make-the-grid-stronger/

    Paperback thrillers have used the grid relentlessly: EMPs take it out; enemy governments hack it; a weather disaster topples it or, perhaps the worst outcome, humanity overconsumes it. Grid resilience, the ability of an electrical or general energy grid to withstand threats, has become a monster in the closet.

    Although the grid is more stable than these depictions, grid resilience remains a major, looming concern in utility management. In parts of the United States where the climate can be ferocious, like the hurricane-prone areas of the Gulf and Atlantic coast, the grid’s ability to withstand a weather event is important. Failure spells even longer recovery. Other concerns do include cybersecurity and consumption.

    However, many companies and organizations are working toward making the grid resilient. From at-home IoT monitoring to microgrids with individual command and control, utilities are doing everything they can to ensure their grids remain functional and secure. Below are three innovative solutions to make the grid stronger.

    Aerial Damage Assessment

    One issue with grid infrastructure is access. Substations, lines and other utility units may not be in places that typical crews can access. They may be in fields, forests, among many buildings or simply tangled up in poorly managed neighborhood trees. It’s hard to inspect this infrastructure before storms and twice as hard after major weather events.

    One innovative solution finding success is the adoption of aerial assessment drones. These UAVs are equipped with cameras and other equipment that allow them to function as robotic inspectors.

    Cyber-Defense Planning

    It’s true that the grid has been a target of foreign governments. The threat is not exclusive to the United States: Iran and Ukraine have experienced hacking of energy systems. However, what makes American cyber-defense unique is the ease with which our grid could be secured. It takes two steps: educating employees on cybersecurity protocols and implementing self-healing systems to quarantine threats.

    Self-healing systems are also called distributed feeder automation systems. They are part of the “smart grid” initiative that adds intelligence to the grid to make it more effective. Essentially, these systems identify areas of the network that are down or compromised and isolate them using digital communications tools.

    IoT Gateways for Energy Efficiency

    While IoT solutions abound for at-home energy monitoring, IIoT for the grid is just arriving. Much like the voltage meters and smart home energy tools seen in residences, industrial monitoring systems exist for circuits and substations. These IIoT gateways serve two main purposes: recording voltage for efficiency analysis and sending out commands regarding metering and distribution.

    Smart grid systems also offer the opportunity for increased automation, which frees up costs long-term for utilities to invest in better infrastructure or more cybersecurity.

    Reply
  29. Tomi Engdahl says:

    What would happen if an attack interrupted a country’s power supply?
    https://www.pandasecurity.com/mediacenter/security/attack-power-supply-infrastructures/

    When we think about cyberattacks, we tend to imagine the loss of a large chunk of our data, or not being able to work for several hours. In the case of companies, the risk increases considerably, since they can lose confidential information and face serious cybersecurity problems, as well as problems for the running of their business. But what happens when a cyberattack affects a basic service? What if we’re suddenly left without power?

    That is exactly what the US Department of Energy has set out to determine: in November of this year, it is going to simulate a cyberattack on the electrical grid to analyze the consequences of an event like this that could bring the whole country to a standstill.

    During the drill, the American Government will mainly analyze three factors: firstly, where the attack is coming from and what its intentions are; secondly, how it has affected the supply, and how the service can be brought back; and thirdly, to what point the system can run using just its own internal resources.

    How to curb cyberattacks on critical infrastructure

    Companies and public administrations face great risks for their cybersecurity, and this danger increases even more when we talk about critical infrastructure. To help answer the question of how this kind of problem can be prevented, attacked, or solved, PandaLabs has launched its report, Critical Infrastructure: Cyberattacks on the backbone of today’s economy. It also presents a series of recommendations, such as:

    1.- Detection of weak points. To act preventively, large organizations must protect their corporate cybersecurity by carrying out a complete analysis of their IT systems in order to detect any vulnerabilities or weak points. Not only must these points be protected, but they must also receive greater attention, or be isolated from the rest of the system if it is deemed that there is a high risk of attack.

    2.- Protection of systems. When it comes to protecting different services, organizations must watch out for their security by outlining all possible attack scenarios and reinforcing the points of resistance of each of them even if it is just to slow down the attacker.

    3.- Automatic reaction. Companies not only need to predict the arrival of a cyberattack, but they also need to know how to respond to one if it becomes inevitable. Here, swiftness is key: simple action protocols and rapid (and even automatic) responses must be designed to solve the problem as quickly as possible.

    4.- Alternative channels. If an attack affects a company or a public body, the normal course of action is to turn off the machines until it’s fixed. But what if the attack is on some kind of infrastructure that provides a basic service, such as electricity, that must be restored as soon as possible? In those cases, the organization needs to keep protecting their corporate cybersecurity, as well as having alternatives to restart the supply while they are fixing the underlying problem.

    Reply
  30. Tomi Engdahl says:

    GreyEnergy: New malware campaign targets critical infrastructure companies
    https://www.zdnet.com/article/greyenergy-new-malware-campaign-targets-critical-infrastructure-companies/

    Security researchers warn of cyber-espionage activity by group which has links to some of the most destructive cyber attacks of recent times.

    The hacking group which took down Ukrainian power grids is systematically targeting critical infrastructure in Ukraine and beyond in what security researchers believe could be cyber espionage and reconnaissance ahead of future attacks.

    Dubbed GreyEnergy by researchers at ESET, the group is believed to have been active over the last three years and to be linked to BlackEnergy, the attack group whose actions left 230,000 people in Ukraine without electricity in December 2015.

    Reply
  31. Tomi Engdahl says:

    https://semiengineering.com/week-in-review-iot-security-auto-15/
    Researchers at ESET, a software security firm in Slovakia, said three energy and transport companies in Ukraine and Poland were infected with malware over a period of three years, and that malware could be used to launch devastating cyberattacks, Reuters reports. The malware infections may have originated with Russia’s GRU spy agency, it was said. FireEye says a group known as Sandworm was likely responsible for causing power outages in Ukraine in December of 2015.

    Hackers accused of ties to Russia hit 3 E.European companies – cybersecurity firm
    https://finance.yahoo.com/news/hackers-accused-ties-russia-hit-123749171.html?guccounter=1

    Investigators at ESET said the group responsible for a series of earlier attacks against the Ukrainian energy sector, which used malicious software known as BlackEnergy, had now developed and used a new malware suite called GreyEnergy.

    ESET has helped investigate a series of high-profile cyber attacks on Ukraine in recent years, including those on the Ukrainian energy grid which led to power outages in late 2015.

    Reply
  32. Tomi Engdahl says:

    National Cybersecurity Awareness Month: Critical Infrastructure Cybersecurity
    https://www.us-cert.gov/ncas/current-activity/2018/10/23/National-Cybersecurity-Awareness-Month-Critical-Infrastructure

    October is National Cybersecurity Awareness Month, an annual campaign to raise awareness about cybersecurity. Building resilience in critical infrastructure is crucial to national security. The essential infrastructure systems that support our daily lives—such as electricity, financial institutions, and transportation—must be protected from cyber threats.

    Critical Infrastructure Sectors
    https://www.dhs.gov/critical-infrastructure-sectors

    There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

    Reply
  33. Tomi Engdahl says:

    Information security risks are a talking point at the energy trade fair
    https://www.uusiteknologia.fi/2018/10/22/tietoturvariskit-puhuttavat-energiamessuilla/

    “For example, when a power outage hits, an energy company must find the important information immediately so that the situation can be resolved quickly. We have indeed noticed that many energy-sector companies invest especially heavily in efficient and secure information management,”

    Reply
  34. Tomi Engdahl says:

    GreyEnergy: Updated arsenal of one of the most dangerous threat actors
    https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/

    ESET research reveals a successor to the infamous BlackEnergy APT group targeting critical infrastructure, quite possibly in preparation for damaging attacks

    https://www.hackread.com/greyenergy-malware-hits-energy-sector-with-espionage/

    Reply
  35. Tomi Engdahl says:

    Could home appliances knock down power grids?
    https://www.welivesecurity.com/2018/09/06/madiot-home-appliances-power-grids/
    Far-fetched though it may sound, the answer is yes, according to researchers, who show that electrical grids and smart home appliances could make for a dangerous mix

    Reply
  36. Tomi Engdahl says:

    Disrupting the Flow: Exposed and Vulnerable Water and Energy Infrastructures
    https://blog.trendmicro.com/trendlabs-security-intelligence/disrupting-the-flow-exposed-and-vulnerable-water-and-energy-infrastructures/

    Energy and water are two of the most central critical infrastructures (CIs). Both sectors have undergone necessary changes to reflect the latest in technology and improve how natural resources are harnessed and distributed. At present, these changes are heading toward more interconnected systems, especially through the integration of industrial internet of things (IIoT) technologies. This continuing development in the energy and water sectors has allowed people and businesses to enjoy a more efficient and reliable flow of resources — but it has also made it more difficult to secure each significant system behind the infrastructures. As vulnerabilities in the systems behind CIs increase, specifically for supervisory control and data acquisition (SCADA) human machine interfaces (HMIs), it’s important to look at what risks these critical sectors face.

    Using open source intelligence techniques (OSINT), we were able to get a glimpse of possible problem areas for the energy and water sectors. Using internet scanning (mainly through Shodan) and physical location mapping, we were able to identify a number of exposed and vulnerable HMIs, all of which are from small to medium businesses. What this tells us is how important cybersecurity is for each level of the supply chain as well as for each CI sector.

    Reply
  37. Tomi Engdahl says:

    Hackers obtain nuclear power plant plans in France
    https://www.dw.com/en/hackers-obtain-nuclear-power-plant-plans-in-france/a-46126878

    Hackers have accessed confidential documents about nuclear plants and prisons in a cyberattack on a French firm, media reported. Some of the data was found on a rented server in Germany, according to the reports.

    Thousands of sensitive documents pertaining to nuclear power plants, prisons and tram networks have been stolen from the servers of a French company in a cyberattack, German and French media have reported Friday.

    The data illegally accessed from the French company Ingerop back in June amounted to more than 65 gigabytes, according to reports by German public broadcaster NDR, the daily Süddeutsche Zeitung and French newspaper Le Monde.

    Some of the documents were connected with the Fessenheim nuclear plant

    France’s oldest nuclear plant Fessenheim to close by 2022
    https://www.dw.com/en/frances-oldest-nuclear-plant-fessenheim-to-close-by-2022/a-45762582

    The closure of the nuclear power plant just across the border from Freiburg is no longer conditional on the startup of a new reactor on the Normandy coast. The opening of EDF’s Flamanville 3 plant has been delayed.

    Reply
  38. Tomi Engdahl says:

    Energy Sector’s IT Networks in the Bulls-Eye
    Attackers are actively infiltrating energy organizations and utilities for reconnaissance purposes.
    https://www.darkreading.com/analytics/energy-sectors-it-networks-in-the-bulls-eye/d/d-id/1333201

    Stuxnet and Triton/Trisis may have forever shaken the naive sense of security in ICS/SCADA networks, but attackers meanwhile are quietly hammering away at the IT infrastructure of energy firms and utilities in their quest for valuable intelligence on industrial systems.

    Recent attack activity tracked by security threat monitoring firm Vectra Networks of more than 4 million devices and systems shows that the IT networks in energy and utilities are being hit regularly by attackers intent on blending in as they conduct deep reconnaissance on their ultimate targets: the industrial networks. From January to June of this year, for every 10,000 host systems, nearly 200 remote access hacking attempts were spotted. In addition, some 314 lateral-movement activities were detected for every 10,000 host devices and cloud application operations. Vectra’s data also shows nearly 300 data exfiltration actions per 10,000 host devices and cloud app operations.

    Attackers targeting energy companies and utilities increasingly hit their IT networks with stealth tactics, such as employing legitimate Windows tools, too. Chris Morales, head of security analytics at Vectra, says attackers targeting energy and utility organizations are employing the same techniques against their IT infrastructures as nonutility businesses, including phishing and so-called “living off the land” methods of attack, in which they employ legitimate software tools, such as Microsoft PowerShell and Remote Desktop Protocol (RDP), to infiltrate their victims so that their network activity doesn’t raise red flags.

    “So much happens on [utilities'] IT systems and IT networks,” Morales says. “[Attackers] are using tools already there, like PowerShell, and hooking into Windows servers, and still using phishing to access credentials to get on those IT networks.”

    Reply
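A detection sketch for the "living off the land" pattern described in comment 38 (RDP plus PowerShell on utility IT networks), as an added example that is not from the article or from Vectra. The log lines are constructed and use a simplified key=value layout; the host names, addresses and the jump-host allowlist are assumptions, while event IDs 4624 (logon, type 10 = RemoteInteractive) and 4688 (process creation) are the standard Windows Security ones.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value form (not a real export).
SAMPLE_LOG = r'''
2018-08-01T02:11:05Z host=HIST01 event=4624 user=svc_hist logon_type=10 src=10.20.5.44
2018-08-01T02:14:40Z host=HIST01 event=4688 user=svc_hist image=powershell.exe cmd="powershell.exe -NoP -W Hidden -enc PLACEHOLDER"
2018-08-01T08:00:12Z host=ENG02 event=4624 user=alice logon_type=10 src=10.20.1.10
2018-08-01T08:05:00Z host=ENG02 event=4688 user=alice image=powershell.exe cmd="powershell.exe -File C:\Scripts\report.ps1"
2018-08-01T09:30:00Z host=HIST01 event=4624 user=bob logon_type=3 src=10.20.5.44
'''

APPROVED_RDP_SOURCES = {"10.20.1.10"}        # assumed jump host
CORRELATION_WINDOW = timedelta(minutes=10)   # assumed tuning value
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; values may be quoted."""
    ts, _, rest = line.strip().partition(" ")
    rec = {k: (quoted if quoted else bare)
           for k, quoted, bare in FIELD_RE.findall(rest)}
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def has_encoded_command(cmdline):
    """True if an argument is -EncodedCommand or one of its abbreviations.

    PowerShell accepts prefixes such as -e, -en and -enc, plus the -ec alias,
    so matching only the full parameter name misses most real uses.
    """
    for tok in cmdline.split()[1:]:
        if len(tok) > 1 and tok[0] in "-/":
            name = tok[1:].lower()
            if name == "ec" or "encodedcommand".startswith(name):
                return True
    return False


def detect(lines):
    """Return findings as (rule, host, user) tuples in event-time order."""
    findings = []
    last_rdp = {}  # (host, user) -> time of most recent RDP logon
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda r: r["time"])
    for rec in events:
        key = (rec["host"], rec["user"])
        if rec["event"] == "4624" and rec.get("logon_type") == "10":
            last_rdp[key] = rec["time"]
            # Interactive RDP should only arrive through the jump host.
            if rec.get("src") not in APPROVED_RDP_SOURCES:
                findings.append(("rdp_from_unapproved_source", *key))
        elif (rec["event"] == "4688"
              and rec.get("image", "").lower() in POWERSHELL_IMAGES):
            # 4688 carries a command line only when that audit policy is on.
            if has_encoded_command(rec.get("cmd", "")):
                findings.append(("powershell_encoded_command", *key))
                seen = last_rdp.get(key)
                if seen and rec["time"] - seen <= CORRELATION_WINDOW:
                    # Each signal alone is noisy; the sequence is the alert.
                    findings.append(("rdp_then_encoded_powershell", *key))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The routine RDP session through the jump host and the plain `-File` script run produce no findings, which is the point: the tools are legitimate, so the rules key on source, arguments and sequence rather than on the tool names.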
  39. Tomi Engdahl says:

    THE HAIL MARY PLAN TO RESTART A HACKED US ELECTRIC GRID
    https://www.wired.com/story/black-start-power-grid-darpa-plum-island/

    Standing in the middle of a utility command center, he flinched as a cyberattack tripped the breakers in all seven of the grid’s low voltage substations, plunging the system into darkness. “I heard all the substations trip off and it was just like bam bam bam bam bam bam bam bam,”

    Thankfully, what McHann experienced wasn’t the first-ever blackout caused by a cyberattack in the United States. Instead, it was part of a live, week-long federal research exercise

    blackout conditions and rough weather, but also a group of fellow researchers throwing a steady barrage of cyberattacks their way,

    the exercise, which ran the first week of November, served as a testing scenario for seven DARPA-developed grid recovery tools.

    Researchers built their test grid off of the already isolated power grid on Plum Island

    Over the past few years, the threat of grid hacking has morphed from a distant possibility to a stark reality. The most chilling incidents to date are two cyberattack-induced blackouts in Ukraine

    there is increasing evidence that various hacker groups have infiltrated US grid defenses.

    For actual resilience, the industry needs what cybersecurity practitioners call an “assume breach” mentality: thinking not just about how to keep attackers out, but knowing how to respond if and when they do break in.

    RADICS seeks to develop tools that aid in three phases of black start after a cyberattack.

    Black start recovery, especially after a cyberattack, involves navigating, defending, and configuring generations of technologies.

    Reply
  40. Tomi Engdahl says:

    Preventing physical damage from cyberattacks
    All too often, security vulnerabilities are much closer to home, much simpler, and in some ways more concerning precisely because they can affect our everyday lives.
    https://www.csemag.com/single-article/preventing-physical-damage-from-cyberattacks/829f45838267938a0d3c0e5e6dfaf75b

    Ways to increase system security

    Broadly speaking, defending these systems can be broken down into two categories: external and internal attacks. External attacks will most likely originate from the Internet. For this reason, all Internet connections should be treated as potentially hostile and secured against intrusion. Several options can be explored:

    No connection – while obviously secure, this severely limits the functionality of modern systems, which need to exchange data with a host of other applications or need to be monitored / controlled from remote locations.
    Remote desktop application – this requires a dedicated software package running on a remote computer. While effective, this in turn creates another point of vulnerability at the remote computer itself, which must likewise be protected.
    Virtual Private Network (VPN) Firewall – similar to a remote desktop but with a more secure connection. The remote computer itself still requires protection.
    Dedicated EMCS / SCADA Web Server – rather than connecting an EMCS directly to the Internet, a separate server is placed behind a firewall and access to the server itself is restricted.

    Reply
  41. Tomi Engdahl says:

    Is your marine or power plant’s operating environment cyber secured?
    https://www.maritimemanual.com/is-your-marine-or-power-plants-operating-environment-cyber-secured/

    Cyberattacks pose one of the most significant threats to a company’s information and operation systems. Cyber risks can have significant consequences for the health and safety of operating environments as well as data integrity. Companies also need to follow national or regional standards involving regular audits, often requiring extensive support from an external partner to cover the global operating ground of regulations.

    Creating a comprehensive approach to cyber security helps marine and energy industry service providers safeguard their products and the operating environment – now and in the future.

    Cyber security measures tailored to operational needs

    Wärtsilä’s spectrum of cyber services ranges from risk assessment to technical controls and threat monitoring. Wärtsilä also launched recently the world’s first International Maritime Cyber Centre of Excellence in Singapore, consisting of a Maritime Cyber Emergency Response Team and a cyber academy.

    “We have a 360-degree approach to creating a safe and compliant operating environment for marine and energy companies, all the way from customised risk assessment to a cyber management system with governance,” says Eklund. “Our global knowledge and presence also set us up as a unique advisor on industry standards, an area that is vital for operational safety.”

    Reply
  42. Tomi Engdahl says:

    https://www.wired.com/story/russian-hackers-us-power-grid-attacks/

    Russian Hackers Haven’t Stopped Probing the US Power Grid | WIRED

    Reply
  43. Tomi Engdahl says:

    Water and Energy Sectors Through the Lens of the Cybercriminal Underground
    https://blog.trendmicro.com/trendlabs-security-intelligence/water-and-energy-sectors-through-the-lens-of-the-cybercriminal-underground/

    In our research Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries, we not only found exposed industrial control system (ICS) human machine interfaces (HMIs) but also pointed out how these systems were at risk. This risk is corroborated by the active interest in water and energy ICSs shown by different kinds of cybercriminal groups.

    Critical Infrastructures Exposed and at Risk: Energy and Water Industries
    https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/exposed-and-vulnerable-critical-infrastructure-the-water-energy-industries

    Securing energy and water should remain top priority in the continuing integration of the industrial internet of things in these critical sectors.

    Reply
  44. Tomi Engdahl says:

    How to accidentally shut down a nuclear reactor: it’s as easy as pressing a button, red-faced staff at Ont. plant discover
    https://calgaryherald.com/news/local-news/how-a-nuclear-reactor-got-shut-down-by-accident-in-ontario/wcm/a0c7f56a-6671-4afb-8dcc-2ed7e53a7d89

    If your laptop lets you think twice before it shuts down, should a nuclear reactor not do the same?

    Canadian nuclear safety officials have been dealing with a split-second mistake that shut down a reactor at the Pickering nuclear station east of Toronto.

    There was no radioactive leak, no injury, no damage to equipment. But there were red faces when someone pushed the wrong button, and a machine that can produce half a billion watts of electricity stopped.

    Then, a nuclear operator pushed the wrong button and shut off the computer that was still running. With both computers now down, staff were required to shut down the entire reactor manually.

    The reactor was running again a few hours later.

    Reply
