Navigant Research Blog

High Stakes Blockchain Applications Are a New Frontier for Cybersecurity

— November 30, 2017

Blockchain-Based Systems Are Only as Strong as Their Weakest Link

On November 16, the US Patent and Trademark Office released a patent filed by Nasdaq that describes a blockchain-based architecture that could be used to track the ownership and transaction of stock market assets.

Nasdaq is part of a wave of big name organizations globally—including banks, utilities, and the Pentagon—that have announced plans to experiment with blockchain to determine whether it can help their organizations run more smoothly, efficiently, and securely.

As the hype train charges onward and expectations skyrocket, there is a real risk that in the rush to generate solutions to increasingly complex high stakes problems, adopters will forget that simply adding blockchain doesn’t make a system bulletproof. Before integrating blockchain into keystone systems like stock exchanges or electricity grid operations, it’s important to understand where blockchain brings security to a system, where it doesn’t, and how it interacts with other pieces of the puzzle.

Blockchains Are Built on Security and Cryptography Principles

Blockchain architectures are considered a robust and highly secure means of storing information for several reasons:

  • The blockchain is stored across a decentralized and distributed network of many computers, creating a redundant record with no single point of failure.
  • Network nodes use a resource-intensive cryptographic process to reach majority consensus on the chronology and validity of transactions between nodes.
  • The full record of information stored on the blockchain is auditable by any node in the network.

In combination, these properties make the blockchain ledger itself resilient to attacks. Indeed, despite soaring valuation that provides a $140 billion incentive for hackers, the underlying architecture of Bitcoin has never been broken.

Determined Hackers Will Work Around Unbreakable Cryptography

Rather than attacking the blockchain itself, hackers have repeatedly exploited weakness in the hardware and software components of the system—the personal computers and devices that make up the nodes of the network and the software applications that enable autonomous transfers and digital contracts. It’s the cryptographic analog of identity theft: a thief doesn’t need to smash their way into a bank vault if they can clone your credit card.

White hat hackers used exactly this principle to gain irreversible control of users’ Bitcoin wallets by exploiting a hole in cellular text messaging protocols. A hacker famously exploited errors in an Ethereum smart contract to steal $31 million  from early backers of a startup. The blockchain preserves an immutable open record of the thefts for all to see, but it also makes them irreversible.

Planning Ahead

The electricity system is a frequent target of cyber attacks backed by powerful antagonists. To date, no blockchain architecture has yet been subjected to a stress test of the magnitude we might expect if it were supporting, say, the automated demand response capabilities of a microgrid in an urban financial district. Potential applications in these systems are among the most transformative opportunities for blockchain, but will also be among the most prone to cyber attack and the hardest to field test at scale.

Until a set of comprehensive security standards for blockchain-based systems is developed, Nasdaq and any organizations seeking to adopt blockchain-based solutions must recognize that blockchain does not inherently provide end-to-end security. For blockchain to be part of the solution requires thoughtful implementation and proactive design that maximizes security at the ends of the chain. Every link of the system must be evaluated for security and potential vulnerabilities, and adopters should be especially cautious about entrusting critical systems to the technology.

 

Cybersecurity Threats Mount, but Overall Picture Not So Bleak

— November 16, 2017

Cybersecurity threats keep mounting against the grid, corporations, and individuals. The known attacks and security holes revealed in the past year are real and cause for serious concern. The whole picture, however, might not be as bleak as it first appears if utilities focus on getting ahead of cybersecurity threats. The good guys are in this fight and they have solid tools to keep us safe. Among grid-related threats, at least three incidents stand out as examples of how grim the situation could become if utilities do not proactively address cyber attacks.

It was revealed in August that a foreign power had compromised the state-owned Irish power grid company EirGrid, according to a report by Ireland’s Independent newspaper. When the hack was first discovered, experts said the breach occurred more than 2 months beforehand. At the time, the newspaper’s sources said it was still unknown if any malicious software had made its way into EirGrid’s control systems. Though it is unclear which foreign power was involved, the hackers used Internet Protocol (IP) addresses sourced from Ghana and Bulgaria.

In July, US officials revealed that hackers had penetrated computer networks of companies operating nuclear power stations, other energy facilities, and manufacturing plants. Wolf Creek Nuclear Operating Corp.’s power plant near Burlington, Kansas is one of the nuclear facilities specifically named. The nefarious activity caused the US Department of Homeland Security and the US Federal Bureau of Investigation to issue an amber warning, which is the second-highest rating level. It turns out the hackers were unable to hop from victims’ computers into control systems, and officials said there was no sign of a threat to public safety.

In mid-October, millions of people found out that nearly all Wi-Fi devices were at risk of hijack and eavesdropping because of a bug known as KRACK that exposes a flaw in the common security protocol WPA2. If exploited, a hacker could use a skeleton key to access any WPA2 network without a password. Patches for thwarting the threat have been made available from some vendors, while others are still pending.

Grid Cybersecurity

So, how high are the overall risks? Potentially rather high, but perhaps not as high as one might think for the grid in particular. According to Philip Propes, chief security information officer for the Tennessee Valley Authority (TVA), the situation is not doom and gloom in the electric utility sector. During a recent webinar, he said officials in the utility industry are well aware of cybersecurity issues and many have taken appropriate steps. In TVA’s own case, he says his team is moving from a reactive approach to a proactive approach around security and getting ahead of attacks before an event occurs.

Furthermore, private experts and researchers at the US Department of Energy’s national labs are working on new methods to reduce the threat from cyber attacks. One project at Oak Ridge National Laboratory would set up a private communications and control system for the grid, called darknet, that would operate separately from the public internet. Also, the use of quantum encryption capabilities could add enhanced security for the grid.

Cybersecurity risks should not be taken lightly, but there is no reason to panic. There is a growing sense of urgency among experts and officials to collaborate on robust solutions and progress is being made quietly, despite the mounting threats. For a more in-depth look at how utilities are responding to these threats, check out Navigant Research’s Cybersecurity for the Digital Utility report, written by my colleague Michael Kelly.

 

As Security Threats to IoT Grow, So Do New Solutions and Regulations

— October 10, 2017

Good reasons abound for concerns about the vulnerability of the electric grid to cyber attacks. Likewise, enterprises must confront serious security risks as a growing number of firms adopt industrial IoT (IIoT) technologies. Consumers risk potential hacks as they install IoT gadgets such as smart thermostats or voice-activated devices like Amazon’s Echo in their homes.

Scary Stories

Recent stories paint a dark picture of these risks. A story about Industroyer—a modular malware likened to the notorious Stuxnet worm—sends a sobering message. The story’s author, Robert Lipovsky, says, “Industroyer poses a big threat to industrial systems because it doesn’t exploit any vulnerabilities,” and that its four payload components “are designed to gain direct control of switches and circuit breakers at an electricity distribution substation.” Also, the malware can be reconfigured to attack other energy infrastructures and other industries like manufacturing or transportation.

In the broader realm of well-known Bluetooth technology, the story is much the same. An IoT security firm called Armis has uncovered critical flaws in Bluetooth implementations that could affect up to 5.3 billion devices. The Armis researchers have named this threat vector BlueBorne. So far, nothing untoward has been reported in terms of hacks, and Armis is working with Apple, Microsoft, Google, and Linux developers to quietly coordinate the release of patches to stop potential attacks. But left unchecked, attackers could theoretically take over Bluetooth devices or commandeer their Internet traffic.

Products to Protect against Threats

Despite these ominous stories, technology vendors have new products aimed at reducing security threats. Intel, for example, has a new process called Secure Device Onboarding to ensure a more secure deployment of connected devices for enterprises. The idea is to help industrial customers safely and quickly install IoT devices, such as lighting, sensors, and gateways. The company is working across the ecosystem to help push this new level of security and boost IoT adoption.

Similarly, Cisco is touting enhanced routers for utility customers with security at their core. Executives from Cisco report that security is top of mind for utility and other enterprise customers in the face of the latest cyber threats, and the company is responding to this this demand.

Policy Adaptation

Elected officials in the United States also see the threat to IoT devices, and are pushing new legislation. A bipartisan group of senators has proposed a new IoT Cybersecurity Improvement Act of 2017, which is still working its way toward approval. The law, if enacted, could be one more key driver toward a safer IoT and IIoT world.

In the face of potential IoT-related threats, it might be easy to see only the dark side. To be sure, connected devices are more vulnerable than non-connected ones. Nonetheless, leading IoT vendors, their customers, and even legislators are taking real steps to hinder harmful attacks. This means that the situation has a bright side, too.

 

New Cyberweapons Heighten Grid Concerns

— July 6, 2017

The threat level against grid assets and Internet of Things (IoT) devices keeps rising—or at least we are witnessing a heightened sense of potential disasters. The latest eye opening news was the revelation, or perhaps better put, the confirmation that Russia has developed a cyberweapon that can disrupt power grids—which is not all that surprising considering the suspicious blackout reported last year against the grid in Ukraine.

CrashOveride

Researchers say the Russian malware—known as CrashOveride—is a cyberweapon that could be modified and then deployed against the US electrical grid or the grids of other Russian adversaries. One cybersecurity expert called the latest news a game-changer, while another expert says the latest information connects to an ongoing Russian effort that at one point targeted US industrial control systems in 2014.

The potential threat to the US grid has reached the highest levels of the government. President Trump met recently with leaders from the energy sector and experts in the field of cybersecurity to address the issue and to reiterate his plea for improving the cooperative work between the public and private sectors to protect critical infrastructure like the grid. The meeting followed the president’s May executive order, which in part called for an assessment of how prepared the country is should a significant cyber attack cause prolonged power outages.

Little Known Nuclear Site Intrusion

While the Russian cyberweapon story captured headlines, a lesser known threat against US nuclear power generation sites has surfaced. Officials are investigating a cyber intrusion affecting several nuclear power sites, according to E&E News. Details are few, but officials have confirmed they are unpacking a secretive cyber event code-named Nuclear 17. There is no evidence nuclear energy assets were compromised, but such a cybersecurity breach at closely guarded nuclear reactors would appear to indicate an escalation of hackers’ abilities to probe such sensitive infrastructure.

In the IoT world, no new major attacks have been reported, but the threat against connected devices remains relatively high. One noted expert believes the situation is worse than most people think. We are “one disaster away from government doing something,” says Bruce Schneier, CTO of IBM Resilient, a fellow at Harvard’s Berkman Center and a board member of Electronic Frontier Foundation. He argues that IoT industry stakeholders need to help shape smart regulations or run the risk of operating under stupid government rules. His point is well taken, and aligns with what I’ve said in a previous blog about stakeholders focusing on strong security measures. It’s a way to keep systems and people safe and to shape best practices that regulators could view as a framework for reasonable or smart IoT regulations.

Pay Attention, Don’t Panic

Given where we are with cyber attacks, whether against grid assets or IoT devices, we should be concerned, but I see no need for panic. As bad actors with increasingly powerful tools come to light, there is a clear need for stepped up action by grid operators, technology vendors, and regulators. Presumably, important action is taking place behind the scenes. But it would be comforting to know with more certainty that government and industry stakeholders are cooperating and pushing real measures to minimize the risks to the grid and to people.

 

Blog Articles

Most Recent

By Date

Tags

Clean Transportation, Digital Utility Strategies, Electric Vehicles, Energy Technologies, Policy & Regulation, Renewable Energy, Smart Energy Practice, Smart Energy Program, Transportation Efficiencies, Utility Transformations

By Author


{"userID":"","pageName":"Cybersecurity","path":"\/tag\/cybersecurity","date":"12\/18\/2017"}