Perils of Power IV
The landscape of American energy infrastructure is extremely multifaceted and intricate. Volumes far beyond the scope of this work could be written on the smorgasbord of vulnerabilities that are pervasive throughout the energy sector. This section shall provide a concise yet thorough overview of some of the talking points that need to arise to national dialogue, and why these gaping vulnerabilities are worthy of attention concomitant with global security concerns.
Cybersecurity experts are sanguine in agreement on a term that is starting to worry them: “legacy systems”. Legacy systems refer to the broad range of applications and systems in place at an organization that are kept and continuously used, solely because they continue to perform their key functions satisfactorily in normal conditions. The utilization of legacy systems is not unlike a motorist that commutes via an old, rusting car. It is that much more prone to a litany of issues and complications, but perhaps in an effort to curtail costs, the management turns a blind eye and elects instead to worry about failure when it occurs. Legacy systems are often not fitted with adequate, standard-meeting security controls; the presence of which would empower the designated cybersecurity officer(s) to mitigate cyber crises in a clandestine, rehearsed and coherent way. This spirals into a whirlpool of a larger problem: the incongruence of legacy system OT with up-to-speed IT.
According to Avertium, the networks that energy infrastructure writ large is predicated on is usually a heterogeneous mix of old and new. As operational technology’s development predated the IoT status quo of infinite, boundless connectivity, it wasn’t built to be connected to anything. Through this primitive lens, an industrial control system that transmits electricity from point A to B built decades ago cannot be faulted for not being prescient. Prior to 2010, there was little to no convergence of operational technology and informational technology; their fusion is a relatively modern phenomenon. Failure to fully understand this phenomenon is synonymous with failing to understand the correct operational environment when trying to mitigate a cybersecurity crisis.
Figure 9. Diagram Exhibiting the IT - OT convergence.
If a state-of-the-art IT, multi-hundred GigaWatt solar farm with commensurate IoT security control panels is being installed in your home, that level of novelty only stretches so far. To efficiently route the electricity into a cluster of homes or a commercial facility, there must be an endpoint that connects the solar panel farm to an overarching grid, which in turn interconnects to an even larger state or regional transmission operator’s OT. If the latter two grids are merely just getting by, entirely bereft of security controls, then is it futile to even bother with security measures for the solar panel mechanisms? A “mixture of legacy and modern equipment…means that some systems won’t be able to be patched or hardened”. Software and firmware updates don’t retroactively function for operational technology systems that were installed in the 1970s. Providing secure, up-to-par updates for only half your energy apparatus is a moot endeavor when the 25-year-old grid it is connected to is mostly comprised of legacy systems.
The deluge of renewable energy construction as mandated by the state, federal and local level has not done a stellar job of explaining how the aging grids are going to accommodate the perilous centrifuge of legacy systems along with the latest and greatest in technology. In fact, the grid exoskeleton of the United States is in such desolate shape that renewable technology providers are facing mounting hurdles in costs for upgrades to transmission lines. “Many give up. Fewer than one-fifth of solar and wind proposals actually make it through the so-called interconnection queue”. What transpires is an exasperating, overly bureaucratic rulemaking process that results in little tangible action. While informational technology races ahead, the obstinate nature of operational technology operators’ renders it a wicked problem. Executives and legislators are caught in the somewhat understandable quagmire of not wanting to take a vital artery out of commission, and there is a fundamental obligation to evade that which incurs substantial cost. But they must be of the perception that outdated operational technology infrastructure is superabundant with vulnerabilities that a.) provide fertile ground for a malicious actor to launch a cyber disruption or attack and b.) cause hindrances for the very same renewable technology they demagogically champion. Cyber adversaries will persistently target aging OT infrastructure if they know little action is being taken to update them. Energy infrastructure administrators can’t be peeved to initiate a holistic revamp of the entire system, as that would mean shutting down entirely and invoking ire from their commercial and private consumers. Furthermore, upgrading an entire OT system can cost a substantial amount, one “major U.S. regional utility” quoted an “overall programmatic update at over $100 million”.
Energy infrastructure’s decentralized supply and value chains are also key macro-vulnerabilities to magnify within the prism of cybersecurity. As national, federal and state energy supply chain processes have become more digitized, they have also heightened their vulnerability to “risk in digital components”.
Since the utility, energy provider supply chain is so intricate, malicious actors have several low-barrier entry points at the informational technology or the operational technology level. At a birds-eye recognition, a quintessential energy plant’s supply chain consists of the firmware; which represents the “read-only memory” for low-level control, i.e. any component of the software that has a memory capacity to allow the hardware to work in tandem with its software compatibilities, the software; the applications that run supported by the firmware; the virtual platform; which ties together the applications, and the data itself – the building blocks of the inputs and outputs for the software. Each of these components operate in harmony to maintain resilience, but should one of them be targeted, chaos can ensue. As these systems – even the informational technology ones – were designed to be centralized in the latter part of the 20th century when cyber was nothing more than the erstwhile “consensual hallucination” ruminated upon by William Gibson, no care was taken to account for the possibility that if one supply chain component is disrupted, the rest can’t operate successfully.
CISA’s report on Cyber-Physical Security Considerations states that “a single compromised manufacturer or poorly secured” component could compromise utility systems. Moreover, specific issues in the supply chain require specific issues: malignant actors could prey upon the suppliers of “key operational” components to preclude a swift return to operationality. In official governmental testimony delivered to the U.S. Congress, renowned cybersecurity firm Dragos identified a malware capability nicknamed PIPEDREAM that was developed by a “capable strategic state adversary”. PIPEDREAM yielded the ability to permeate the industrial control system, a core tenet of operational technology, and distort various elements of an energy producer’s supply chain orthodoxy, ranging from the temperature maintenance at the generation level all the way to transmission equipment for commercial or personal use. It is also evident that energy manufacturers take an additive approach to the supply chain in lieu of a reductive one.
Energy infrastructure operators are so driven by growth that they construe their energy supply chain as a series of analytic-reduction segments as opposed to perceiving it in a holistic system-manner. To preclude a disabling of the energy supply chain, energy administrators need to “clear out” subcategories of their supply chain. As part of NIST’s “U.S. Resilience Project” report, a key step to securing the supply chain is to diminish the units in it altogether and sublimate it to its core. This entails getting rid of “unnecessary system services, programs, and capabilities…guest accounts and ensuring that passwords and authentication are sufficiently complex”.
Furthemore, these supply chains do not consist of proprietary materials and components. Utilities and energy companies alike need to demand “vendor self-disclosure” from the copious third-party providers and ensure that they are cyber-compliant with the best accreditation standards and practices possible. In doing so, designated cybersecurity teams at energy companies can be a harbinger for a dialogue of honesty and transparency. It is of paramount importance that third-party vendors “stay current on emerging vulnerabilities” – these businesses that sell millions of dollars worth of equipment to energy providers should view mastery of supply chain security controls as a competitive advantage; a means through which more clients can be obtained. Supply chain managers must take it upon themselves to embrace a level of alert skepticism when vetting third-party vendors, as the latter’s heedlessness could result in devastating consequences. Third-party produced chain components combined with a patchwork of informational technology entry points render the supply chain a heavily intertwined, and therefore centripetally vulnerable, facet of energy infrastructure.
A fitting segue from the broader supply chain discussion is to magnify the issue of decentralization and a U.S. energy company’s “attack surface”.
In antiquated times, the antecedents of cybersecurity professionals would praise a practice known as “air-gapping”. Air-gapping in its most conventional sense simply refers to the notion of physically separating or isolating digital assets in a remote location. Thus, the logic was the existence of a back-up in a separate environment allays concerns about a central set of infrastructure being damaged. As technological breakthroughs evolved, more nuanced types of increasingly digital air-gaps became prevalent, and conjecturally air-gapping was practiced because it is a relatively easy action to execute. Storing a backup of a master system in a second location sounded like an expedient practice.
However, a consensus of experts find that the sophistication and pernicious nature of today’s OT-targeting cyber disruptions render air-gapping a somewhat useless practice. Prior to the IT/OT convergence displayed in Figure 7, physical air-gaps were effective because they had no network addendums and were not digital beings. But in today’s aeon of hyperconnectivity, championing this type of decentralization can backfire and actually increase a cyber adversary’s “attack surface” – the area of an organization that is susceptible to being hacked. Energy companies are uniquely vulnerable to breaches with devastating consequences because of their attack surface. Unlike parochial schools, hospitals, police stations and other municipality or region-specific amenities of modern society, energy companies’ services are predicated on being far-reaching. The vast majority of utility companies provide electricity, heat and or gas for millions of people in several states; companies like Liberty Utilities even supply services to both regions of the U.S. and Canada. An average top-25 U.S. power company will operate over 121 plants and 94,000 miles of distribution, and that doesn’t even begin to discuss the hundreds of digital components and IT/OT pieces necessary for transmission to be received by commercial and personal consumers. As a result, the “attack surface” for an energy company is more decentralized and therefore more attractive for a threat actor to go after.
Justin Gerdes of Energy Monitor fittingly described this issue as a “Catch-22”: decentralization has its benefits, and with blockchain technology – the very same specialized ecosystem that permitted the FBI to recoup the Colonial ransom – coming to the forefront, the act of decentralizing shows no signs of halting. But everytime a new battery storage monitor, thermostat, or electric vehicle charging station is erected, another node is produced. The greater the number of nodes, the greater the amount of connectivity to the originating energy company = the greater the attack surface. This is concerning to the utmost degree as this is almost unique to the energy industry. “The digitalization wave in the oil and gas industry is creating new access points in industrial networks for hackers to exploit”, warn GlobalData.
The final macro-vulnerability of the energy industry is simply to do with its role as a key component of critical infrastructure. Energy infrastructure in the U.S. falls within the inextricable liminal space of both the public and private sectors. This signifies that an American energy company is a two-pronged target for cyber criminals: an attack can a.) be interpreted as an affront to American quotidian life, especially because the energy sector is one that all the other 15 critical infrastructure sectors rely on to varying degrees, including those pertinent to the financial and economic health of the nation.
At a time when Russia’s military invasion of Ukraine has incited debates and conversations about the delicate balance of the geopolitics of energy. Russia has leveraged its cyber offensive capabilities to jam signals, intercept communications, and destroy satellite receptors providing integral information against their Ukrainian belligerents. While Russia – much to the surprise of experts including current CISA head Jen Easterly – has not launched a full-scale cyber attack on Ukrainian infrastructure, Ukraine’s Computer Emergency Response Team (CERT) has found that Russia has attempted to launch “destructive actions” argeting commercial organizations for both the purposes of destabilization and financial gain.
The people of Ukraine are no stranger to Russian cyber-aggression; dozens of malware disruptions on Ukrainian critical infrastructure have been traced to its pugnacious neighbor. In 2015, Russia was culpable for several power outages impacting over 225,000 Ukrainians – it became evident that a form of malware was the culprit. The malware, later nicknamed BlackEnergy, was a Distributed Denial-of-Service (DDoS) disruption. DDoS’s overwhelm a server with an uncontrollable “flood” of internet traffic in an attempt to overwhelm, and eventually crash, a network, therefore rendering it fruitless for its native users. The BlackEnergy malware had infected supervisory control and data acquisition (SCADA) systems as well as industrial control ones; it had been disguised through ostensible Microsoft Word and PowerPoint files. According to TrendMicro, these attachments were fabricated to appear as if they had originated from Ukrainian lawmakers. The BlackEnergy malware exposed just how vulnerable and brittle the Ukrainian grid was, and how a nation-actor like Russia could utilize cyber as an instrument to accomplish its then-mission of annexing the Crimea region. While the world’s media did not give this action the commensurate attention it deserved at the time, this incident remains infamous in the chronology of energy-cybersecurity watershed moments.
In January of this year a Slovakian cybersecurity firm certified reports that a Russian state-sponsored group known as “Sandworm '' had launched a mass-deletion wiper form of malware onto a leading Ukrainian energy company’s networks. According to a few accounts, Sandworm in some incarnation had also been responsible for the aforementioned 2015 Ukraine grid offensive.
The concern surrounding the bellicose posture of Russia is further exacerbated by nefarious non-state or state-sponsored malware groups that operate from China, North Korea, Iran and scattered segments of Eastern Europe.
Last month, the U.S. Senate Energy and Natural Resources Committee had a special convening to discuss the mounting threats originating from the aforementioned sovereignties. This meeting occurred shortly after the publication of the 2023 Annual Threat Assessment Report, compiled by the Office of the Director of National Intelligence. The report outlines China as the broadest “and most active cyber threat to the U.S. government and private sector networks”, while the saber-rattling Russia was regarded as “the top cyber threat specifically targeting critical infrastructure”. The Report alarmingly disclosed to the public for the first time that “Russian-connected hackers” attempted to take “almost a dozen” American power plants and natural gas sites offline at the outset of the Russian invasion in February of 2022.
The above vulnerabilities are extremely multitudinous; beyond that they require coherent frameworks and mastery of cyberspace to properly vanquish in a world wherein cyber weaponry is frighteningly becoming more menacing by the second. The upcoming section prescribes consolidated solutions on what the public and private sectors must espouse now to prepare.