A few years ago, cyberattacks with physical effects, like Stuxnet, were relatively unheard of. In the last few years, this paradigm has changed with many cyberattacks targeting physical systems and critical infrastructure.
For attackers seeking physical impact and lifestyle disruption, the power sector is an ideal target. The intricacies of power systems result in more vulnerabilities, and a successful exploit can have cascading effects.
In this article, we'll explore the domino effect that cyber-attacks have on electric grids, the impact of third-party risk, and strategies to bolster the sector's cybersecurity defenses, preserve the operation and service of all ecosystem players, and ensure the ongoing integrity of the entire utility sector’s value chain.
The Electricity Value Chain: A Web of Vulnerabilities
The modern electric grid is a complex network of power generation, transmission, and distribution systems, each in turn made up of power plants, substations, transformers, and millions of miles of power lines. This intricate system relies heavily on digital infrastructure and connected technologies to operate efficiently, monitor demand, and ensure a continuous, stable supply of electricity, which exposes it (and its processes) to a multitude of potential threats along the electricity value chain.
The average age of power generation equipment in the US is 28 years, and these systems were designed and built before cybersecurity was a concern. Consequently, many power plants run systems that haven't been updated, leaving them open to potential threats. Moreover, as Operational Technology (OT) networks become more integrated with IT networks to ease monitoring and upkeep, that integration heightens the risk of these dated systems facing malicious attacks.
Ransomware attacks and data breaches pose an operational threat to electric power plants and clean energy generators, and could trigger dangerous service interruptions and other public safety issues. Many electrical power plants and components of the electric grid (e.g., aged power plants and substations) rely on legacy systems and protocols designed without online security in mind; these systems are more likely to harbor hidden vulnerabilities waiting to be exploited by cyber attackers. The Industroyer attacks against Ukraine provide a clear example of the threat that malware can pose to a power grid. The country suffered multiple attacks in 2016 and 2022, causing blackouts in Kyiv.
Physical security weaknesses can often provide cyber attackers with ideal entry points to grid control systems, where they can surreptitiously plant malicious software and backdoors. Once exploited, compromised transmission systems can lead to blackouts over vast regions, darkening cities and overloading systems to dangerous levels, causing physical damage that can take weeks, if not months, to repair.
Like power generation systems, power distribution systems also commonly rely on outdated communications protocols and legacy SCADA systems with critical vulnerabilities. To make matters worse, many of these systems are accessed remotely without modern authentication and encryption mechanisms. A cyber attacker looking to cripple the electrical distribution infrastructure may selectively target areas for widespread mayhem, leaving crucial services like hospitals, emergency services, and water treatment plants without power.
Electric utilities rely on a vast network of third parties, suppliers, and vendors for critical equipment and software. A supply chain attack involving a compromised third-party product or service can have far-reaching consequences, resulting first in the infiltration and compromise of the utility company’s network, followed by potential negative impacts downstream.
Similarly, digital transformation initiatives have also introduced a range of potentially vulnerable systems. Internet of Things (IoT) systems have notoriously poor security, using default passwords, outdated software, and weak encryption. While car manufacturers brag about vehicle connectivity, the reality is that vehicles collect large volumes of sensitive data, and the growing EV trend means that these data-hungry systems are directly linked to the power grid.
The possible fraudulent use of customer billing details (such as names, addresses, and payment card information) by smart device providers is widely recognized. Yet even data from smart devices that appears innocuous can severely harm utility customers if compromised. For instance, while the consumption data from a smart meter aims to help users gauge and lower their electricity use, it can also expose their daily routines, inadvertently indicating when a residence is empty, making it an attractive target for theft.
Like electrical utilities, smart devices have vulnerabilities with cyber-physical impacts. Access to a smart meter could allow an attacker to disrupt electricity service, or an EV could be hacked with devastating results.
The Hidden Adversary: Third-Party Cyber Risks
Within these risks, there's a hidden adversary: the potential for a bad actor to exploit you through one of your third parties.
The risk of attacks against third-party technologies, applications, and vendors has grown significantly for utilities in recent years. In fact, data shows that 67% of breaches are through a third party. As utilities become more interconnected and reliant on third-party providers, more vulnerabilities and cyber risks are introduced.
Complex Supply Chain
Utilities commonly have complex, expansive supply chains. Third-party suppliers of equipment, services, and software provide significant benefits to the enterprise but also create additional attack vectors for cybercriminals to exploit.
While utilities are held to high cybersecurity standards and may have robust security programs, third parties and contractors are not held to the same standards, and as a result their cybersecurity practices may be weaker. An attacker who exploits a third party's weak spots can gain access to the utility’s IT environment.
How CyberGRX helps: Predictive Risk profiles can help you gain an initial view of an incoming vendor’s security posture, enable security teams to identify gaps and recommend areas of concern to explore further, and accelerate the procurement process overall.
Lack of Visibility
Ensuring full transparency into the cybersecurity measures of third-party vendors is a daunting task. Without comprehensive insight into both direct and indirect supplier security, pinpointing and tackling the most pressing risks becomes tough.
CyberGRX’s Portfolio Risk Findings provides context on the magnitude of your security gaps across your entire third-party portfolio. With Framework Mapper, you can dive deeper into a specific vendor’s control coverage against industry frameworks, like NIST 800 and NERC CIP, or apply a Threat Profile to view how well a third party rates against controls commonly exploited in attacks.
The energy sector is subject to an array of regulations for storing and securing customer data, and there are penalties for non-compliance. Portfolio Risk Findings and Framework Mapper both make verifying vendor compliance significantly easier.
However, a compliance-based approach to cybersecurity still leaves a utility vulnerable to hidden risks. Regulations are designed to mandate the minimum acceptable level of security and may not keep pace with evolving technologies and cyber risks. As such, a fully compliant organization can still be vulnerable to third-party data breaches and other cyberattacks. Regulatory compliance is one piece of a more comprehensive risk management program.
If a third-party vendor is the victim of a cyberattack, it may take time for them to identify the issue and report it to their customers and partners. According to the 2023 Cost of a Data Breach report, the time to detect and contain a breach averages 277 days, a long window that gives cybercriminals greater opportunity to create a backdoor and infiltrate your network, too.
CyberGRX enables continuous monitoring of your third-party ecosystem, providing near real-time alerts when a third party experiences a data leak, domain abuse, a data breach, or dark web activity. Don’t wait for a news headline to learn one of your third parties had an incident—continuous monitoring provides insights to respond as an attack is happening.
Connectivity Equates to Vulnerability
As the world becomes more interconnected, it also becomes more vulnerable. For the energy sector, IT and OT environments are likely to become even more interconnected over time, increasing the likelihood and impact of cyber-attacks. By proactively working to manage third-party risk and protecting the electricity value chain against cyber threats, you can help to ensure the availability and resiliency of the critical services your energy organization provides.
To learn how CyberGRX can help your energy organization improve visibility into your third-party ecosystem and identify your hidden risks, book time with our team.