The U.S. Government has announced a surprising move to secure power grids by using “retro” technologies. It comes after numerous attempts by foreign actors to launch cyberattacks on so-called critical national infrastructure (CNI).
Nations have been trying to secure the industrial control systems that power CNI for years. The challenge lies in the fact that these systems were not built with security in mind, because they were not originally meant to be connected to the internet.
It is with this in mind that the U.S. has responded with a new strategy: rather than bringing in new technology and skills, it will use analog and manual technology to isolate the grid’s most important control systems. This, the government says, will limit the reach of a catastrophic outage.
“This approach seeks to thwart even the most sophisticated cyber-adversaries who, if they are intent on accessing the grid, would have to actually physically touch the equipment, thereby making cyberattacks much more difficult,” said a press release as the Securing Energy Infrastructure Act (SEIA), passed the Senate floor.
When introducing the bill in 2016, U.S. Senators Angus King (I-Maine) and Jim Risch (R-Idaho) said: “Specifically, it will examine ways to replace automated systems with low-tech redundancies, like manual procedures controlled by human operators.”
SEIA Bill: Next steps
It is an interesting move which is dividing opinion, but the bill is not finalized yet. It will need to be approved by the House of Representatives, where SEIA was introduced as part of the National Defense Authorization Act for Fiscal Year 2020.
If that happens and it’s approved, a two-year pilot would be set up with the National Laboratories to study power grid operators and identify new vulnerabilities. It would also aim to develop new analog devices with the ability to isolate critical systems from cyber-attacks. At the same time, a working group would be set up to test these analog devices.
According to Senators King and Risch, SEIA was inspired by the 2015 Russian attack on Ukraine’s power grid which left the country without power. “The attack could have been worse if not for the fact that Ukraine relies on manual technology to operate its grid,” they said.
SEIA: Understanding the threat
So, what is motivating SEIA? Power grids are a major target for foreign actors. One infamous example of an attack on similar critical infrastructure is the Stuxnet worm which was discovered 10 years ago after it ravaged an Iranian nuclear facility. The result of the cyber-assault was a toolkit designed to specifically target the supervisory control and data acquisition (SCADA) systems that power critical infrastructure.
The figures concur with the threat. According to an April Ponemon Institute report, 90% of critical infrastructure providers say their IT/OT environment has been damaged by a cyberattack over the past two years
The US and UK have been warning recently that attacks on CNI are an increasing threat with the ability to seriously disrupt or even kill. In June, the New York Times reported that the United States is stepping up digital incursions into Russia’s electric power grid. The move was billed as a warning to the Russian president Vladimir Putin showing that President Trump is not afraid to deploy cyber tools in a more aggressive manner.
It is widely agreed that Russia is one of the most accomplished nations in the world in its ability to perform state-sponsored attacks, disinformation and espionage. But China, North Korea and Iran also have dedicated cyber arsenals that are of increasing threat to the West.
The threat is certainly from CRINK (China, Russia, Iran and North Korea), says Ian Thornton-Trump, security head at AMTrust Europe. “But it’s a really niche skill set to look at and target these types of [SCADA-based] systems.”
SEIA: A good idea?
Disconnecting from the internet is a good idea, according to some experts, because manual operations offer more control and lower the risk.
“During the attack in 2015 against the Ukranian power grid, it was the operator’s ability to switch to manual operation that helped them recover quickly,” says Chris Doman, security researcher, AT&T Alien Labs. “The attack was potentially also mitigated somewhat by the lack of connectivity of their systems.”
“Requiring a certain amount of manual operation as standard may be a good way of truly enforcing an air-gapped system,” Doman adds. However, he says this will come at a monetary cost and “it can be very hard to ensure there are no automated workarounds.”
But at the same time, Nigel Stanley, CTO at TUV Rheinland points out that in reality, most industrial control systems have some form of manual over-ride or redundancy in the event of failure. “The problem is that this is costly in terms of manpower and requires access to suitably qualified and experienced staff to take over the system if it fails.”
He says a retro approach is “a poor way to address cybersecurity risk and shouldn’t be considered as a realistic control.”
Indeed, Andrea Carcano, CPO and co-founder of Nozomi Networks says the move by the U.S. government is “surprising.”
“By reverting back to manual controls and removing automation, there will be consequences on the overall running of the power grid and more humans will be required to operate plant machinery which could impact safety.”
In the end, Thornton-Trump doesn’t think taking everything offline is the best way of approaching power grid security: “We don’t need to disconnect from the internet. We need to figure out how to make sure we can’t control systems from the internet–or if we can, we need to be able to do it securely.”
Written by Kate O’Flaherty for Forbes
CS4CA Europe: The annual Cyber Security for Critical Assets summit dedicated to safeguarding European critical industries form cyber threats returns to London in 2019, taking this discussion forward. Join in by registering at: www.cs4ca.europe.com
