BreachExchange mailing list archives
Sophisticated hackers target the electric industry
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 2 Feb 2015 19:05:21 -0700
http://www.washingtonexaminer.com/sophisticated-hackers-target-the-electric-industry/article/2559540

The electric utility sector has vastly improved its cybersecurity as it moves toward a modern electric grid, but the growing sophistication of attackers will challenge the industry.

Headline-grabbing stories about cyberattacks at Sony, allegedly by North Korea, and U.S. Central Command, allegedly by the Islamic State of Iraq and Syria, have galvanized Congress to tighten cybersecurity through legislation.

But turf wars between the intelligence community that wants to keep certain materials classified and the critical networks that want more information about threats, as well as privacy concerns, have thwarted previous congressional efforts, and may do the same again under the new GOP-led legislature.

That's why the electric utility industry isn't waiting. Utilities have strengthened their coordination on threats to their networks, giving companies a better understanding of malicious activity coming their way.

And there's a lot of it. The energy sector was the target of 40 percent of cyber attacks in 2013, according to the Department of Homeland Security. Security analysts say the attacks are largely from sophisticated, well-heeled nation-states looking to inflict damage.

U.S. officials also have warned the electric grid is susceptible to attacks from nation-states. National Security Agency Director Adm. Michael Rogers said in November that China and at least one other country can already cause harm.

A December cyberattack that caused physical damage at a German steel mill also has alarmed the industry, as electric utilities share many of the same elements — namely, computer systems that control physical components.

"There's been a very significant focus on protecting critical infrastructure that has continued to evolve as the threat has evolved," said Scott Aaronson, senior director of national security policy with electric utility industry group the Edison Electric Institute. "There's been a pretty significant and impressive change in the way the industry protects itself and matured in the way it talks about the issue."

That's a marked difference from conversations four years ago, when electric utilities were beginning to install the kits they bought with $3.4 billion in federal stimulus grants for "smart grid" technology.

The devices that utilities added opened them up to attacks for the first time by transitioning from closed, proprietary systems to Internet networks that enabled better monitoring and faster transmission of real-time energy usage data.

The learning curve was steep. Few senior executives had any cybersecurity literacy. Utilities, most of which must seek approval from regulators to raise electricity rates to finance spending, were reluctant to invest in information technology personnel, training or software to defend their systems. Many were reluctant to share information about what was happening to their systems.

The Obama administration is preparing to promote further implementation of smart grid technology when the Energy Department rolls out its first "quantitative energy review," which is assessing the nation's infrastructure. Gib Sorebo, chief cybersecurity technologist at Leidos, said he thinks cybersecurity will be an element of that plan.

Sorebo said the electric utility culture has changed "to a wide degree" on cybersecurity, though many are still reluctant to make significant investments needed to defend against more serious threats. Sorebo said hackers likely backed by nation-states have performed "reconnaissance" work that could be used to learn more about a utility to inform a later attack.

Sorebo and others credited the improvement to Obama administration efforts to develop cybersecurity frameworks that utilities could implement as well as a 2013 executive order by President Obama that set up a voluntary information-sharing system.

Regulations such as the standards programs from the industry-backed North American Electric Reliability Corporation also have helped, as Sorebo estimated that meeting the standards drives half of utility cybersecurity spending.

Major publicized breaches like the Sony and the Centcom incidents have only increased urgency.

Electric utilities point to those incidents as reason for federal legislation that seeks to improve the flow of threat information between the federal government and the private sector. Sanitize it, strip it of identifying data, whatever is needed — just give them the necessary information to defend systems.

"The big ask remains information sharing. The responsibility to protect critical infrastructure is one that's shared," said Aaronson, who also works with the Electric Sector Coordinating Council, a group of utility CEOs who focus on cybersecurity issues. "Without the intelligence-gathering capabilities and law enforcement responsibility of our federal government, we're only getting part of the story."

Loosening control of that information will run into familiar roadblocks. Federal officials have been worried about needing to release too much sensitive information, and civil liberties groups contend electric utilities and other infrastructure networks might be forced to hand over personal information to the government without consent.

"When you grow up in the intelligence community, your whole life is built up around protecting this kind of information," said Mark Weatherford, a former deputy undersecretary of cybersecurity at the Department of Homeland Security who is now principal at the Chertoff Group consulting firm. "It's going to take a while to change the culture, to break down those barriers," Weatherford said.

While Weatherford said that easing access to that information is the "quickest, easiest" thing the government could do, Sorebo cautioned that it's not going to solve all of utilities' concerns.

"It's sort of viewed as the panacea that all I need is better threat information. But the reality is it doesn't really help all that much," Sorebo said. "They're going to be surprised to a certain extent to see what's there."