BreachExchange mailing list archives

Sophisticated hackers target the electric industry


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 2 Feb 2015 19:05:21 -0700

http://www.washingtonexaminer.com/sophisticated-hackers-target-the-electric-industry/article/2559540

The electric utility sector has vastly improved its cybersecurity as it
moves toward a modern electric grid, but the growing sophistication of
attackers will challenge the industry.

Headline-grabbing stories about cyberattacks at Sony, allegedly by North
Korea, and U.S. Central Command, allegedly by the Islamic State of Iraq and
Syria, have galvanized Congress to tighten cybersecurity through
legislation. But turf wars between the intelligence community that wants to
keep certain materials classified and the critical networks that want more
information about threats, as well as privacy concerns, have thwarted
previous congressional efforts, and may do the same again under the new
GOP-led legislature.

That's why the electric utility industry isn't waiting. Utilities have
strengthened their coordination on threats to their networks, giving
companies a better understanding of malicious activity coming their way.

And there's a lot of it.

The energy sector was the target of 40 percent of cyber attacks in 2013,
according to the Department of Homeland Security. Security analysts say the
attacks are largely from sophisticated, well-heeled nation-states looking
to inflict damage.

U.S. officials also have warned the electric grid is susceptible to attacks
from nation-states. National Security Agency Director Adm. Michael Rogers
said in November that China and at least one other country can already
cause harm. A December cyberattack that caused physical damage at a German
steel mill also has alarmed the industry, as electric utilities share many
of the same elements — namely, computer systems that control physical
components.

"There's been a very significant focus on protecting critical
infrastructure that has continued to evolve as the threat has evolved,"
said Scott Aaronson, senior director of national security policy with
electric utility industry group the Edison Electric Institute. "There's
been a pretty significant and impressive change in the way the industry
protects itself and matured in the way it talks about the issue."

That's a marked difference from conversations four years ago, when electric
utilities were beginning to install the kits they bought with $3.4 billion
in federal stimulus grants for "smart grid" technology. The devices that
utilities added opened them up to attacks for the first time by
transitioning from closed, proprietary systems to Internet networks that
enabled better monitoring and faster transmission of real-time energy usage
data.

The learning curve was steep. Few senior executives had any cybersecurity
literacy. Utilities, most of which must seek approval from regulators to
raise electricity rates to finance spending, were reluctant to invest in
information technology personnel, training or software to defend their
systems. Many were reluctant to share information about what was happening
to their systems.

The Obama administration is preparing to promote further implementation of
smart grid technology when the Energy Department rolls out its first
"quantitative energy review," which is assessing the nation's
infrastructure. Gib Sorebo, chief cybersecurity technologist at Leidos,
said he thinks cybersecurity will be an element of that plan.

Sorebo said the electric utility culture has changed "to a wide degree" on
cybersecurity, though many are still reluctant to make significant
investments needed to defend against more serious threats. Sorebo said
hackers likely backed by nation-states have performed "reconnaissance" work
that could be used to learn more about a utility to inform a later attack.

Sorebo and others credited the improvement to Obama administration efforts
to develop cybersecurity frameworks that utilities could implement as well
as a 2013 executive order by President Obama that set up a voluntary
information-sharing system. Regulations such as the standards programs from
the industry-backed North American Electric Reliability Corporation also
have helped, as Sorebo estimated that meeting the standards drives half of
utility cybersecurity spending.

Major publicized breaches like the Sony and the Centcom incidents have only
increased urgency.

Electric utilities point to those incidents as reason for federal
legislation that seeks to improve the flow of threat information between
the federal government and the private sector. Sanitize it, strip it of
identifying data, whatever is needed — just give them the necessary
information to defend systems.

"The big ask remains information sharing. The responsibility to protect
critical infrastructure is one that's shared," said Aaronson, who also
works with the Electric Sector Coordinating Council, a group of utility
CEOs who focus on cybersecurity issues. "Without the intelligence-gathering
capabilities and law enforcement responsibility of our federal government,
we're only getting part of the story."

Loosening control of that information will run into familiar roadblocks.
Federal officials have been worried about needing to release too much
sensitive information, and civil liberties groups contend electric
utilities and other infrastructure networks might be forced to hand over
personal information to the government without consent.

"When you grow up in the intelligence community, your whole life is built
up around protecting this kind of information," said Mark Weatherford, a
former deputy undersecretary of cybersecurity at the Department of Homeland
Security who is now principal at the Chertoff Group consulting firm.

"It's going to take a while to change the culture, to break down those
barriers," Weatherford said.

While Weatherford said that easing access to that information is the
"quickest, easiest" thing the government could do, Sorebo cautioned that
it's not going to solve all of utilities' concerns.

"It's sort of viewed as the panacea that all I need is better threat
information. But the reality is it doesn't really help all that much,"
Sorebo said. "They're going to be surprised to a certain extent to see
what's there."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
