The devastating and destructive Sony Pictures Entertainment hack has elicited cries of "cyberwar" from pundits and policymakers alike. In recent days, former Speaker of the US House of Representatives Newt Gingrich has weighed in alongside Senator John McCain declaring Sony the US's first "cyberwar" (and the US the loser).
Even as the Obama administration seeks to tamp down talk of computer wars and retaliation, experts agree that, when cyberwar does reach our shores, the most likely targets won't be Hollywood movie studios. Instead, it may be the critical infrastructure – the systems that keep our society and economy humming.
In fact, in just the past three months, senior US government officials have warned of computer attacks on the nation’s critical infrastructure with growing urgency. Attacks are not just possible, they are already happening, they say.
First came an alert in October from the Department of Homeland Security’s Industrial Control System Computer Emergency Response Team (ICS-CERT). It warned critical infrastructure operators about malicious software known as BlackEnergy used in attacks on industrial control systems.
Then, on Nov. 20, the government’s most senior cyber warrior, the National Security Agency's chief Adm. Michael Rogers, told Congress that the government was aware of widespread and concerted efforts by nation-state actors to use malicious software and online attacks to infiltrate, study, and – potentially – cripple US critical infrastructure, including the nation’s electric grid.
“There are those industrial control systems that can shut down and forestall our ability to operate … basic infrastructure, whether it’s generating power across this nation, whether it’s moving water and fuel,” Admiral Rogers told the House Select Intelligence Committee.
At the top of the list of targets for a crippling hack: North America's vast and vulnerable electrical grid.
Rogers, who also serves as the head of US Cyber Command, gave a dire assessment of the security of the US grid to an audience of energy company executives in October. In that speech, Rogers said that the power infrastructure was not designed to stand up to today's attacks. "Power ... is one of the segments that concerns me the most," he said, according to a report by CNN, which obtained a transcript of the speech.
For security experts who have been working within the power sector, however, the dire warnings are not news. They would not have been news last year, or the year before. In fact, Rogers’ dim assessment of the US power sector’s readiness to face and withstand a cyberattack has been shared and articulated within the power industry for seven years.
Why is it that the US power grid in 2014 is not better prepared to keep nation-state hackers at bay, or to withstand a critical cyberattack? Some of the power industry’s top experts on cybersecurity say that the fault may lie with the industry itself, which has downplayed the risk of cyberattacks on the power grid.
Aurora: a canary in the substation?
To understand the current consternation about the vulnerability of the power grid to cyberattack, you need to roll back the clock to 2007 and an obscure test conducted by the Department of Homeland Security and known by the code name Aurora.
First identified by researchers at the Idaho National Laboratory (INL) in 2006, the vulnerability now known as Aurora raised Homeland Security eyebrows in a now-famous DHS-sponsored test conducted at INL in March 2007.
In that test, DHS procured and installed a 2.5 Megawatt generator and connected it to an electric substation, then set it running – a configuration typical of a utility substation operation and validated by industry experts. Next, INL researchers hacked into industrial software that controlled protective relays, a kind of circuit breaker that protects valuable equipment from dangerous power fluctuations. In the test, the relays were rapidly opened and closed using the software, creating what’s known as an out-of-sync or out-of-phase condition.
Imagine what would happen were you to drive down the highway in your car at 70 miles per hour and then abruptly throw your car’s engine into reverse. In the Aurora test, the generator was the car engine.
A video of the INL test showed the generator twitching and shaking as it tried to manage the tremendous torque created by the shifting load demands. Eventually, smoke began billowing from the generator as it literally tore itself apart.
The power industry has known about out-of-phase dangers for almost a century. But an attack triggered remotely by hackers had only been hypothesized. The INL test proved that cyberattacks that could cause physical damage were very real. The tape soon leaked to CNN.
The political backlash from Aurora (or, at least, CNN’s outing of it) was immediate. There were hearings on Capitol Hill within weeks of the CNN report and urgent calls for utilities to secure their systems against cyberattack.
The Federal Energy Regulatory Commission (FERC) demanded regular updates from utilities about their efforts to mitigate Aurora. FERC agents spent much of the next year conducting audits of 30 utilities – a representative sample of the organizations making up the US electrical grid – about their efforts to mitigate the Aurora vulnerability on their networks. And, in September 2008, FERC’s Chairman told the House Energy and Commerce subcommittee that 23 out of 30 interviewees failed to mitigate Aurora effectively, based on FERC’s audits, further raising alarm.
Assurances of security – but little proof
What happened next is a matter of intense debate within the power sector and critical infrastructure circles. If you ask utility industry representatives, the story is that US utilities took the Aurora test seriously, checked their own infrastructure for exposure and, where appropriate, took steps to address the threat that the researchers demonstrated.
“Aurora is an example of a vulnerability being identified, shared broadly within our community and the community taking action to remediate and mitigate affected systems,” says Scott Aaronson, the senior director of national security policy at the Edison Electric Institute, which represents shareholder-owned utilities.
Gerry Cauley, the president and chief executive officer of the North American Electric Reliability Corporation (NERC), a nonprofit regulatory body, reiterated that position by e-mail. “Today, the majority of the North American asset operators report that they have fully mitigated cybersecurity risks from Aurora or that Aurora does not apply to their systems.”
But some cybersecurity experts in the power industry strongly disagree with those assessments. One of them is Joe Weiss, a 40-year veteran of the energy sector who spent 18 years as a nuclear power engineer. For the past 15 years, he has been focused on the issue of cyber risk in the power sector. One of the US's leading experts on the security of the electric grid, Mr. Weiss is regularly consulted on issues related to industrial control system security.
Within the industry, though, Weiss is a frequent source of consternation. He speaks openly about issues that many within the sector would rather be handled internally. And when Weiss speaks, it's with the exasperated incredulity of an engineer who foresees trouble, but can’t get anyone to take him seriously.
“The electric industry, in reality, has done an inadequate job of securing the electric system,” he says. “Is cyber a household word in the electric sector? Yes. Are they trying to address cyber vulnerabilities in ways that will make sure all systems are secure? No.”
Lost in translation
At the heart of Weiss’s beef with the power industry is his belief that utilities and their representatives in groups like NERC and the Edison Electric Institute take far too narrow a view of Aurora: treating it as a warning about a specific vulnerability affecting a specific type of asset (a generator connected to a substation) and under conditions very favorable to attackers.
You can hear it in the response of officials like Scott Aaronson of the Edison Electric Institute, who described Aurora, thinly, as “a proof-of-concept that used perfect information in a controlled lab setting.”
For Mr. Aaronson and other power sector representatives, Aurora was less an all-hands-on-deck emergency than a teachable moment. For Aaronson, the message was about the need for better coordination between government and industry on cyberthreats and vulnerabilities. “I think with subsequent vulnerabilities there has been better socialization,” he says. “We need to ensure that the right people get the right information at the right time.”
Scott Saunders, the Information Security Officer at the Sacramento Municipal Utility District, articulates a similar point of view. “The threat identified by Aurora is one that many utilities, under a system perspective scheme, already had devices in place,” he says. “When you get down to the engineering of that: it’s a physical issue and there are controls available.”
Like other power industry officials, Mr. Saunders was reluctant to discuss specific defenses that his employer has used. And he chose his words carefully when asked about the real significance of the Aurora test. “It’s not a hot topic,” says Saunders. “How can I characterize this? Aurora is a threat that we have – but a threat that we have mitigated. For that reason we are concentrating on other emerging threats.”
That's a mistake, according to Perry Pederson, who was director of the control systems security program (CSSP) at the Department of Homeland Security when the Aurora test was conducted.
“It’s a vulnerability,” says Mr. Pederson of Aurora. “If it were the consequence of one system, one generator, one power plant – that would be inconsequential,” he says. But Aurora applies to “anything running synchronously to the grid,” Pederson notes – a much larger set of potential targets.
Now, with the discovery of malware such as BlackEnergy, both Pederson and Weiss say the utilities should be even more concerned about Aurora-like attacks.
The industry doesn’t share that view. Asked whether the BlackEnergy news has changed the industry’s assessment of the viability of an Aurora-like attack, NERC chief executive Cauley says: "To date, there have been no reports of a BlackEnergy impact to generators and the bulk power system."
Utilities and their industry representatives maintain that securing critical infrastructure from cyberattack is all about risk management: leveraging excellent and comprehensive intelligence to understand the threats that exist and taking reasonable precautions against them.
“You can have all the controls in place, but there are more bad actors than good actors defending critical infrastructure,” says Saunders from Sacramento Municipal Utility District. “It’s going to be impossible to zero proof against threat actors.”
The proper approach is to manage risk. Saunders compares it to automotive safety. “I can’t wake up this morning and get in car and say, ‘No matter how I get hit, I’ll be fine.’” In that case, the solution is to buy cars with safety features such as air bags and to stop at red lights.
The same model applies to protecting critical infrastructure, he says. “I do all these things to minimize risk and it’s okay in every part of my life and every other sector. We need to decide that it’s okay in our sector, too.”
But Pederson, who is now a principal at Langner Associates, a critical infrastructure consulting firm, argues that there is too much reliance within the power industry on risk-based calculations taken from the business world that are ill-suited to the protection of critical national infrastructure.
“There are all these convoluted risk calculations,” says Pederson. “When you take a risk-based approach to Aurora, the risk looks pretty low and therefore there is no compelling argument to spend money.”
But Pederson says the cost of failure is so high that utilities should hold themselves to a higher standard – one closer to the standard used in the nuclear power sector, which sets a high bar for assurance for both critical systems and downstream support systems.
“Let’s set Aurora aside for the moment and say that it’s a valid vulnerability and everyone fixed it,” says Pederson. “What I try to point out to folks is how much effort went into finding it. It didn’t drop out of the sky,” he says. “Those kind of vulnerabilities – who knows how many of them there are? There are untold numbers.”