At a coal-fired power plant in Alabama last year, federal officials sat down with a security guard to discuss a serious breach of protocol.
The guard’s interview with the Office of Inspector General agents did not go well. They issued a report to their bosses at the Tennessee Valley Authority, the government-owned corporation that provides electricity to much of the southern United States.
The security contractor was fired. His offense? Plugging a USB stick into a TVA computer at a checkpoint in the Widows Creek power plant.
Neither the USB nor the computer was found to have any viruses or malicious files. But the strict response is consistent with power producers’ efforts to root out potential threats to their control networks.
"The concept of flash drives or any kind of portable data storage is extremely critical in power plants," said TVA spokesman Jim Hopson. "When you access it on the computer, it’s a two-way street, so things that are on that device can get into the computer without you even realizing it."
Hopson said all employees and contractors are tested annually on best practices for cybersecurity, and the login screens of all internal TVA computers display a security warning.
"It all starts with one having a clear policy and making certain that people know and follow it," he said. "Unfortunately, if someone chooses to not follow it, [that involves] making certain that they no longer could potentially create a threat."
The U.S. government learned that lesson the hard way. In 2008, infected thumb drives shared among military bases across the Middle East were found to have caused one of the most significant cyber breaches in the history of the Pentagon. The Defense Department’s response to the intrusion, dubbed Operation Buckshot Yankee, was a catalyst for establishing the U.S. Cyber Command.
Like military networks, many of the industrial control systems that run power plants, refineries and other critical infrastructure are separated from the public Internet and its security risks. But thumb drives offer attackers an easy way to jump past an "air gap" and into the operational network.
Most computers are programmed to automatically open media on a USB stick, a function hackers can exploit to spread malicious files. The autorun feature can be disabled in a computer’s BIOS, although some take a more old-fashioned approach.
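Alongside port restrictions set in firmware, Windows hosts also expose the AutoRun and removable-storage controls as registry policies. The script below is an added example, not code from the article, TVA or PFP; it assumes Windows hosts and an elevated PowerShell session (neither is stated in the article) and uses the documented Explorer, RemovableStorageDevices and USBSTOR policy locations.

```powershell
# Added example (not from the article): audit and enforce USB AutoRun /
# removable-storage hardening on a Windows host. Assumes an elevated session.

$AutoRunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RemovableKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$UsbStorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treat as "not configured"
}

function Get-UsbHardeningState {
    [PSCustomObject]@{
        # 0xFF = AutoRun disabled for every drive type (the hardened value)
        AutoRunDisabled  = ((Get-RegValue $AutoRunKey 'NoDriveTypeAutoRun') -eq 0xFF)
        # Deny_All = 1 blocks read and write access to removable disks by policy
        RemovableDenied  = ((Get-RegValue $RemovableKey 'Deny_All') -eq 1)
        # Start = 4 keeps the USB mass-storage driver from loading at all
        UsbStorDriverOff = ((Get-RegValue $UsbStorKey 'Start') -eq 4)
    }
}

function Set-UsbHardening {
    param([switch]$BlockStorageEntirely)
    foreach ($k in $AutoRunKey, $RemovableKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $AutoRunKey   -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    Set-ItemProperty -Path $RemovableKey -Name 'Deny_All'           -Value 1    -Type DWord
    if ($BlockStorageEntirely) {
        # Stronger option: the driver never loads, so even a vetted drive cannot mount.
        Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
    }
}

# Usage: report the current state first, then remediate whatever is not set.
$state = Get-UsbHardeningState
$state | Format-List
if (-not ($state.AutoRunDisabled -and $state.RemovableDenied)) {
    Set-UsbHardening
    Get-UsbHardeningState | Format-List
}
```

The Deny_All and USBSTOR settings block all removable storage, so on hosts where vetted, facility-only drives must still mount, apply only the AutoRun value and enforce the rest through device control policy.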
"In really high-risk environments, I’ve had clients take an epoxy and just [glue] the USB drive," said Sharon Chand, a director in Deloitte’s cyber risk services practice. She said improper use of the devices "comes up often" in her work with energy companies.
Electric utilities have paid closer attention to their USB ports ever since the infamous Stuxnet worm spread via thumb drives to its target computers in Iranian nuclear facilities. Five years after its discovery, Stuxnet remains one of the few pieces of malware known to have damaged industrial control systems.
In spring 2010, before news of the Stuxnet worm broke, the Department of Homeland Security warned that USB drives "can threaten control system networks just as easily as enterprise networks."
The agency’s Industrial Control Systems Cyber Emergency Response Team cited research showing that about a tenth of all malware samples are designed to take advantage of USBs to spread from network to network.
"Certainly it’s frightening when it’s into a nuclear environment, but I think other segments of the marketplace have struggled with that same sort of use case," Chand said.
She recommended that companies look for ways to better train their employees before resorting to more drastic measures like gluing USB drives shut. "The people aspect of security is often the one that can be the most impactful," Chand said.
Thumb drives’ convenience is part of what makes them such a threat to grid operators.
"The prevalence of people coming in with their USB devices and plugging them into the controller networks is actually pretty high, and the utilities are quite seriously concerned about it," said Thurston Brooks, marketing vice president at PFP Cybersecurity.
Researchers at PFP are looking for ways to allow utilities and other customers to use USBs without cumbersome precautions. Brooks said he has seen critical infrastructure firms buy USBs in bulk, check them with the best available malware detection tools, seal them off in the building where they’ll be used and allow just one checkout. "They basically use it and then throw the USB away," he said.
PFP is trying to apply its signature technology, "power fingerprinting," to USB drives to show if they have been altered by hackers (EnergyWire, Feb. 2). Many critical sectors, such as the nuclear industry, have to worry about whether USBs were corrupted at some point from their manufacture to final delivery.
Despite the supply chain risks, TVA does allow limited use of thumb drives within its power plants. But much like the process Brooks described, each drive is carefully vetted, and, when approved, can never leave the facility. They’re also password protected.
"You have to balance out the reasonable efforts to create a secure [computer] with, do you want to handicap its use as a data processor? So you’ve got to find that balance," said Hopson of TVA. "USBs are ubiquitous in the civilian world, and we know a lot of people use them at home. They’re wonderful devices. But just like any storage device, you have to be careful."