A deep dive into US GAO Critical Infrastructure Protection report

by Paresh Borkar

In our earlier blog, US Electric Grid is “becoming more vulnerable to cyberattacks” says US GAO, we discussed the US GAO assessment report [GAO-19-332] on Critical Infrastructure Protection for the electric grid. In this blog, we take a deeper look at the specifics of the report. For a high-level overview of the report's findings, please refer to the earlier blog.

The reliability of the electric grid – its ability to meet consumers’ electricity demand at all times – has long been a matter of national interest. The grid comprises three distinct functions: generation and storage, transmission, and distribution. This is depicted and explained in the figure below:

The grid has historically been considered resilient, since grid operators have been able to respond quickly to the adverse consequences of an accident (such as damage from a major hurricane or a falling tree). However, restoration from a cyber-related event may be more challenging.

The grid is vulnerable due to:

  • Industrial Control System devices
  • Consumer IoT devices connected to the Grid’s distribution network
  • Global Positioning System (GPS).

Grids employ industrial control systems (ICS), which are typically network-based systems that monitor and control sensitive processes and physical functions, such as the opening and closing of circuit breakers on the grid. Early ICS operated in isolation, running proprietary control protocols on specialized hardware and software; they were located in physically secured areas and were not connected to other IT systems. However, ICS are changing in ways that offer advantages to system operators but also make them more vulnerable to cyber attacks. For example, proprietary devices are being replaced with cheaper and more widely available devices that use standard IT networking protocols, including those that support remote access. Further, ICS are being implemented on standard IT computers and operating systems, which make interconnection easy. As a result, the skill required to attack ICS is decreasing as tools for exploiting ICS vulnerabilities become more widely available.

There is an increased risk that malicious actors may be able to exploit vulnerabilities in ICS devices before patches can be applied. According to the Department of Homeland Security (DHS), the number of vulnerability advisories for ICS devices has steadily increased, from 17 advisories in 2013 to 223 advisories in 2018 (please see the chart below).

Researchers found that malicious actors could compromise a large number of consumer IoT devices (such as high-wattage devices like air conditioners and heaters) and turn them into botnets. These botnets could subsequently be used to launch a coordinated attack aimed at manipulating demand across distribution grids.

The grid depends on GPS timing to monitor and control generation, transmission, and distribution functions. According to the Department of Energy (DOE), the GPS signal is susceptible to exploitation by malicious actors.

The GAO report notes that the FERC-approved cybersecurity standards do not fully address the NIST Cybersecurity Framework’s five functions, listed below:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

Electric grid operators should be cognizant of the observations in the GAO CIP report and leverage them to improve their cybersecurity posture.

Let us look at a recent vulnerability affecting industrial systems. CVE-2019-10923 affects Siemens Industrial Real-Time (IRT) devices; successful exploitation could cause a denial-of-service condition. This CVE has a CVSS 3.0 score of 7.5. The related ICS-CERT Security Advisory [ICSA-19-283-01] notes that this vulnerability is “remotely exploitable and requires low skill to exploit”.

ThreatWatch provides vulnerability advisory coverage from ICS-CERT (recommended by DHS) and beyond to deliver real-time vulnerability intel to organizations. Coupled with our unique approach of providing real-time impact assessment on an organization's systems (ICS devices, OS, hardware and more) without the need for any scans, this results in a complete solution. For more details, write to us at info@threatwatch.io.

We are participating in the CyberCon at Anaheim Convention Center [November 19th – 21st 2019]. Drop us a note for a meeting.
