While most are getting ready for the holidays, this month marked a time of several attacks on the U.S. electric grid, and the Security Industry Association (SIA) is hoping a recent webinar will help educate utilities on how to better protect their infrastructure in light of these incidents.
Responding to Recent Incidents
At the beginning of the December 6 webinar, Leveraging Technology to Protect Utilities, Ron Hawkins, Director of Industry Relations at SIA, explained how gunfire disabled 2 substations in Moore County, North Carolina, on December 3, which highlighted the vulnerability of the electrical grid. This incident resulted in 45,000 customers losing their power for several days.
After this webinar, it was reported that substations were attacked at least 6 times in Oregon and western Washington. In fact, according to NPR, there are about 55,000 electrical substations across the United States, so utilities are urged to do what they can to prevent them from being victims of sabotage. On December 15, the Federal Energy Regulatory Commission (FERC) instructed the North American Electric Reliability Corporation (NERC) to assess security standards at transmission stations, substations, and associated centers. It will conduct a comprehensive study and report back with recommendations by April 2023.
Statement from SIA
SIA issued a statement on December 5 stating that “the risk of cyber and physical attacks, including ones similar to what occurred this weekend, can be mitigated and vulnerabilities can be reduced by having appropriate training, programs, and policies in place, and by adhering to NERC standards. Drones, insider threats, copper theft, sabotage, and even terrorism are just a few components of the threat environment that utilities security practitioners must address 24/7.”
Recent Drone Attacks
Five professionals spoke during SIA’s webinar on the issue of drones entering utility infrastructure airspace. Joey St. Jacques, who currently serves as chair of SIA’s Utilities Advisory Board, is Global Director at Feenics, and was a senior management member of physical and cybersecurity and business continuity of Hydro Ottawa, stated that it’s important for utilities to incorporate better risk mitigation into their plans.
St. Jacques also referenced relevant drone events that included what was identified as the first attempted drone attack on the nation’s electricity infrastructure in July 2020, Ukrainian soldiers using drones to surveil Russian troops in August 2022, and unidentified drones spotted near offshore installations before the Nord Stream pipeline was attacked in September 2022.
An Interconnected Infrastructure
St. Jacques further added, “The management of multiple interdependencies between sectors is essential to prevent cascading impacts.”
Therefore, tabletop exercises should continue to take place between the private and public sectors to help protect the nation’s critical interdependent infrastructure, such as chemical facilities, commercial facilities, critical manufacturing, dams, defense industrial bases, emergency services, energy, financial, food and agriculture, government facilities, health care and public health, information technology, nuclear reactors, nuclear materials, nuclear waste, transportation systems, and water.
Casey Flanagan, Cofounder and President of AeroVigilance and former electronics technician of the Federal Bureau of Investigation (FBI) Counter-UAS Program, explained that drones are not toys, and the federal government considers them unmanned aircraft.
The federal government is concerned because functionality of drone technology could negatively impact:
- The national airspace system
- The radio frequency spectrum
- Public safety
- Critical infrastructure
The four agencies that can detect and mitigate drones are the departments of:
- Homeland Security
Flanagan further noted there are two bills, Senate Bill 487 and House Bill 9849, being discussed by Congress to extend statutory authority, giving state, local, and tribal governments the ability to enforce drone regulations near critical infrastructure. He also explained that the government has been slow to react to the ever-changing world of technology.
The SIA webinar’s second session, “Avoiding VTD’s: The Importance of Vetting 3rd Party Vendors,” led by Christopher Walcutt, Vice President of Strategy at DirectDefense focusing on utility cyberattacks, discussed vendor-transmitted diseases (VTDs).
“If you don’t want a VTD, you have to know where your partner’s been or at least have a frank conversation about it,” Walcutt said.
He further explained that it’s important for companies to know their vendors and other business partners to avoid VTDs. Specifically, he recommends companies protect what’s connected to their network by:
- Understanding their critical functions
- Determining compliance requirements
- Creating a structure for the continuity of operations
- Protecting off-premises storage of data
“Most architectures in the industrial space were not designed to withstand cyber threats and this is because a lot of these systems use components that you can’t apply typical IT security controls,” Walcutt continued, adding that organizations need to have the tools and education to deal with this.
He added that a Verizon 2022 Data Breach Investigations Report shows that the manufacturing industry is being targeted for espionage, denial-of-service attacks, credential attacks, and ransomware, in addition to revealing a high rate of backdoor incidents in 2021 and that the supply chain was responsible for 62% of system intrusion incidents throughout the year.
Walcutt also warned municipalities that are “smart cities” to be cautious of the vendors they work for regarding street lighting, Wi-Fi poles, and advanced metering, stating, “Most organizations are not taking steps or have budgetary constraints in mind.”
How to Protect Your Ecosystem
When it comes to third-party vendors communicating with your server, you should “monitor it and determine whether it needs to stay on all the time. Lots of remote access can be shut off when it’s not being used. It’s a little bit more of a burden on IT staff but from a threat standpoint it is one of the better ways to go about this,” Walcutt continued.
Other steps when dealing with third-party vendors include:
- Checking contractual language
- Asking the right questions
- Doing an analysis and understanding upfront risks
- Determining protective systems
To watch the webinar, please click here.