Electric co-ops are prepared for cyber-attacks
By Thomas Kirk
The specter of cyber-attacks on our nation’s critical infrastructure brings to mind Hollywood depictions like War Games or Mr. Robot. But how dangerous are cyber-attacks? Currently, cyber-attacks are one of many risks electric utilities have to manage, but the threat to sensitive data and financial accounts is larger than it is to the physical grid itself. According to Chris Inglis, former deputy director of the National Security Agency, “I don’t think paralysis [of the electrical grid] is more likely by cyber-attack than by natural disaster. And frankly, the number-one threat experienced to date by the U.S. electrical grid is squirrels.”
While there are examples of cyber-attacks on utility systems, they’re rare. A recent cyber-attack on distribution control systems in Ukraine led to an outage that affected 225,000 customers in December 2015. In the case of the Ukraine attack, electricity was restored within three to six hours by manually operating switches. Some firmware was permanently damaged, but there was no damage to generation equipment.
A cyber-attack – especially cybercrime – is a risk for electric utilities. Every year, cybercrime costs the U.S. billions of dollars. For electric cooperatives, the average cyber insurance claim costs $733,000 according to Bill West, vice president of underwriting at Federated Rural Electric Insurance Exchange. To protect against malicious hackers, cooperatives are implementing different defensive strategies including penetration testing, staff training, application whitelisting and investing in innovative research and development.
Penetration testing involves paying a third party to hack your network from the outside. Penetration testers, or pen testers, provide a report of the exploits they used in order to show the utility its areas for improvement. The goal is to find weaknesses that are visible to attackers and to patch them before malicious hackers discover them.
Electric co-ops are also investing in staff training to teach employees how to recognize threats. According to Damon Drake, cyber security engineer at Seminole Electric Cooperative, “Technology is only about 10 percent of the protection, because it’s only as good as the people behind it.” Often hackers will target people rather than systems through phishing – emails designed to make you click a link, or social engineering, which manipulates people into clicking a link, visiting a specific web page or sharing confidential information. Typical cyber security training includes ways to identify common scams and how to stay safer online.
Another emerging strategy is application whitelisting. This is best understood as the reverse of blacklisting, which is how many spam filters and anti-virus programs run. Blacklisting is a way to maintain a list of all malicious programs and block them when they appear. In whitelisting, only programs on an approved list are allowed to run. This helps to prevent unidentified malicious programs from running and gives the co-op tighter control over what programs are allowed.
Lastly, electric co-ops are investing in innovative research. The Department of Energy is providing support in a $15 million, three-year partnership with the National Rural Electric Cooperative Association (NRECA) and the American Public Power Association. NRECA will use its $7.5 million share to make cutting-edge cyber security expertise and technology more accessible to the co-op community.
Tips to avoid becoming a cybercrime statistic
While electric co-ops are taking steps to protect the network, there are several steps you can take to protect your personal information online.
- Don’t give out secure or confidential information to anyone you don’t know, or whose identity you can’t verify. This includes both on-line and on the phone.
- Keep your software up to date.
- Think before clicking any links or opening attachments in an email. Many viruses can “spoof” the return address, making it look like the message came from someone else. If you can, check with the person who supposedly sent the message to make sure it’s legitimate before opening any attachments. If an email link or attachment seems suspicious, don’t open it. If it happens at work, report it to the appropriate person on your staff as suspicious.
- Use strong passwords or passphrases with a mix of characters, and don’t reuse the same password for multiple sites no matter how strong it is. If a site is compromised, then that password is compromised, and any other sites that use that same password are vulnerable as well. Consider investing in a password manager.
- Be careful using any public wifi network. Network traffic can be easily monitored. Logging into your bank account or other sensitive sites from an open wifi network can compromise your security.
No single list of tips is comprehensive or guaranteed to keep you safe. Exercise good judgment and continue learning about ways to protect yourself against cybercrime.
Thomas Kirk is a technical research analyst specializing in energy efficiency and renewable energy for Business & Technology Strategies (BTS) as part of the Arlington, Va.-based National Rural Electric Cooperative Association.