Good News, Bad News: Malware in the Grid
There’s Good News and Bad News – the Good News is…
According to Wikipedia, there are more than 240 electric utility companies in the United States. Those companies run power grids with an infrastructure that varies from company to company, and the systems and processes that they use to monitor those infrastructures vary from company to company.
Last week, I read an article, “Cyber firms warn of malware that could cause power outages.” In a nutshell, the article highlighted the risk posed by malware that was recently analyzed by the two firms mentioned in the article. That malware is capable of disrupting electrical power distribution – without overt intervention by a hacker. Such an attack would be similar to the Stuxnet attack on the Iranian nuclear program in 2010. Stuxnet and the recently analyzed malware, Crash Override, are built to proliferate widely but can include code that keeps them covert until they find highly specific software-controlled targets. In the case of Stuxnet, those targets were devices used to control uranium enrichment centrifuges. In the case of Crash Override, the malware could target various control devices in electric power grids. The malware could also be modified (the article says “easily modified”) to attack other utilities such as gas or communications.
Power outages caused by such an attack could last more than a week. Utilities and the various national security agencies are working to prevent and mitigate such a cyber attack, but consider that the Iranians were extremely security-conscious – to the extent that their nuclear program’s computer network was protected by an air gap. An air gap refers to the physical isolation of a network, in this case the Iranian nuclear network, from any other network, particularly the Internet. Nonetheless, Stuxnet (ahem) wormed its way into the target network and caused significant damage.
Cyber defense is extremely challenging because it is, by its nature, reactive. Once malware is identified, the defenses can be tailored and are extremely effective – but not until the malware is known and analyzed. That means that there is and will remain a risk of serious power outages.
Companies and organizations that rely heavily on various utility providers need to consider their options in the event of a prolonged outage of one or more of those utilities. How can an organization maintain operations – or recover quickly? What prior planning and mitigation activities need to be taken?
Each company and organization needs to answer those questions separately. There is no single answer. That means that each company/organization needs to thoroughly analyze the impact of such an outage (recall that Tropical Storm Sandy caused such outages too – it isn’t just the bad guys that pose a risk). Such an analysis needs to include critical suppliers as well as the organization’s own (organic) operations.
Part of the good news is that with over 240 electric power suppliers, it is highly unlikely that any malware can attack the entire grid – there is significant diversity of vulnerable devices and each such specific type of device would need to be targeted separately.
The bad news is that each utility company needs to have its own cyber defense organization and those organizations are also going to be diverse and of variable capability. This diversity of capability is a vulnerability in itself since each utility will need to define its own defensive approach.
The rest of the good news is that star watching is much better and more spectacular when all the lights go out.