Power plants are more connected, creating new cyberthreats

The Internet of Things (IoT) has been a double-edged sword for power plants. On one hand it has offered convenience and more advanced security, but it has also opened the door to threats and attacks that were once not a concern.

Until fairly recently, power plants and SCADA systems were isolated from the rest of the world, said Michael Rothschild, Senior Director of Product Marketing at Indegy. They were not connected to the internet or other systems, making the threat of security incidents very unlikely. Furthermore, the computers used to run industrial processes generally operate for years without any updates or changes.

“The development known as the Industrial Internet of Things or IIoT, has eliminated this buffer zone or ‘air gap,’” Rothschild explained. “By connecting once isolated industrial devices to business networks, IIoT has introduced new security risks that could be right out of a science fiction novel. But they’re not.”

Many rogue factions have specifically targeted critical infrastructure because it is relatively easy and can cause massive amounts of damage, Rothschild said. “We have not seen many catastrophic failures, but there are numerous incidents where proof of concept of attacks have been carried out (e.g., Ukrainian power outage of 2015, Rye Brook Dam attack of 2016, etc.). There are many other incidents where adversaries have gained access to their enemy’s critical infrastructure to create a foothold or what we call ‘red button functionality’ so they can launch an attack at the time of their choosing.”

IoT devices such as internet-connected cameras have also been targeted. Many users do not change the default username and password, which makes searching and hacking video feeds quite easy. There are even a number of websites that note devices connected to the internet in important facilities and show their location. The lack of urgency in changing something as simple as a camera password, leaves the entire surveillance system vulnerable.

IoT is also being used to expand sensor arrays such as pressure, temperature and level across power plants, according to Ernie Hayden, Founder and Principal of 443 Consulting. While this may be great for detailed engineering analysis, IoT devices add more traffic to the wireless network and provide more opportunities for attackers to inject malware into the systems. He added that because IoT devices are becoming more prevalent and important to the operation of the plant, they can also be the medium for a denial-of-service (DoS) attack on the plant by shutting down or overwhelming the wireless system.

“Don’t forget the Mirai attack of a year ago where an attacker took advantage of flaws in many IoT devices and essentially shutdown a DNS service provider. This event showed that IoT devices need to be tested for security flaws before they are sold/deployed,” Hayden reminded.

While IoT has created vulnerabilities, it has also created many opportunities. Matthew LaRue, Senior Account Executive at Convergint Technologies noted how IoT has also allowed for more efficient energy use — using IoT smart devices has allowed consumers and companies to have improved understanding of energy usage.

When it comes to protecting operational technology (OT) systems from digital security threats, Rothschild explained that it requires the same approach used to protect IT infrastructure. While the tools need to be architected for an OT environment, many of the concepts are the same. This includes: maintaining an up-to-date inventory of assets; patching systems when vulnerabilities are discovered; applying a strong access control standard; deploying a strong, multi-disciplinary threat control system consisting of both signature and anomaly detection; and performing regular device checks on OT assets to ensure they are running as expected and have not been compromised.