Utility conference ponders Islamic State, a mysterious attack and other threats

By Peter Behr | 10/15/2015 07:15 AM EDT

PHILADELPHIA — Headlines from a daylong briefing on cyberthreats to the electric power grid:

  • The Islamic State group is now using the Internet to launch cybersecurity attacks at U.S. targets.
  • The startling April 2013 sniper assault that knocked out Pacific Gas and Electric Co.’s Metcalf substation is looking like the work of an insider.
  • In just a year, the number of cyberattacks using sophisticated concealment techniques tripled, to 90 percent.
  • But on the other side: A cybersecurity defensive screen developed by the Pacific Northwest National Laboratory has achieved a "breakthrough" in threat detection for U.S. electric power companies.

As speaker followed speaker at the conference here yesterday, hosted by the North American Electric Reliability Corp., the evidence mounted of an escalating arms race between attackers and their targets that is compelling government and private-sector defenders to stand together more closely than ever before.

Caitlin Durkovich, Department of Homeland Security assistant secretary for infrastructure protection, warned that U.S. critical infrastructure was a terrorist target. The Islamic State group "is beginning to use the Internet, and to perpetrate cyberattacks, and they understand the importance of critical infrastructure," she told the NERC conference. Other experts said terrorists aren’t believed to have the technical capability to take down parts of the grid.

She also disclosed the first clue from U.S. officials about the source of the late-night substation attack outside San Jose, Calif., in which the attacker or attackers cut fiber-optic communications cables connecting to the 911 emergency service before unleashing a high-power rifle fusillade that riddled an essential cooling system for the station’s transformers.

Publicity about the attack prompted the Federal Energy Regulatory Commission to direct NERC to come up with new physical security regulations for critical power sector infrastructure on a rush schedule. Jon Wellinghoff, then FERC’s chairman, called it the most significant terrorist attack ever against the power grid, but the Federal Bureau of Investigation challenged that conclusion, saying it had no evidence of any motive.

Durkovich told the NERC conference yesterday, "This is something that is still under investigation, but if you look at the Metcalf attack that happened in Silicon Valley, the knowledge of the individual or individuals who perpetrated that attack — where the cyber lines were, where transformers were, what they needed to do to potentially disable and disrupt the operation of that substation — required some significant knowledge.

"And while we have not identified who perpetrated that, there is some indication that it is an insider," she said. She did not elaborate on either the Islamic State activity or the Metcalf investigation.

She advised the industry representatives, "Think about who you hire."

Mark Fabro, president and chief security scientist for the cybersecurity firm Lofty Perch, stressed the increasing threat from advanced cyberattack programs with sophisticated features to hide from cyberdefenses.

"From the beginning of last year to the end of last year, you went from a 30 percent to almost a 90 percent usage of what is going to be in excess of 500 unique evasive techniques that are now in malware," Fabro said.

The evasion techniques include timing features designed to keep attack software programs dormant when investigators are looking for them, and malware with auto-start features that can go into action without an incoming command, he said.

Gerry Cauley, NERC’s president and CEO, reiterated U.S. security officials’ warnings that cyberattackers had succeeded in implanting reconnaissance programs inside control room systems.

"There really hasn’t been a significant operational impact on the grid, despite the threats and the risks," Cauley said. Instead, incursions that have gotten through have been intended to map control systems, a possible prelude to a future attack.

State-sponsored cyberattackers and terrorists "are really taking a long-term view," he added. "They are actually in our control systems. … They are embedded."

‘A lot of activities going in the right direction’

But Cauley also reported a major step by the utility sector to protect itself from attacks entering via the Internet.

A cybersecurity defensive screen developed by the Pacific Northwest National Laboratory has achieved a "breakthrough" in threat detection for U.S. electric power companies, he said.

PNNL’s Cybersecurity Risk Information Sharing Program (CRISP) has been deployed to monitor public Internet traffic into and out of a group of utilities, to provide a new level of screening and analysis of probes and attacks on utilities, he said. He did not identify the companies.

"We’ve got a lot of activities going in the right direction," he said. He urged the conference audience to maintain vigilance and treat even the smallest sign of attack as if it were the tip of an invasion. "It’s like Whac-A-Mole on a continuing basis," he said.

Durkovich listed several DHS initiatives to protect the power sector: a recently concluded review of the most critical substations on the high-voltage grid and completion of a "playbook" to guide utility operators and first responders in confronting an armed attack on grid facilities, or a combined physical and cyberattack. The manual will be tested at NERC’s GridEx III attack simulation exercise next month, she said.

She also promised that DHS would push harder to declassify threat information. "We are living in an age where we cannot operate in a classified environment. The threat is too dynamic."

Tim Roxey, vice president and chief operating officer of the Electricity Information Sharing and Analysis Center at NERC, offered encouragement. "From an adversary’s perspective … it’s not extremely easy. No single operating environment is exactly like another," he said. "Many substation environments are different. There needs to be some level of knowledge to make a successful attack.

"You can certainly exfiltrate data. You can disrupt," he said, adding, "To have a high confidence [that] you know what is going to happen when you start this attack … and you can repeat that over and over, is very difficult to achieve.

"You do have the upper hand," he said. "Defense is doable. You can win."