Challenges of cyber threat in Electric GRID operations

Introduction

The electric industry is experiencing a rapid rise in cyber threats, which pose various risks such as blackouts and safety incidents. To address these challenges, utilities cannot rely solely on their own efforts. Instead, they should seek out partnerships and technologies, from specialized ICS cyber security firms, that cater to their operational requirements and business goals. Electric utilities play a crucial role in supporting critical infrastructure, making them prime targets for adversaries seeking to disrupt their operations and impact the lives of those who rely on them. The increasing interconnection between IT and OT networks within electric utilities' industrial control systems (ICS) has expanded the potential attack surfaces, exposing these organizations to new threats and compromises that were previously unseen.

In the past few years, there has been a consistent increase in advanced cyber threats targeting the infrastructure of the electric grid, aiming to cause substantial disruptions in its operations. Substations play a crucial role in generating and transmitting electricity, making them a prime objective for these attacks. Successful cyber intrusions can lead to the disconnection of generation and transmission lines, ultimately resulting in grid failures and extensive blackouts.

Sophisticated malware frameworks aiming to attack electric substations

In 2016, a malware framework called CRASHOVERRIDE was created and deployed to target electric grids. The incident took place in Kiev, Ukraine, and specifically targeted a transmission substation, causing significant disruption to electric grid operations. In April 2018, the Dragos Intelligence team reported another cyber incident. It affected numerous electric utility organizations, forcing them to shut down communication connections and causing difficulties in data processing. The cause of this incident was traced back to a commonly used business tool. Throughout 2018, the Dragos Threat Operations Center (TOC) actively engaged with various electric-focused utilities, which highlights the increasing number of adversaries specifically targeting the electric sector. In 2022, a major power utility company in India was also impacted by a cyber attack on its IT network, but the adversarial attempt was detected, preventing lateral movement to the OT network.

To effectively combat these threats, electric utilities need a comprehensive understanding of their environments and of the adversary tradecraft used against them. They also need to be equipped with the necessary tools to identify and respond to these threats. This is where ICS-specific cyber security tools are needed. Such an ICS cyber security platform provides industrial organizations with comprehensive network asset visibility and identification. It also uses intelligence-driven threat behaviour analytics to provide insights into potential threats. Additionally, it offers a workbench with step-by-step playbooks to guide organizations in investigating and responding to incidents.

Difficulties in Ensuring the Cyber Security of Electric Utilities

The electric grid can be broadly classified into three main functions: electricity generation at power plants, transmission of electricity over long distances at high voltage, and distribution networks that deliver power to customers at lower voltages. Throughout these transmission and distribution systems, there are substations that play a crucial role in transforming voltage levels, acting as switching stations and feeders, and providing fault protection. Various industries contribute to the electric grid, and due to their unique characteristics, it is essential to have a deep understanding of their systems and communications. Consequently, there is no universal security approach that can be applied to all; securing them requires a thorough understanding of the diverse and heterogeneous environments in which they operate.

Electric utilities face several challenges, of which the most fundamental cyber hygiene issues are:

1) Insufficient visibility into the ICS environment and asset management.

2) Limited resources for a dedicated ICS security team.

3) Inadequate understanding of OT-specific threats and appropriate response strategies for such incidents.

Challenge: Insufficient ICS Visibility & Asset Management

To effectively prevent, detect, and respond to threats, electric utilities must possess a comprehensive understanding of their ICS environments, including knowledge of their owned assets and a deep insight into asset communications. However, for a skeleton ICS cybersecurity team expanded from the IT side to the OT side, manually monitoring and tracking thousands of assets on a network spanning hundreds of miles is an unreasonable task. The lack of automated asset management will always hinder the ability to obtain an accurate overview of the ICS environments, manually locate each asset, and keep pace with a vast and ever-changing network.

Solution:

Here we need an ICS cyber security platform that can identify and visually map assets across the utility network. The passive asset discovery features of such a platform, along with its mapping and zoning functions, enable analysts to achieve a thorough understanding of their assets that goes beyond just knowing which protocols are transmitted. Analysts can visualize their assets in a map view for easy categorization, group assets into custom zones, access a device's history and last seen time, analyse protocols (including ICS protocols) through deep packet inspection, and set up alerts for any new device detected on the network. Analysts can also draw on data from various origins such as asset identification details, packet captures, logs (system, event, PLC, RTU), historians, and network traffic. This lets them merge and consolidate the different data sources into a single location, reducing the time spent searching for data and giving a comprehensive view of their industrial operations from multiple data sources.
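As an added example (not from the article or any vendor's product), a minimal passive asset inventory of the kind the paragraph describes: it records first-seen and last-seen times per device, labels protocols from a small well-known-port table (Modbus/TCP, DNP3, IEC 60870-5-104), assigns hypothetical zones from CIDR ranges, and raises a context-rich alert for any device that first appears after a learning baseline. The flow records, addresses, and zones are constructed, and a flow record is assumed to be a dict with `ts`, `src`, `dst` and `dport` fields.

```python
# Passive ICS asset inventory from flow records (added example, hypothetical data).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 2404: "IEC-104"}  # well-known ports
ZONES = {ip_network("10.10.0.0/24"): "substation-A",  # hypothetical zoning
         ip_network("10.20.0.0/24"): "control-center"}
@dataclass
class Asset:
    ip: str
    zone: str
    first_seen: int
    last_seen: int
    protocols: set = field(default_factory=set)

def zone_for(ip):
    addr = ip_address(ip)
    return next((z for net, z in ZONES.items() if addr in net), "unzoned")
class Inventory:
    def __init__(self, baseline_until):
        self.baseline_until = baseline_until  # learn silently until this timestamp
        self.assets, self.alerts = {}, []

    def observe(self, flow):
        """Record both endpoints; alert on a device first seen after the baseline."""
        proto = ICS_PORTS.get(flow["dport"], f"tcp/{flow['dport']}")
        for ip, peer in ((flow["src"], flow["dst"]), (flow["dst"], flow["src"])):
            asset = self.assets.get(ip)
            if asset is None:
                asset = self.assets[ip] = Asset(ip, zone_for(ip), flow["ts"], flow["ts"])
                if flow["ts"] > self.baseline_until:  # context-rich new-device alert
                    self.alerts.append(f"NEW DEVICE {ip} zone={asset.zone} proto={proto} peer={peer}")
            asset.last_seen = max(asset.last_seen, flow["ts"])
            asset.protocols.add(proto)  # seen as client or server of this protocol

    def stale(self, now, max_idle):
        """Assets silent longer than max_idle seconds: review or retire them."""
        return [a.ip for a in self.assets.values() if now - a.last_seen > max_idle]

FLOWS = [  # constructed sample records (ts, src, dst, dport), not real traffic
    {"ts": 100, "src": "10.20.0.5", "dst": "10.10.0.11", "dport": 502},
    {"ts": 200, "src": "10.20.0.5", "dst": "10.10.0.12", "dport": 20000},
    {"ts": 5000, "src": "10.20.0.5", "dst": "10.10.0.11", "dport": 502},
    {"ts": 9000, "src": "192.168.77.9", "dst": "10.10.0.11", "dport": 502},
]
def build_inventory(flows, baseline_until=1000):
    inv = Inventory(baseline_until)
    for flow in sorted(flows, key=lambda f: f["ts"]):
        inv.observe(flow)
    return inv
```

Running `build_inventory(FLOWS)` learns the HMI and the two substation devices silently, then alerts once on the unzoned host that first appears at ts 9000; `stale()` lists devices whose last-seen time has aged out.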

Challenge: Insufficient Resources for an Exclusive ICS Security Team

Numerous industrial organizations, electric utilities among them, face limitations in resources and budget, coupled with a general scarcity of skilled ICS professionals. Frequently, IT teams are burdened with filling the void in OT security, and their workload can become overwhelming because they lack the additional resources and expertise required to extend their operations into the OT domain effectively.

Solution:

To address these challenges, utilities should form a team of engineers from the IT and OT networks and have them trained by a specialised ICS cyber security firm. This imparts specialized ICS knowledge, enabling the team to operate independently, learn from experienced practitioners with years of hands-on ICS security expertise, and draw on the firm's knowledge to complement any areas where they may be lacking. The ICS cyber security platform incorporates threat behaviour analytics developed by the firm's intelligence team, based on the ICS-specific adversaries it monitors. These analytics are integrated into the platform to furnish analysts with context-rich alerts and to accurately identify malicious activity. Unlike traditional anomaly-based detection methods, the threat behaviour-based detections of such a platform offer more effective threat identification and reduce the number of false positives analysts receive by delivering a detailed explanation with each alert. The threat behaviour analytics, which encompass adversary tactics, techniques, and procedures, are continuously monitored and updated by the threat intelligence team. This not only helps the utility's ICS security team make the most of its resources but also instils a high level of confidence in threat identification within its environment.

Challenge: Lack of Insights into OT-Specific Threats and How to Respond

The most common challenge that utility companies face is a lack of visibility into the threats specifically targeting their networks and the knowledge of how to respond to them.

Solution:

To address the challenges faced by the utilities, we should focus on enhancing visibility of the ICS adversaries that target the electric industry. We should keep an eye on the four threat actors publicly known for specifically targeting electric utilities: RASPITE, ELECTRUM, COVELLITE, and ALLANITE. This ensures that the threat intel team within the utility companies not only gains insight into any threats or vulnerabilities specifically affecting the electric industry, but also receives recommendations on how to detect and mitigate them effectively.

Conclusion

This article explores the benefits of investing in an Industrial Cybersecurity Platform, which offers thorough industrial asset identification, threat detection, and response capabilities for the electric utility industry. By addressing the challenge of low visibility of ICS assets and environments, scaling resources for dedicated ICS security, and enhancing understanding of threats and response strategies, organizations can effectively safeguard their operations.
