Cyber Counter-Attack

About 3:30 in the afternoon last December 23, operators at three electric utilities halfway around the world in western Ukraine found themselves not to be solely in control of their computer terminals. Someone from outside the utilities had taken over the controls and started opening circuit breakers at more than 27 substations, cutting power to more than 200,000 customers. Thousands of fake calls clogged utility switchboards, preventing people from phoning in to get information about the outage. Utility workers switched to manual operations, and it took three hours to restore power.

That’s not a movie plot. And if you missed or forgot about that news report from last year, people who run electric utilities have not. Attention to cyber security at electric utilities has been growing fast in the past few years, and the Ukraine attack pushed that trend into overdrive.

“It’s garnered a lot of attention from the federal government and throughout the industry,” says Barry Lawson, Associate Director of Power Delivery and Reliability for the National Rural Electric Cooperative Association (NRECA).

A big part of Lawson’s job is helping the nearly 1,000 electric co-ops in the country understand digital-age dangers, and ensuring that they know how to protect and secure the power supply, electric grid, and co-op members and employees from internet mischief.

In North Carolina, electric cooperatives are taking a proactive approach to cyber security, building out principles and processes to be ready should a greater cyber threat emerge. And those security precautions go well beyond the IT department.

“There’s a fundamental shift in the way we’re approaching cyber security across the state,” said Ajaz Sadiq, vice president, CTO and CSO for North Carolina’s Electric Cooperatives. “Rather than see it as a checklist of protocols for IT to manage, we’re making it a part of our whole culture. Each employee at the co-op is aware of the risks, how to spot them and how to stop them. This is similar to how North Carolina’s electric cooperatives have benefited from a culture of safety — with safety being a priority from the top of the organization on down.”

While the Ukraine cyber attack has been studied in-depth by U.S. utilities and the Federal Department of Homeland Security, most analysts see a large-scale attack by hackers as unlikely to succeed in this country. The reports characterize the Ukraine attack as extremely well planned and coordinated, but not technically sophisticated.

The Ukraine incident actually started as early as March of last year, when utility workers received e-mails with Microsoft Office documents, such as an Excel spreadsheet, from the Ukrainian parliament. But the emails were not from the Ukrainian parliament. When workers followed the email instructions asking them to click on a link to “enable macros,” malicious malware embedded in the documents ­— called BlackEnergy 3 — secretly infected the system.  Among other capabilities, BlackEnergy 3 can enable an adversary to observe and copy all the keystrokes made on the infected computers, giving hackers passwords and other login information needed to access the utility’s operations control systems.

Defenses against that kind of attack are pretty basic, and you’ve probably even heard the warnings yourself — don’t click on any links or attachments unless you were expecting the message to be sent to you. For cyber threats like this, where employees are targeted as the “weak links” in the security chain, it makes a culture of cyber security all the more critical.

New cyber security standards require upgraded levels of training for utility operators, multiple layers of security to shield operational and control systems from the internet and even stricter procedures for visitor access (physical and electronic) to control rooms.

Electric cooperatives have participated in the North American Electric Reliability Corporation (NERC) standards development process, which has made the electric utility industry one of the nation’s only industries to have mandatory enforceable cyber security standards. Failing to comply with these standards can result in fines of up to $1 million per day, per violation.

Electric cooperatives in North Carolina and across the country are increasing their efforts to enhance and formalize their security plans, processes and controls. For example, NRECA has worked with the Department of Energy to develop software called Essence, which constantly monitors a utility’s system for even a microsecond of irregularity that might indicate some kind of hacking attempt or malware is interfering with the system.

With all that attention to keeping the electricity flowing, Lawson says there’s another major cyber-threat receiving high-priority attention from electric co-ops — protecting data and critical utility information to avoid identity theft of members’ information. He says some co-ops hire firms to periodically try to hack into their computer systems, so the co-op can identify and fix the holes in their security.

Lawson describes a scary world of cyber terrorists, organized crime, issue-oriented groups or just kids in their basement seeing what kind of trouble they can cause on the internet. At the same time, he compares those high-tech threats to risks posed by hurricanes or the everyday need for paying attention to safety at the electric cooperative.

Co-ops regularly use risk assessment and management practices to balance a wide range of threats to their systems.

“Physical security and cyber security are becoming just another cost of doing business,” says Lawson. “You’ll never be 100 percent secure, and all you can do is try your best to keep up with the bad guys. It’s a fact of life in these days and times we’re living in.”