In April, the Biden administration launched a 100-day plan to upgrade power grid cyber security through a series of voluntary initiatives and the establishment of an incentive-based framework to catalyse public-private partnerships, which aim to mitigate emerging threats and security vulnerabilities. Notably, however, several high-profile cyber attacks have curtailed the Biden administration's push to upgrade national grid output, while exposing notable security vulnerabilities.
Outdated grid technology and an increasingly decentralised power grid are complicating US government efforts to mitigate these vulnerabilities and emerging threats. As companies look to integrate renewable energy sources and emerging technologies, they create an increasingly complex set of potential vulnerabilities, requiring a parallel development track to build out cyber security functions and threat mitigation efforts.
We expect US federal government initiatives to support industry awareness and improve long-term security capabilities. However, we also assess that the threat landscape, especially regarding ransomware groups, will remain persistent, prompting energy providers to regularly update security protocols and collaborate with US government cyber officials.
The phased integration of smart grid technology continues to create capability gaps for industry stakeholders. As a result, companies must maintain an agile cyber response plan, implementing a multi-front cyber strategy to effectively monitor and respond to possible attacks. A greater onus on private sector collaboration with the federal government will also play a notable role in the overall cyber security of energy grids.
Ageing US Infrastructure and Rising Cyber Attack Prevalence
In late April, the Department of Energy (DOE) and the Cybersecurity and Infrastructure Security Agency (CISA) released plans for a coordinated 100-day plan to bolster cyber security capabilities across US critical infrastructure, with a particular focus on improving electric utility providers. This comes as the Biden administration faces mounting pressure to patch up vulnerabilities in America’s ageing power grid and address cyber-physical system (CPS) threats.
A CPS is a system designed to orchestrate “sensing, computation, control, networking and analytics” to interact with the physical world, underpinning IT, operational technology (OT) and Internet of Things (IoT) efforts, where security considerations transcend the cyber-physical domain. IT service management firm Gartner predicts that the financial impact of CPS attacks resulting in loss of human life alone will top USD 50 billion by 2023. This does not include the significant costs to organisations in terms of compensation, litigation, insurance, regulatory fines and reputational loss.
Improving cyber security protocols and advanced public-private partnerships are key components in addressing CPS threats. President Biden’s looming USD 2 trillion infrastructure development project highlights this need through fund allocation for security revamping. However, given the extensive amount of time necessary to upgrade these projects, businesses should remain aware of contemporary cyber threats and the impact of emerging cyber security trends to safeguard operational capabilities.
A series of high-profile cyber attacks against CPS over recent months catalysed federal government efforts to strengthen US cyber security capabilities. Energy Secretary Jennifer Granholm emphasised the need to “address an increasing scope of cyber security challenges facing American infrastructure”. This includes the February cyber attack in Oldsmar, Florida, which saw a lone hacker gain access to a water treatment facility and attempt to compromise the plant's integrity via its supervisory control and data acquisition (SCADA) system. Although a manual override caught the activity, which sought to increase levels of sodium hydroxide (a corrosive chemical) in Oldsmar’s water supply, the ease of access achieved by a lone “opportunist” hacker exposes the lack of adequate protection protocols in place for key infrastructure functions.
2021 Cyber Attacks on Infrastructure and Vulnerabilities Identified
A debrief provided by CISA states that this attack was the result of an unknown cyber threat actor “exploiting cyber security weaknesses, including poor password security, and an outdated operating system”. The incident highlights how inadequately protected CPS create a “threat bridge” into an organisation's critical infrastructure. It is also worth noting that this breach occurred two days before Tampa, Florida, hosted Super Bowl LV, prompting local infrastructure operators to audit security systems on the day of the game for similar activity. Although there is no evidence to suggest the attack intended to disrupt the sporting event, the follow-on effect of a successful operation in Oldsmar, which is less than 30 miles from the Super Bowl venue, would have generated serious security concerns, causing the diversion of law enforcement and a potential postponement of the game.
The ransomware attack on the Colonial Pipeline, a major fuel provider for the US East Coast, further illuminates CPS vulnerabilities present across key infrastructure sectors. In the case of Colonial, a lack of sufficient data backups and compromised critical functions forced the company to temporarily shut down operations. Colonial's decision subsequently caused short-term fuel shortages and social unrest along the East Coast. The company ultimately resolved the issue by agreeing to pay USD 4.4 million to the hacking group despite initially denying reports of any ransom negotiation.
Unlike Oldsmar, the Federal Bureau of Investigation (FBI) attributes this attack, which displays high-grade complexity and scalability, to a new cyber criminal group known as DarkSide. Prior to this incident, DarkSide targeted critical infrastructure in South America, including two attacks on Brazilian electric utility companies Copel and Eletrobras in early 2021, forcing both firms to temporarily suspend select operations. Despite DarkSide only starting its operations in August 2020, the group's tactics and targeting indicate that it is composed of veteran cyber criminals capable of undertaking sophisticated operations. Furthermore, there are noteworthy similarities between DarkSide's ransomware and the code developed by the REvil ransomware-as-a-service (RaaS) group. Potential cooperation with REvil could explain the discrepancy between DarkSide's recent emergence and its highly technical capabilities.
The above cyber attacks compound a fragile cyber outlook for Q1 2021, underscored by the monumental SolarWinds attack, which compromised an estimated 9 federal agencies and private sector companies through SolarWinds' Orion management tool. This attack – attributed with high confidence by Washington to the Russian Advanced Persistent Threat group APT29 – is a foray into the grey zone of ‘supply chain’ cyber attacks, an area previously considered low-risk for attackers due to collateral damage rates and a high degree of exposure to law enforcement.
US Infrastructure Vulnerability Challenges
As the cyber threat landscape becomes increasingly volatile, an ageing power grid heavily reliant on private distribution systems further complicates the security picture. According to data from Texas A&M, 68% of Americans obtain electricity through investor-owned entities, most of which lack notable government oversight in their operating domains, especially in remote regions, leading to lagging maintenance levels and backup energy systems. The series of outages across Texas in February 2021 underscores these vulnerabilities: state electricity providers issued a series of rolling blackouts as record cold temperatures exhausted available electricity supply, causing several deaths and severe disruption to physical business operations. Coupled with insufficient cyber security components to mitigate even a low-grade threat, the impact of the events in Texas on the livelihoods of US residents compounds the CPS threats faced by US infrastructure, as it undermines public confidence and elevates the risk of social unrest.
Decentralised forms of energy production are on the rise as renewable energy sources, including solar panel home installations and wind farm development, grow in popularity. To enable more efficient grid management, the DOE is prioritising the development of a “smart grid” that would leverage a suite of technologies to “allow greater responsiveness in connecting power producers and consumers”. However, modernisation of the US energy grid expands the “attack surface” for hackers, providing more access routes as companies integrate additional information and communications technology, link networks and deploy multi-layer software. One example is the construction of autonomously controlled energy storage systems (ESS) in several US states, including California. This technology is key to integrating renewable energy sources into a future smart grid configuration due to its large storage capacity.
The DOE notes that the successful implementation of these digital systems requires a parallel path of security planning, through upgrading electronic industrial control centres in service since the 1970s and 1980s, expanding security investment, and improving information sharing with government cyber security entities.
US Government Response
Several federal agencies, including the DOE, Environmental Protection Agency (EPA) and FBI, are collaborating to upgrade the US grid's cyber security protocols. The 100-day DOE power grid initiative involves a Request for Information (RFI) for electricity suppliers and related companies, calling on industry representatives to submit plans to shore up cyber security supply chains.
This sprint will focus on industrial control system (ICS) and operational technology (OT) upgrades, providing a platform to address other critical infrastructure sectors in conjunction with the Biden administration’s infrastructure expansion programmes.
These developments coincide with a 60-day Department of Homeland Security (DHS) initiative on ICS security beginning in June, which aims to assess risks arising from the use of cyber-physical systems in water, electricity and natural gas infrastructure.
All the above projects will receive executive support through a new Cyber Safety Review Board, established by President Biden via an Executive Order issued on 12 May. The Board will work to establish a baseline cyber response ‘playbook’ to assist with federal network protection, providing minimum agency standards as the government transitions to cloud services and a “zero-trust” operational model.
Additionally, President Biden’s ambitious USD 2 trillion American Jobs Plan allocates USD 20 billion for energy infrastructure modernisation investments, including cyber security updates. Grant eligibility is based on compliance with DOE standards, which will include grid protection requirements. This is in tandem with another USD 650 million going to CISA to improve risk mitigation efforts.
Separately, the Biden administration’s push to crack down on Russia’s malicious cyber activity is ramping up, with the Treasury Department sanctioning 32 individuals and organisations allegedly involved in the recent string of cyber attacks, including Russian intelligence entities and several tech firms. While Moscow denies state-backed involvement, the over-exposure of these high-profile hacks is having an impact on Russian cyber crime circles, causing groups to reduce their digital footprint. Following the Colonial Pipeline attack, DarkSide posted to the Exploit hacking forum claiming it was closing its criminal operations after losing access to its “public data leak site, payment servers, and CDN servers” following law enforcement operations. This came days after President Biden spoke on ramping up cyber security efforts, calling on other governments to tighten enforcement mechanisms.
Notably, DarkSide had all of its postings removed from the ‘XSS’ Russian cyber criminal forum, as the forum operators grow wary of scrutiny by Russian security services. More specifically, the forum posted: “Peskov (Presidential Press Secretary for President Putin) is forced to make excuses in front of our overseas ‘friends’, this is a bit too much”. However, both the law enforcement operation and the forum bans are likely temporary setbacks, as DarkSide and other ransomware entities reconfigure personas and shift their recruitment focus elsewhere.
Moving into Q3 2021 there is a growing emphasis on a public-private partnership to advance US grid security, meaning energy providers must prepare to restructure internal cyber security functions to best match a collaborative working environment. This includes more liberal information sharing initiatives and the ability to audit multi-source data at a rapid pace, enabling federal enforcement agencies to support incident response programmes more effectively. This signals a departure from the “regulate and punish” avenue of cyber security compliance, as the sprint programmes launched by the DOE and DHS take on a more voluntary approach.
Government contractors should continue to update security capabilities in line with existing cyber security requirements, including the Cybersecurity Maturity Model Certification (CMMC) programme, Supplier Performance Risk System (SPRS) registration, and compliance with applicable National Institute of Standards and Technology (NIST) recommendations. Sibylline expects the federal government to strengthen its cyber security posture by building on these existing programmes, making it important for contractors and energy providers to monitor relevant updates.
Notably, DHS released a new cyber security directive requiring pipeline owners and operators to report any cyber incidents to CISA. The DHS directive mandates that these entities designate a “cybersecurity coordinator” to handle breaking developments on a 24/7 basis. Despite over 3,000 pipeline companies operating inside the US, the US Transportation Security Administration (TSA) found that only six government employees were continuously monitoring the cyber security needs of almost 3 million miles of pipeline across the country. Homeland Security Secretary Alejandro Mayorkas subsequently redoubled efforts to “work closely with our private sector partners to support their operation and increase the resilience of our nation's critical infrastructure”.
State-level lawmakers are reportedly planning to supplement this set of federal initiatives by providing another set of regulatory guidance that operators must adhere to. Notably, Connecticut and Florida are tabling bills to set up an online audit database of all cyber attacks, while several states, including California, Iowa, New Jersey and New York, plan to update their cyber security operating protocols.
Forecast and Implications
Over the short-to-medium term, Sibylline expects heightened alert levels and government risk mitigation capabilities to moderately reduce ransomware threats to entities operating in critical infrastructure. However, the overall ransomware threat landscape remains largely unchanged.
Opportunistic attacks, like the one launched against the water treatment facility in Oldsmar, Florida, will remain a notable and enduring threat. However, the announcement by prominent cyber criminal groups, such as REvil, that they will no longer allow their affiliate hackers to target organisations in the “social or government sectors” in the aftermath of the Colonial Pipeline hack should reduce the threat to some entities operating in critical infrastructure. Nevertheless, we also assess that there is a notable risk of high-profile ransomware groups, such as Ryuk, continuing to exploit the panic and fear caused by the Covid-19 pandemic to target industries of interest, such as healthcare, finance or technology. To this end, we assess that such activity will further elevate the financial and reputational risks that ransomware poses to businesses across all sectors.
Going forward, the phased integration of smart grid technology will continue to generate capability gaps for energy companies. In response, energy industry stakeholders must continue to adapt cyber response plans, promoting a work culture based on security and resilience while implementing holistic management and defence mechanisms that improve prevention, monitoring, response and recovery capabilities.