Navigant Research Blog

Hacks, Hacks Everywhere: FERC, US Energy Grid, Atlanta Are All Targets

— April 3, 2018

Like Amazon deliveries, cyber attacks keep showing up on a regular basis. In recent days: the US charged nine Iranian citizens with a state-sponsored attack against a range of companies and agencies, including the Federal Energy Regulatory Commission (FERC); the Trump administration blamed Russia for ongoing attempts to hack the US energy grid and other critical infrastructure; and key parts of Atlanta’s municipal computer system were knocked out by a ransomware attacker. Reports like these are becoming all too common.

State-Sponsored Attacks Warrant Concern

The first two raise serious red flags. State-sponsored attacks sit at the top of the sophistication scale. The attackers use the most advanced tools to break in, and with governments behind them they have nearly limitless resources to achieve their goals. They also have time: they can mount campaigns over years if need be, probing on many fronts for weak spots and persisting inside systems or devices with code built to evade detection. The Iranian attackers were said to have been operating from 2013 until the end of 2017, roughly 4 years.

Hacking a federal agency or probing critical infrastructure is a dangerous escalation. Interference with critical infrastructure can be viewed as an act of war, or as a precursor to hostilities. These attacks are not new, of course, and the US itself more than likely probes and spies on friends and enemies with the same techniques on a regular basis. State-sponsored attacks are growing in scale, frequency, and sophistication, warns Leo Taddeo, chief information security officer at Cyxtera, a provider of infrastructure security solutions.

To Thwart Cyber Attacks, Cities Must Plan and Budget

Atlanta’s case is somewhat more benign. The attack kept some customers from paying bills, and residents were unable to access court-related information. Four days after the initial report of the attack, the city’s servers were still struggling to process online bill payments and fee collection, and the city had not said whether it would pay the ransom. For Atlanta, which prides itself on being a leading-edge smart city, this attack must sting. Part of being on the leading edge, though, is accepting the risks that come with newer technologies and learning hard lessons. The lesson here: plan and budget for the latest tools and the best people to thwart cybercriminals, because this type of threat is not going away anytime soon.

These cyber attacks underscore the challenges of a connected Internet of Things (IoT) world. As governments, corporations, and utilities take advantage of IoT technologies, they must keep security measures at the forefront of all they do (see Navigant Research’s report, Managing IoT Cybersecurity Threats in the Energy Cloud Ecosystem, for practical steps to reduce the risks posed by cyber attacks). A smart grid or a smart city looks rather dumb when the security piece gets short shrift.


High Stakes Blockchain Applications Are a New Frontier for Cybersecurity

— November 30, 2017

Blockchain-Based Systems Are Only as Strong as Their Weakest Link

On November 16, the US Patent and Trademark Office released a patent filed by Nasdaq that describes a blockchain-based architecture that could be used to track the ownership and transaction of stock market assets.

Nasdaq is part of a wave of big name organizations globally—including banks, utilities, and the Pentagon—that have announced plans to experiment with blockchain to determine whether it can help their organizations run more smoothly, efficiently, and securely.

As the hype train charges onward and expectations skyrocket, there is a real risk that in the rush to generate solutions to increasingly complex high stakes problems, adopters will forget that simply adding blockchain doesn’t make a system bulletproof. Before integrating blockchain into keystone systems like stock exchanges or electricity grid operations, it’s important to understand where blockchain brings security to a system, where it doesn’t, and how it interacts with other pieces of the puzzle.

Blockchains Are Built on Security and Cryptography Principles

Blockchain architectures are considered a robust and highly secure means of storing information for several reasons:

  • The blockchain is stored across a decentralized and distributed network of many computers, creating a redundant record with no single point of failure.
  • Network nodes use a resource-intensive cryptographic process (proof of work, in Bitcoin’s case) to reach majority consensus on the chronology and validity of transactions between nodes.
  • The full record of information stored on the blockchain is auditable by any node in the network.

In combination, these properties make the blockchain ledger itself resilient to attacks. Indeed, with Bitcoin’s market value around $140 billion at the time of writing, attackers have every incentive, yet the protocol’s core cryptography and consensus design have never been broken.

Determined Hackers Will Work Around Unbreakable Cryptography

Rather than attacking the blockchain itself, hackers have repeatedly exploited weaknesses in the hardware and software around it: the personal computers and devices that make up the nodes of the network, the wallets and exchanges that hold keys, and the software applications and smart contracts that automate transfers. It’s the cryptographic analog of identity theft: a thief doesn’t need to smash their way into a bank vault if they can clone your credit card.

White hat hackers used exactly this principle to gain irreversible control of a user’s Bitcoin wallet account: by exploiting a hole in the SS7 signaling protocol used by cellular networks, they intercepted the text messages carrying account recovery codes. Separately, an attacker famously exploited errors in a widely used Ethereum multi-signature wallet contract to steal $31 million from early backers of a startup. The blockchain preserves an immutable, open record of the thefts for all to see, but that same immutability makes them irreversible.
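To make the distinction concrete, here is an added illustration (not code from the original post, nor from Bitcoin, Ethereum, or Nasdaq): a toy hash-chained ledger whose audit catches any edit to recorded history, yet accepts a transfer signed with a stolen key exactly as readily as a legitimate one. The wallet “keys” are HMAC secrets standing in for private keys, and the wallet names and amounts are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64


def sign(secret: bytes, tx: dict) -> str:
    # Stand-in for a wallet's private-key signature: HMAC over the canonical tx.
    body = json.dumps(tx, sort_keys=True).encode()
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_valid(secret: bytes, tx: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(secret, tx), sig)


def block_hash(prev_hash: str, txs: list) -> str:
    # Each block commits to its predecessor, so editing any earlier block
    # breaks every hash after it.
    payload = prev_hash + json.dumps(txs, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    def __init__(self, wallet_keys: dict):
        self.keys = wallet_keys  # wallet name -> secret the network checks signatures against
        self.chain = [{"prev": GENESIS, "txs": [], "hash": block_hash(GENESIS, [])}]

    def append(self, signed_txs: list) -> None:
        # The only validity rule: every tx carries a correct signature for its sender.
        # Nothing here can tell the owner from a thief who holds the same key.
        for tx, sig in signed_txs:
            if not signature_valid(self.keys[tx["from"]], tx, sig):
                raise ValueError(f"bad signature on {tx}")
        prev = self.chain[-1]["hash"]
        txs = [dict(tx) for tx, _ in signed_txs]
        self.chain.append({"prev": prev, "txs": txs, "hash": block_hash(prev, txs)})

    def verify(self) -> bool:
        # Audit the whole record, as any node in the network can.
        for earlier, block in zip(self.chain, self.chain[1:]):
            if block["prev"] != earlier["hash"]:
                return False
            if block["hash"] != block_hash(block["prev"], block["txs"]):
                return False
        return True

    def balances(self, initial: dict) -> dict:
        bal = dict(initial)
        for block in self.chain:
            for tx in block["txs"]:
                bal[tx["from"]] = bal.get(tx["from"], 0) - tx["amount"]
                bal[tx["to"]] = bal.get(tx["to"], 0) + tx["amount"]
        return bal


# Constructed toy wallets; real systems use asymmetric keys held only by the owner.
KEYS = {"alice": b"alice-private-key", "bob": b"bob-private-key"}


def demo_tampering() -> bool:
    """An attacker rewrites recorded history: the chain catches it."""
    ledger = Ledger(KEYS)
    tx = {"from": "alice", "to": "bob", "amount": 5}
    ledger.append([(tx, sign(KEYS["alice"], tx))])
    ledger.chain[1]["txs"][0]["amount"] = 500  # edit the stored record
    return ledger.verify()  # False: the block hash no longer matches


def demo_stolen_key() -> dict:
    """An attacker holds alice's key (e.g. after hijacking her SMS recovery codes):
    the chain accepts the theft as a perfectly valid transaction and it cannot
    be reversed. Returns the resulting balances."""
    ledger = Ledger(KEYS)
    stolen = KEYS["alice"]
    tx = {"from": "alice", "to": "thief", "amount": 10}
    ledger.append([(tx, sign(stolen, tx))])  # no error: the signature is valid
    assert ledger.verify()  # and the ledger is intact
    return ledger.balances({"alice": 10, "bob": 0})


if __name__ == "__main__":
    print("tampered chain verifies:", demo_tampering())
    print("balances after stolen-key transfer:", demo_stolen_key())
```

The ledger’s audit is exactly the property the bullets above describe, and the stolen-key case is the credit-card clone: every check the network can perform passes, because the network never had anything to check but the key.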

Planning Ahead

The electricity system is a frequent target of cyber attacks backed by powerful antagonists. To date, no blockchain architecture has been subjected to a stress test of the magnitude we might expect if it were supporting, say, the automated demand response capabilities of a microgrid in an urban financial district. Potential applications in these systems are among the most transformative opportunities for blockchain, but they will also be among the most prone to cyber attack and the hardest to field test at scale.

Until a set of comprehensive security standards for blockchain-based systems is developed, Nasdaq and any organization seeking to adopt blockchain-based solutions must recognize that blockchain does not inherently provide end-to-end security. For blockchain to be part of the solution requires thoughtful implementation and proactive design that maximizes security at the endpoints: the keys, wallets, applications, and devices that feed the chain. Every link of the system must be evaluated for security and potential vulnerabilities, and adopters should be especially cautious about entrusting critical systems to the technology.


Cybersecurity Pros Are Hiding the Breaches: This Must Stop

— May 31, 2017

Even the security good guys are failing us. That’s the upshot from the new survey of cybersecurity experts conducted by Bromium, a cybersecurity firm based in Cupertino, California.

The company surveyed attendees at the RSA Conference 2017 and, in an extended study, security professionals in the United States and United Kingdom. The results are startling:

  • On average, 10% of security professionals said they had paid a ransom or hidden a breach without telling their team members (5% at RSA, 15% in the extended study). Note: some 638 million ransomware attacks were counted in 2016; if a similar share of the resulting breaches are hidden, tens of millions are likely going unreported.
  • On average, 35% of security professionals said they went around, turned off, or bypassed their own corporate security settings (38% at RSA, 32% in extended study of United States and United Kingdom security professionals).

The folks at Bromium said the results “kind of blew their minds.” No kidding. This level of failure to act is shocking. But on further analysis, perhaps understandable. The bad guys have both the incentives and easy access to the tools needed to break into servers and cause havoc.

For grid operators, this is not good news. An updated U.S. News & World Report article last year noted it took hackers just 22 minutes to get employees at an electric facility north of Seattle to bite on phishing emails. It was only an exercise, but proved the point that the grid is vulnerable and that humans are often the weakest link.

Security Fatigue

One of the root causes among cybersecurity professionals for this lack of diligence is security fatigue, as pointed out in a TechRepublic story. The National Institute of Standards and Technology (NIST) defines this fatigue as “weariness or reluctance to deal with computer security.” The author recommends that companies reduce such fatigue by boosting the relevance and importance of security alerts to an IT team and emphasizing the need for constant security vigilance.

It is hard to argue with that recommendation. However, I would take things a step further: institute regular, focused training on how to combat threats, combined with controlled drills or tests like the one at the plant near Seattle. It is unacceptable that people we need to trust have such careless attitudes and fail to act in the face of threats. It is hard to admit, but we are in far deeper trouble on this front than imagined. We must do better.


Patch or Perish: NERC-CIP and the Lesson of the WannaCry Worm

— May 16, 2017

Last Friday and over the weekend, hundreds of thousands of computers were infected with the Wana Decrypt0r 2.0 or WannaCry worm. The rapid spread of this malware was due to its ability to seek out other vulnerable computers, first on the same network, be that at work or a cafe, and then on random Internet addresses, and infect those systems as well. Once a computer is infected, the user’s files are encrypted and they are given the choice to lose their files or pay a bitcoin ransom of $300. The worm interface motivates the user not only by threatening the imminent loss of data, but also by raising the ransom if payment is delayed. Racketeering and extortion are now fully a part of life in cyberspace.

(Source: Securelist)

NERC CIP Standards Work

Unfortunately, there is no equivalent of RICO on the Internet. However, for the electric utility industry, there are enforceable standards designed specifically to prevent this kind of event from affecting the stability of the grid. North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard CIP-007-6, Requirement R2 (Security Patch Management), states the following:

“A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.”

The standard further requires (Part 2.2):

“At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation.”

Cybersecurity Housekeeping

Two months ago, Microsoft released a critical security bulletin, MS17-010, which specifically stated, “This security update is rated Critical for all supported releases of Microsoft Windows.” A working exploit for the flaw it fixes (EternalBlue) had been freely available to hackers (and everyone else) since April, when a cache of tools attributed to the National Security Agency (NSA) was leaked.

The bulletin was issued by Microsoft on March 14 and the outbreak became widespread on May 12, a span of 59 days, longer than the 35-day evaluation cycle CIP-007-6 R2 requires. Every utility on that cadence would have evaluated the patch at least once, and had time to apply it, before the worm appeared. Electric utilities also have a second layer of defense that fits a defense-in-depth strategy.

CIP-007-6 Requirement R1 (Ports and Services) states that:

“Where technically feasible, enable only logical network accessible ports that have been determined to be needed … disabling or restricting (others).”

Researchers established that the worm’s spreader scans the local network (and random Internet addresses) for hosts with TCP port 445 open, attempts the EternalBlue exploit against the SMBv1 flaw that MS17-010 fixes, and then uses the DoublePulsar kernel backdoor, which it implants or finds already present, to load the ransomware payload onto that machine.

CIP-007-6 R1 requires that ports which are not needed be disabled or restricted, and it has long been common knowledge among cybersecurity practitioners that SMB on port 445 should be blocked at the perimeter firewall and, wherever the service is not required, on the host itself. Any entity that performed this basic level of cybersecurity housekeeping would have cut off the worm’s network propagation path, patched or not.
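As an added illustration of the two housekeeping checks above (this is example code, not NERC, utility, or Microsoft tooling), the script below checks a patch-evaluation log against the 35-day R2 cadence, counts how many evaluation cycles fit between the MS17-010 release and the outbreak, and reviews a host’s `netstat -an` listing for network-reachable ports that were not determined to be needed, flagging SMB regardless. The evaluation dates, the needed-ports list, and the netstat output are all constructed; only the March 14 and May 12 dates come from the post.

```python
from datetime import date

MAX_GAP_DAYS = 35               # evaluation cadence required by CIP-007-6 R2
KNOWN_RISKY_PORTS = {139, 445}  # NetBIOS/SMB: the path WannaCry spread over

# Dates from the post: Microsoft's MS17-010 bulletin and the WannaCry outbreak.
MS17_010_RELEASED = date(2017, 3, 14)
WANNACRY_OUTBREAK = date(2017, 5, 12)


def cadence_gaps(evaluations, max_gap=MAX_GAP_DAYS):
    """Consecutive patch evaluations more than max_gap days apart, as
    (earlier, later, days) tuples. An empty list means the cadence was kept."""
    evs = sorted(evaluations)
    return [(a, b, (b - a).days) for a, b in zip(evs, evs[1:]) if (b - a).days > max_gap]


def evaluation_cycles(released, incident, max_gap=MAX_GAP_DAYS):
    """Full max_gap-day windows between a patch release and an incident: the
    minimum number of times a compliant entity would have evaluated the patch."""
    return (incident - released).days // max_gap


def listening_sockets(netstat_text):
    """(address, port) for every TCP LISTENING row in 'netstat -an' output."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            addr, port = parts[1].rsplit(":", 1)  # handles "[::]:445" as well
            found.append((addr, int(port)))
    return found


def exposed_ports(netstat_text, needed_ports):
    """CIP-007-6 R1 view of a host: network-reachable listeners that were not
    determined to be needed, plus known-risky ports even if someone listed them."""
    findings = []
    for addr, port in listening_sockets(netstat_text):
        if addr == "[::1]" or addr.startswith("127."):
            continue  # loopback only: not network accessible
        if port in KNOWN_RISKY_PORTS:
            findings.append((addr, port, "known-risky: block on host and at firewall"))
        elif port not in needed_ports:
            findings.append((addr, port, "not on the needed-ports list"))
    return findings


# Constructed sample data (not from any real utility).
EVALUATION_LOG = [date(2017, 1, 10), date(2017, 2, 10), date(2017, 3, 20), date(2017, 5, 1)]
COMPLIANT_LOG = [date(2017, 1, 10), date(2017, 2, 10), date(2017, 3, 15), date(2017, 4, 18)]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
  TCP    192.168.10.5:8080      0.0.0.0:0              LISTENING
  TCP    192.168.10.5:49731     52.1.2.3:443           ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""
NEEDED_PORTS = {3389}  # what the asset owner documented as needed

if __name__ == "__main__":
    for a, b, days in cadence_gaps(EVALUATION_LOG):
        print(f"R2 gap: {a} -> {b} is {days} days (> {MAX_GAP_DAYS})")
    print("evaluation cycles MS17-010 -> outbreak:",
          evaluation_cycles(MS17_010_RELEASED, WANNACRY_OUTBREAK))
    for addr, port, why in exposed_ports(SAMPLE_NETSTAT, NEEDED_PORTS):
        print(f"R1 finding: {addr}:{port} {why}")
```

On the constructed data the R2 check flags two evaluation gaps (38 and 42 days), the release-to-outbreak window holds one full 35-day cycle, and the R1 check reports the SMB listener on all interfaces plus an undocumented service on 8080 while ignoring the loopback-only database port.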

Standards Frameworks Work, Too

Good cybersecurity is not just a product of having the latest firewalls and security systems in place; it is also the product of having a program in place, like adherence to CIP standards, that sets a policy and specific procedures that must be followed. Companies and organizations that do not adopt a standards framework, such as CIP, will increasingly be at the mercy of Internet racketeers and extortionists.

