Not surprisingly, reports of serious security hacks in the energy industry are back in the news.
Successful hacking of the power grid infrastructure is no surprise to me. In fact, I wouldn’t be surprised if most utilities are already heavily infected with malware and viruses that are largely immune to conventional antivirus and anti-malware solutions.
The mantra of criminal and nation-state-level hacking has always been to find high-value economic and political targets and exploit them. The most professional hacking projects do not wreak havoc immediately. Instead, they stealthily infect and control as many systems as possible, in order to gain information about the targeted systems and obtain as many redundant control points as possible. Then, when the appropriate time comes, the attacker will strike – and will be very difficult to remove from the infiltrated systems.
The causes of the security weaknesses in the energy sector come down to these facts: 1) the electrical grid is now interwoven with the public Internet; 2) while the interfaces between the public Internet and the control grid do have protections, they are not (and never will be) perfect; and 3) users within the control grid infrastructure network receive email and surf the web on their systems, opening those systems up to be infected and taken over by hackers – and thereby giving external entities access to grid management.
As an organization selling privileged identity management products for the energy infrastructure, as well as other industries, we’ve found many of the utilities to be completely vulnerable to both internal and external threats, yet unwilling to implement comprehensive and competent security solutions. I attribute the problem to the fact that many senior managers in the utilities industry are more familiar with “Reddy Kilowatt”, hostile takeovers, and stock options than with cyber-security, threat management, or best practices for IT auditing and mitigation.
My hope is that the recent (and not unanticipated) attacks will wake the utilities industry up and prompt it to invest in highly skilled IT security staff, a computer CSI department, and the most advanced software security products to protect its critical infrastructure.