Cyberattacks on U.S. energy systems have become unavoidable, and enough have been successful that the sector and its regulators are increasingly focused on mitigation, response, and recovery, reports S&P Global Platts. Within the past six months, news has surfaced that hackers breached an industrial control system at a U.S. power plant, infiltrated a third-party data system used for scheduling gas flows on pipelines, and broke into email accounts at the Federal Energy Regulatory Commission. To date, no major impacts have been reported, but the energy industry is confronting the risks.

Preparation is similar in some ways to how utilities respond to a natural disaster: preparing for an event, communicating throughout the storm, deploying assets to recover, and relying on mutual assistance within the industry. “Mutual assistance is something that’s normal when you have weather-related outages but not necessarily the norm in cybersecurity,” according to Gladys Brown, who chairs the National Association of Regulatory Utility Commissioners’ committee on critical infrastructure. “Over the last 18 months, they’ve been doing more and more of that.”

One key difference is that storm damage is more predictable than the effects of a cyberattack, so mutual assistance in the case of a cyber incident has to be up and running with far less notice. The April attack on the third-party systems highlighted the vulnerability that energy companies also expose themselves to when they inevitably engage an outside entity to manage some part of their business.

Jim Linn, a cyber expert affiliated with the American Gas Association, compared the incident to a hack into retail chain Target’s systems in 2013 that resulted in customer data being stolen. Linn is the executive director at the Downstream Natural Gas-Information Sharing and Analysis Center, or DNG-ISAC, which coordinates sharing of cyber threat information. To limit cyber threat entry points, DNG-ISAC members have been developing procurement guidelines for safely choosing third parties and incorporating government recommendations, according to Linn. “We’re still wrestling through that, having the right agreements in place, having the right protections in place,” he said.

S&P Global Platts notes that communicating across the industry about threats and protection protocols has proved central to strategy. The U.S. Department of Homeland Security (DHS) recently said Russian government-backed hackers gained access to U.S. electric utilities’ industrial control systems during a cyberattack campaign that spanned 2016 and 2017. The Wall Street Journal in a July 23 article said DHS officials indicated that the campaign, which is likely still ongoing, has attacked “hundreds of victims” and could have caused grid blackouts.

However, a DHS spokesperson later said the hackers only breached an industrial control system on “a very small generation asset” that could have been isolated from the rest of the grid. “Would-be cyber attackers are savvy, imaginative, and determined. They never stop trying to think of ways to penetrate our systems. That means we have to be knowledgeable about the latest methods and remain vigilant,” Consolidated Edison spokesman Alan Drury said. To maintain that awareness of new threat information, ConEd is in regular contact with regulators and the federal government.

Both the power and gas industries have worked to be able to operate in degraded conditions without digital overlay, experts said. Scott Aaronson, vice president of security and preparedness at the Edison Electric Institute, highlighted spare equipment programs with the logistics to deliver parts throughout North America, redundancies in the system, and the “nature of the grid to be reengineered in real time if necessary” as ways his sector can limit the impacts of cyber attacks.

“The threat actor has now spent a lot of time and resources attacking a system, and the attack is not likely to be as successful as it would be but for some of the mitigating activities that the industry is undertaking,” Aaronson said of this deterrence method. He also commented that the U.S. government’s willingness in 2018 to point to Russian threat actors as the culprits behind certain attacks, and to impose sanctions, is emblematic of another central defense component—consequences for hackers. That the government can impose consequences on attackers “really highlights the value of the industry/government partnership in not just helping us to better prepare and protect our systems, but also to have a response to our adversaries that shows that we as a nation, both public and private sector, are in lockstep,” Aaronson said.

(SOURCE: The Weekly Propane Newsletter, September 4, 2018.)