Washington — Cyberattacks on US energy systems have become unavoidable, and enough have been successful that the sector and its regulators are increasingly focused on mitigation, response and recovery.
Within the past six months, news has surfaced that hackers breached an industrial control system at a US power plant, infiltrated a third-party data system used for scheduling gas flows on pipelines, and broke into email accounts at the US Federal Energy Regulatory Commission. To date, no major impacts have been reported, but the energy industry is confronting the risks.
Preparation is similar in some ways to how utilities respond to a natural disaster: preparing for an event, communicating throughout the storm, deploying assets to recover and relying on mutual assistance within the industry.
"Mutual assistance is something that's normal when you have weather-related outages but not necessarily the norm in cybersecurity," according to Gladys Brown, who chairs the National Association of Regulatory Utility Commissioners' committee on critical infrastructure. "Over the last 18 months, they've been doing more and more of that."
One key difference is that storm damage is more predictable than the effects of a cyberattack, so mutual assistance in the case of a cyber incident has to be up and running with far less notice.
The April attack on the third-party systems also highlighted the vulnerability that energy companies expose themselves to when they inevitably engage an outside entity to manage some part of their business.
Jim Linn, a cyber expert affiliated with the American Gas Association, compared the incident to a hack into retail chain Target's systems in 2013 that resulted in customer data being stolen.
Linn is the executive director at the Downstream Natural Gas-Information Sharing and Analysis Center, the DNG-ISAC. It coordinates sharing of cyber threat information. To limit cyber threat entry points, DNG-ISAC members have been developing procurement guidelines for safely choosing third parties and incorporating government recommendations, according to Linn.
"We're still wrestling through that, having the right agreements in place, having the right protections in place," he said.
Source: S&P Global Platts Market Intelligence
COMMUNICATION IS KEY
Communicating across the industry about threats and protection protocols has proved central to strategy.
The US Department of Homeland Security on Monday announced that Russian government-backed hackers gained access to US electric utilities' industrial control systems during a cyberattack campaign that spanned 2016 through 2017.
The Wall Street Journal in a July 23 article said DHS officials indicated that the campaign, which is likely still ongoing, had attacked "hundreds of victims" and could have caused grid blackouts.
A DHS spokeswoman later said, however, that the hackers only breached an industrial control system on "a very small generation asset" that could have been isolated from the rest of the grid.
"Would-be cyber attackers are savvy, imaginative and determined. They never stop trying to think of ways to penetrate our systems. That means we have to be knowledgeable about the latest methods and remain vigilant," Consolidated Edison spokesman Alan Drury said.
To maintain that awareness of new threat information, ConEd is in regular contact with regulators and the federal government.
Both the power and gas industries have worked to be able to operate in degraded states without digital overlay, experts said. Scott Aaronson, vice president of security and preparedness at the Edison Electric Institute, highlighted spare equipment programs with the logistics to deliver parts throughout North America, redundancies in the system and the "nature of the grid to be re-engineered in real time if necessary" as ways his sector can limit the impacts of cyberattacks.
"The threat actor has now spent a lot of time and resources attacking a system, and the attack is not likely to be as successful as it would be but for some of the mitigating activities that the industry is undertaking," Aaronson said of this deterrence method.
Aaronson noted also that the US government's willingness in 2018 to point to Russian threat actors as the culprits behind certain attacks and to impose sanctions is emblematic of another central defense component: consequences for hackers.
SANCTIONS ON ATTACKERS
That the government can impose consequences on attackers "really highlights the value of the industry-government partnership in not just helping us to better prepare and protect our systems, but also to have a response to our adversaries that shows that we as a nation, both public and private sector, are in lockstep," Aaronson said.
When Dominion Energy's cyber team discovers a vulnerability or hears of a cyber incident, the group's first step is figuring out whether the threat is one the company and its infrastructure are exposed to, according to Tom Arruda, director of information technology risk management.
"[We] prove that to each other through a series of challenges -- challenging questions about what we're hearing, what we know the attack vector has been, what we know our defensive controls are -- to ensure that we don't have any immediate action that needs to be taken," Arruda said.
The sector has come to accept that prevention alone is not an option, according to Aaronson. Trying to stop the threat of cyber attackers is equivalent to "trying to stop the waves from crashing into the shore -- you can't do it," he said.
-- Jasmin Melvin, email@example.com
-- Sarah Smith, S&P Global Market Intelligence, firstname.lastname@example.org
-- Edited by Gail Roberts, email@example.com
This is the second feature in a three-part series on cyber security in the energy space. Read Part 1 here: Energy industry faces unprecedented cyber threats almost daily, and Part 3 here: 'Cyber hygiene': Reducing human error key part of fight against digital attacks