Washington — Every day the energy sector faces a barrage of cyber attacks, and just about once a day an attack is novel, something the industry has not seen before but must defend against.
Receive daily email alerts, subscriber notes & personalize your experience.Register Now
Whether hackers are hoping for financial gain or to disrupt the grid, utilities, pipeline companies and federal agencies have no choice but to prepare.
"The problem is there are an infinite number of ways that you can create malware, that you can attempt intrusions," John Bryk, a cyber and physical threat intelligence analyst with the Downstream Natural Gas-Information Sharing and Analysis Center, said in a recent interview. "There's always going to be something new."
The center, launched by natural gas utilities in 2014 to help them prepare for and better understand threats, aggregates cyber risk data to spot trends and communicate back to companies.
Cyber attacks that could cause physical damage are becoming more common. Although an attack is unlikely to bring down the entire grid, the risks have caused some sleepless nights for energy executives.
"The implications of something going wrong is no longer loss of property, it's loss of life," Jed Young, chief information security officer at refining giant Andeavor, recently told a Houston conference.
One of the biggest power and natural gas companies in the world, Dominion Energy, is facing more unique threats than ever before, and its director of information technology risk management said the attacks have escalated most intensely within the past 18 months.
"It's really gotten our attention on what are our levels of defense," Dominion's Tom Arruda said. "How do we protect at each level? And how do we ensure that, if anything were to happen, it would be limited in the scope of what it can do?"
RUSSIA, CHINA, IRAN AND NORTH KOREA POSE GREATEST CYBER THREATS
There are two kinds of digital utility systems that can come under attack: information technology and operation technology. The IT side includes digital communication, data and other material that is connected to the internet in some capacity. Under the OT umbrella reside the systems that manage the movement of electrons through the grid and molecules through pipelines.
Attacks on these two kinds of systems generally are carried out by distinct actors with different motivations, according to Kimberly Denbow, American Gas Association senior director of security, operations and engineering services.
Entities seeking to steal data or to hold companies ransom typically target the IT side of the business, while OT systems are more often targeted by nation states trying to gather information, possibly with the goal of penetrating and controlling the infrastructure, Denbow said. Sam Ellis, Southwest Power Pool director of cybersecurity, offered that those targeting critical energy infrastructure are "just a small piece of the pie."
Attacks on the power grid are "very rare," he said, as most hackers "are usually in it for some kind of financial motive." A recent trend, for instance, has been to breach networks, not to damage them but to gain computing power to mine cryptocurrency for cash or to fund other endeavors, Ellis said.
Still, Russia, China, Iran and North Korea pose the greatest cyber threats to the US as they work to use hacking operations to achieve strategic objectives, Dan Coats, US director of national intelligence, told Congress in testimony on the intelligence community's 2018 assessment of threats to US national security.
For the energy sector, cyber threats range from the "real possibility" of a wide-scale blackout or damage to critical equipment to disruptions of billing processes and loss of customer data, according to Neil Chatterjee, a commissioner at the US Federal Energy Regulatory Commission.
"Regardless of the original motive, when an adversary successfully breaches a corporate network and gains persistent access, that adversary has the capability to steal intellectual property and may even be able to take over systems, potentially causing the disruption or destruction of processes," Chatterjee said.
Despite the frequency of attacks, breaches have remained relatively uncommon, especially on the operational side, and multiple industry observers indicated that the nightmare scenarios of tech-savvy villains bringing down a swath of the grid in one fell swoop are unlikely.
"When it comes to the ability to impact the electric grid, I think people fall into the movie script scenarios a little bit too easily," Scott Aaronson, vice president of security and preparedness at the Edison Electric Institute, said.
NO SINGLE POINT OF FAILURE
Aaronson said he was once asked during a hearing at the Michigan state senate whether the plot of the 2007 "Die Hard" film -- which featured a prolonged blackout after a single main power hub was taken out -- was a plausible scenario. The answer was no.
"There is not one computer that operates all of the nation's critical infrastructure. We are not three keystrokes away from a months-long blackout," he said. "In order to execute an attack that had long-lasting impact, you would have to do it in a lot of different places with effectively bespoke malware in each of those places."
He added that there is no single point of failure in the energy grid, or even 12 points of failure. "It would have to be a much bigger and more sophisticated attack, and even still we've got the capacity to respond and recover."
Similarly, gas operations include more pneumatic and mechanical controls, which are built in for redundancy but also allow the system to be operated in the event that the supervisory control and data acquisition, or SCADA, system goes down and are generally designed to respond to changes in system pressures to prevent over-pressurization, Interstate Natural Gas Association of America Security Director Rebecca Massello noted.
"We still can operate gas systems manually. We're constantly teased because we're 'behind the times,' but this is one of those times when it's kind of good to not be on that leading edge," AGA's Denbow said. "We have the technology and everything, but we also have the manual backups."
One of the most well-publicized cyber breaches in the US energy sector occurred in spring 2018. The breach required pipeline operators to override gas dispatching processes that would have otherwise afforded greater automation, but the attack did not prevent the gas from being delivered.
Sometimes hackers targeting energy operations do make it through the barrier. The grid-attacking malware known as CrashOverride left parts of Kiev, Ukraine, without power for about an hour in December 2016. CrashOverride was designed to target industrial control systems.
Some US-based operators and industry observers said that the conditions in Ukraine are different enough from those in the US that domestic utilities do not believe the breach is indicative of a rising threat. Many of the "basic controls" that are common among US energy systems could help protect against what happened in Ukraine, INGAA spokeswoman Cathy Landry said.
"While we may have people that are knocking on our exterior wall ... there's such a well-defined separation between those perimeter-type systems and the systems that control the grid," Barbara Sugg, vice president of IT and chief security officer at SPP, said. "So just having somebody's name and password isn't going to get [a hacker] very far," given the multiple layers of defense in depth and authentication present on the bulk electric system.
Still, that the attackers were able to manipulate a SCADA system and shut off power for any amount of time got the industry's attention.
Ben Read, senior manager of cyber espionage analysis at cybersecurity company FireEye, said that a wider array of attackers have come after industrial control systems, or ICS, in recent years.
"We've seen an increasing number of groups demonstrate capability in dealing with ICS networks," Read said. "I can't say if the overall frequency has increased, but we've seen a proliferation of it."
--Jasmin Melvin, firstname.lastname@example.org
--Sarah Smith, S&P Global Market Intelligence, email@example.com
--Edited by Rocco Canonica, firstname.lastname@example.org
This is the first feature in a three-part series on cyber security in the energy industry. Read Part 2 here: With cyberattacks inevitable, energy sector focuses on response, and Part 3 here: 'Cyber hygiene': Reducing human error key part of fight against digital attacks