Old Equipment Is a Smart Move for Utility Cybersecurity

Michael Kelly
Jul 22, 2019

Utility cybersecurity receives its fair share of press. While once a low-level concern, utilities are responding to a changing operating and technology landscape with enhanced cybersecurity practices and investments. And while traditional thinking would be to apply cutting-edge and innovative security solutions to tackle the growing problem, that is not necessarily the case.

In a surprise move, the US Senate passed the Securing Energy Infrastructure Act (SEIA) in July 2019. This legislation seeks to limit the potential for cyber attack by leveraging low-tech redundancies, like manual procedures controlled by human operators. Defense measures are typically slow moving and often trail the more innovative methods of attack. Rather than trying to keep pace with a rapidly evolving threat environment, why not remove digital attack vectors altogether?

What Is SEIA?

In 2016, SEIA was spearheaded by Senator Angus King (I-Maine) and introduced with Jim Risch (R-Idaho), Martin Heinrich (D-New Mexico), and Susan Collins (R-Maine). This bipartisan bill targets vulnerabilities created by digital software systems by using air-gapped equipment (i.e., a computer or network that has no network interfaces connected to other networks). While this does little to protect against physical threats or the potential for insider attack, it does work to close off primary software-based attack vectors.

Specifically, the bill includes the following goals:

  • Establish a 2-year pilot program with National Laboratories to identify security vulnerabilities and test the efficacy of air-gapped equipment
  • Establish a working group to evaluate the National Laboratories’ technology recommendations and develop a national cyber-informed strategy
  • Require the Secretary of Energy to submit a report to Congress summarizing the results of the program and working group
  • Define covered entities under the bill as segments where a cybersecurity incident could result in catastrophic effects

Why Is SEIA Needed?

This bill is in response to a growing threat landscape that has placed market participants on edge. Cybersecurity is of critical importance when it comes to the electric power industry. This sector has been disproportionately targeted by threat actors for a number of reasons, including society’s reliance on critical infrastructure, weak endpoints at the grid edge, and a growing surface area for attack:

  • Critical Infrastructure: Electric power systems fall into this classification due to the critical nature of electricity service. The architecture of power control systems and cascading power delivery make the sector particularly vulnerable to attack.
  • Weak Endpoints: While the quantity (surface area) of endpoints is of concern to utilities, so is the quality of these devices.
  • Surface Area: Utilities have deployed billions of networked sensing devices, increasingly further out to the grid edge. This has drastically increased the surface area for attack—defined as the different nodal points where an unauthorized user can enter the network or extract data. 

Look Back to Move Forward

The world has witnessed the potential implications of a large-scale cyber attack. In December 2015, Ukraine was subject to a targeted malware attack that successfully breached three network operator human-machine interfaces and took down 27 substations (225,000 customers). Other notable examples are the infamous Stuxnet and WannaCry incidents, which targeted Iranian industrial control systems and Indian electricity distributors (among other industries), respectively.

Senator Angus King referenced the Ukraine incident in his appeal to the Senate Committee on Energy and Natural Resources’ Subcommittee on Energy, mentioning that “it does grow out—to some extent—of the experience in Ukraine where it found that it had analog and human intervention at certain key points.”

There is no one-size-fits-all approach to cybersecurity. A holistic and layered strategy will need to be in place in order to secure the wide breadth of utility assets. But for the most critical of utility touchpoints, looking backward may help lead us forward.