Power plants are one of the most vitally important components of modern civilization’s infrastructure. A disruption in energy production impacts all aspects of society from healthcare to national security. Eliminating a country’s ability to generate energy is a powerful weapon that demands effective defensive measures.
At one time, power plant security only involved physically protecting facilities and generating equipment. The computerization of the industry has made it far more challenging to maintain power plant security, and the use of IoT devices has complicated the security landscape further. Each device provides another potential entry point into the network.
It is still possible to physically attack a power plant, but many of the top threats facing the industry today come from cyberattacks. Protecting the power generating infrastructure from this danger entails implementing advanced security methods and strengthening those already in place.
Why power plants are vulnerable to attack
Several factors contribute to the security vulnerabilities of power plants:
Control systems are no longer air-gapped
At one time, information technology (IT) and operational technology (OT) networks were air-gapped, meaning there was no direct link between the two entities. Advances in automation have resulted in merged systems that present a clear danger. Malicious actors who gain access to the IT infrastructure may also be able to compromise and disrupt the OT systems required to generate power.
Hackers are always searching for systems with weak authentication that can be easily compromised. Network-accessible devices with weak or default passwords can serve as a gateway to more critical systems.
Failure to install security updates
The lack of dedicated IT teams can make it difficult to promptly install software security patches and updates. This allows hackers to exploit known security vulnerabilities repeatedly.
Expanded attack surface
The number of entry points for hackers has expanded due to IoT devices and the need to access systems remotely via VPNs. Accelerated work-from-home initiatives spurred by the COVID-19 pandemic also contribute to this security vulnerability. Every legitimate access point into a power plant’s networks is a point that malicious actors can attempt to compromise.
The threat is real
A few examples should dispel any doubts that cyberattacks pose a significant threat to the world’s ability to generate power. The Russian attacks on Ukraine’s power grid in 2015 and 2016 are among the most egregious illustrations of the disruption a cyberattack can cause. It was the first confirmed case of hackers taking down a power grid, and it left hundreds of thousands of citizens without electricity. Power was restored to most customers within a few hours, but the hackers had overwritten firmware, so technicians could no longer operate the affected equipment remotely.
It is believed Russian hackers were also responsible for the SolarWinds incident, which affected thousands of customers in ways that are not yet fully understood. The hackers inserted malware into a software update for a widely used monitoring tool. This allowed them to create backdoors and gain unauthorized access to a wide variety of systems.
Approximately 25% of the electric utilities that comprise the North American power grid downloaded this software. Hackers often deploy malware with long-term aims in mind and the final reckoning of the damage caused by this hack may not be known for years. Many other software products in use could be similarly compromised.
Proactively addressing power plant vulnerabilities
Multiple layers of defense are required to fully address power plant security vulnerabilities. Here are some of the measures power plants’ decision-makers can implement to increase the security of their facilities:
Physical access to a computing environment cannot be controlled by firewalls or other automated processes. Plants should require badge access to sensitive areas and closely scrutinize unfamiliar contractors or technicians. It only takes a few seconds for a malicious insider to load malware onto a machine.
Access to systems should be strengthened by adopting two-factor authentication (2FA), mandating best practices for complex passwords, and shortening password expiration periods.
Patch testing and implementation
Security patches need to be tested and implemented quickly to minimize the time available to hackers for exploiting the identified vulnerability.
Users throughout the organization need to be educated concerning the risks associated with phishing emails or other campaigns designed to trick them into giving up login credentials or inadvertently spreading malware.
Increased security testing
Regular penetration testing and physical security testing are necessary to identify areas that need to be made more secure.
The risks to power plants cannot be overemphasized. Organized hacker groups, often backed by rogue nation-states, are constantly searching for ways to attack the nation’s power grid. They may be waiting patiently for an opportune time to unleash the attack. The necessary tools to strengthen security are available. It’s up to power plant management and the industry as a whole to ensure they are implemented so the lights stay on for everyone.