Cyber Security: Power Outages Caused by Animals

I just came about the following website that reports many serious "attacks" on the electric power grids:

https://www.cybersquirrel1.com/

It seems that animals are more serious "attackers" of the power grid than hackers ...

Fortunately researchers are "looking" beyond animals ... to humans ... 

Click HERE for information about a crucial R&D project at KIT (Karlsruhe Institute of Technology): "Weak point analysis in energy system protocols"

Siemens SIPROTEC 5 Relays With Various CPU Variants Have Security Issues

Please note the following information made public by US-Cert_CISA ... in case you use SIPROTEC 5 Relays:

EXECUTIVE SUMMARY

CVSS v3 9.8

ATTENTION: Exploitable remotely/low attack complexity

Vendor: Siemens

Equipment: SIPROTEC 5 relays

Vulnerabilities: Classic Buffer Overflow

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition or trigger a remote code execution.

Click HERE for the complete just updated report.

Ten Years After Stuxnet Went Public - And Now?

One of the senior experts in cyber security wrote today:

"Recently many of us noted the 10th Anniversary of when Stuxnet went public. Some commentators think it was for cyberspace a “Hiroshima” type of event. Some have been saying that there have been no other events like it since and this puzzled me. So I wrote my thoughts down to share."

http://scadamag.infracritical.com/index.php/2020/07/31/perhaps-we-are-missing-a-lesson-from-stuxnet/

Another senior expert is wondering why there is little information disclosed and lack of guidance about control system cyber security incidents that can affect multiple facilities in multiple industries:

https://www.controlglobal.com/blogs/unfettered/information-sharing-on-control-system-cyber-incidents-is-not-working-and-that-can-be-deadly

Both are worth to read!

PhD Student Working On Cyber Security In Critical Infrastructures

Fredrik Heiding (PhD Student) wrote the other day:

Fredrik Heiding, PhD StudentNetwork and Systems Engineering
KTH, Royal Institute of Technology

I am doing a PhD on cyber security in critical infrastructure. Currently I study the security trends for critical infrastructures in Europe, analyzing where it is heading and how it is developing. To strengthen the study I have identified seven general questions, they are general in nature so they can be answered by people in critical positions without revealing sensitive information.

Here are the Questions from Fredrik and Answers from a very senior expert:

Vytautas Butrimas

Cybersecurity consulting

See also: http://blog.nettedautomation.com/2020/06/scada-security-matters-should-matter.html
Vytautas Butrimas wrote in the introduction to his answers:

This a particularly interesting time in CIP. I come from and IT background and have focused mostly on the cybersecurity of industrial control systems in the past 10 years. This has been a long learning curve for I found that my IT knowledge did not provide enough to understand the engineering and laws of physics that are dominant in the monitor and control of physical processes found in the pumps and compressors on fuel pipelines, treatment of drinking water, routing of trains, and the generation and distribution of electricity. One needs to know the implications and peculiarities between working IT office time and real time to work in this field.
I looked at your questions and will give brief answers.  If you wish to further discuss them with me then we can do so offline.

---------------------------------

Question 1:

What concerns for the future do you have regarding cyber security in critical infrastructure?

Answer 1:

How the introduction of increased complexity of systems (systems of systems, adding more sensors, increased connectivity) will be managed without taking away from safety, reliability and performance.

Question 2:

Over the past decade, digital attacks have become more central to the security of critical infrastructure. Do you think the trend will continue to increase or culminate?

Answer 2:

There are some signs that things will get better but at the same time they will get more complicated.  Security practitioners need to realize that much more attention is needed where the physical process is taking place and the devices closest to it that are monitoring and controlling it, not where they are being monitored by humans in a remote location or control room.  ** One more thing we should not just be focused  on „ATTACKS“.  We also have to consider unintended actions or accidents. As the complexity of systems and connectivity of devices increases so will the unintended or „why did that happen?“ incidents.***

Question 3:

What relevant research or technological advances do you find most interesting for the future?

Answer 3:

Have to think about this one.  It feels we are all trying to keep afloat in a tsunami of technological advances.  The ones that worry me the most are the new features which also come with vulnerabilities that need to be addressed before a malicious group decides to exploit them.

Question 4:

Do you see IIoT (Industrial Internet of Things) as an opportunity or a concern, if both, which part is greatest (positive or negative)?

Answer 4:

I see it mostly as a concern (see my earlier answers). I suggest watching a video available on youtube called "Brave New Internet 4.0 " by one of your famous countrymen, Ralph Langner.  The questions and concerns he raised in that lecture IMHO have not been addressed.

Question 5:

Do you have plans to, or do you think that you will expand the cyber security department in the coming years?

Answer 5:

I am currently working my out of "mandatory retirement" and am not in position in expand anything (perhaps later this year I will change my answer).  If I was in a position of influence at an operator of CI (energy sector for example) I would do my best to set up some support for the senior engineer of the plant.  When he sees something unusual going in the operation he should be able assign this problem to an security operation center. Could be at least one person or a small team that understands cyber threats and how they could be applied to the engineering side of the operation.  The senior plant engineer has to keep things running and does not have time to stop and investigate something.  He needs someone to help him and a ICS SOC could be a good solution is management is willing to spend the money for the positions and training.

Question 6:

Can you share anything about past attacks/intrusion attempts, both successful and unsuccessful attempts are interesting?

Answer 6:

Look at the freely available information on line. Look up Ralph Langer to learn about STUXNET. It happened 10 years ago and this is probably the most analyzed and documented incident we have today that is publicaly  available.  Much can still be learned for the methods continued to be applied today. In 2014 in Germany your government (BSI) published its yearly report on cyber incidents.  There is a section devoted to a cyber attack on a steel mill that had an uncontrolled shutdown and resulted in damage. Look at Triton/Trisis/Hatman incident of 2017 where the safety systems of a petrochemical plant tripped not one but twice. Look for video lectures on this from Dale Pedersons S4 conferences in 2018/2019 (see lecture by Julian Gustmanis and by Schneider Electric)

Question 7:

Has the attitude towards cyber security changed in the last 5 years, why and in which way/

Answer 7:

The attitude is changing and for the better. Much better in the engineering community who have  understood how threats from cyberspace can get into their operations. On the other hand as far as government policy makers go they still have a long way to go. Much technical expertise has left government for the private sector leaving some governments blind to some issues. The 3 Little Pigs problem is evident where one thinks one has taken the appropriate measures and build a house of straw or of sticks to protect from the wind and the rain but the possibility of their being a wolf is somehow missed.  You would be surprise at how many government policy makers do not know what scada is and yet think they are doing a great job at protecting critical infrastructure.

--------------------------------

How Serious Are You About Cyber Security For Power Systems?

I know: A lot has been talked and written about Cyber Security for power delivery and many other systems.

BUT: What about insurance that specify coverage for cyber damage? 

You may figure out that your company has insurance covering cyber damage. So far - so good!
Be careful and read the latest development regarding the question, if all damages will be covered by your policy.
Please check the following report and ensure this article is made available to all senior managers and executives immediately ... a famous case (Merck) explains that there may be cases where the insurance companies may not pay at all ... in case of big bang attack ...

Click HERE for the wake-up call for everybody - from Bloomberg!!

How secure are “Air-Gapped” Systems?

Many experts believe that it is sufficient to have an "air-gap" between their system and the internet or other outside systems. Because they expect that an "air-gap" would not allow to attack their system.
Several other experts do not believe that.
A demonstration of a destructive cyber attack vector on “air-gapped” systems will be given during a conference in October 2016:
ICS Cyber Security Conference (www.icscybersecurityconference.com)

Click HERE for the full report.

How to Protect Electric Power Delivery Systems?

These days we see a lot of discussions on security in the domain of electric power delivery systems. One thing is for sure: The power delivery infrastructure is under heavy stress ... just to list a few issues:

1. Aging equipment (primary and secondary).
2. Increasing cyber attacks.
3. Increasing physical attacks.
4. Aging Workforce.
5. Political objective to reduce the rate per kWh of electric power consumed.
6. ...

A lot has been discussed recently regarding these and other issues.

Today I would like to have a brief look on the third bullet "Physical Attack". The Wall Street Journal (WSJ) published the other day a report on physical attacks of substations in the US: "Grid Attack: How America Could Go Dark". After reading these news I decided not to post anything about that report. But: When I got up this morning I read the (bad) news about the tragic attack on humans in Nice (France) last night with 80 people on the death toll of 80, I said to myself, I have to talk about these physical attacks.

First of all, our prayers are for the French people in general and especially for those that have lost one of their loved one, for those that are insured, and those that have experienced this attack.

Second, please read the WSJ report to understand the situation of our - partly very unprotected - electric power delivery system:

Click HERE for the report.

More or less the same could be reported about many substations worldwide.

Next time we may see a truck driving into a major substation, power plant, or high voltage transmission tower, ... How can we protect ourselves and the technical systems that are needed every second in our life?

2. Timothy 3:1-5 says: "1 But understand this, that in the last days there will come times of difficulty. 2 For people will be lovers of self, lovers of money, proud, arrogant, abusive, disobedient to their parents, ungrateful, unholy, 3 heartless, unappeasable, slanderous, without self-control, brutal, not loving good, 4 treacherous, reckless, swollen with conceit, lovers of pleasure rather than lovers of God, 5 having the appearance of godliness, but denying its power."

It is unlikely that all humans will understand the importance of the electric power delivery system (and other critical infrastructures) and to control themselves NOT TO TOUCH the system (AND of course other humans)! So, we have to do our best to better physically protect the crucial stations - which is better than do nothing. Attacks will continue to happen - but we have to spent more resources to increase the physical security.

We all have to accept the increase in your electric power bill - if we want to continue using power whenever we need it - 24/7. I hope that we learn better what the real value of our electric power infrastructure is for our daily life!

Ukrainian Power Grid -- Cyber Attack is a Wake-Up Call for All of us

"On December 23, 2015, the Ukrainian Kyivoblenergo, a regional electricity distribution company, reported service outages due to a third party’s illegal entry into the company’s computer and SCADA systems. ... the strongest capability of the attackers was not in their choice of tools or in their expertise, but in their capability to perform long‐term reconnaissance operations required to learn the environment and execute a highly synchronized, multistage, multisite attack. ..."

Click HERE for an interesting Report that provides "important details surrounding the attack, offering lessons learned, and recommending approaches to help the ICS community repel similar attacks."

This and other attacks are Wake-Up Calls for Everybody! We should be aware that to some extent this trend will impact us all one way or the other - sooner or later.

One thing is sure: The future secure delivery of electric power will require more resources and smart people!!