In the wake of a White House cybersecurity order to block foreign-made equipment that could threaten the power grid, some experts are raising the alarm about a more common hacking risk: software vulnerabilities.
In one case, a Fortune 500 electricity company recently installed a turbine that arrived loaded with decades-old cybersecurity weaknesses in its core operating system, according to a source familiar with the situation.
Such software bugs can open the door for hackers looking to wreak havoc on U.S. energy companies. The glitches can often be fixed with a simple update or "patch," but equipment vendors may not have ways to find the problems in the first place, according to Amir Preminger, vice president of research at industrial cybersecurity firm Claroty.
"Some companies we actually had to call on their landline to find somebody to answer, because email didn't work," Preminger said.
A May 1 executive order from President Trump took aim at risks from potential backdoors in grid equipment like power transformers and circuit breakers, which experts say are less ubiquitous but likely harder to uproot.
The order has not yet been implemented, and the Department of Energy recently released a request for information on how best to carry it out (Energywire, Aug. 27). Energy industry sources say any product bans will likely focus on physical hardware rather than the computer software that is often used in U.S. and foreign-made equipment alike.
A recent Department of Homeland Security warning raised red flags about software vulnerabilities already present in the grid. The alert from DHS's Cybersecurity and Infrastructure Security Agency said nation-state hackers routinely target internet-facing industrial control systems, referring to the computer technologies that manage the grid and other critical infrastructure (Energywire, July 28).
Another report by Claroty found that the majority of industrial control system vulnerabilities discovered this year can be exploited remotely. Claroty also found that there has been a 10% increase in software vulnerability disclosures compared to last year and over 75% are classified as "high" or "critical" flaws.
Preminger noted that as new vendors enter the energy space, the number of vulnerabilities will increase as well — though he added that a greater number of software bugs doesn't mean that hackers are taking advantage of them.
Vulnerabilities are frequently discovered by cybersecurity researchers and firms who want to fix them, and an increase in disclosures may simply mean there are more people working on making a given piece of software safer, Premiger said.
Popular software products often carry bits of code borrowed from earlier computer programs, and as versions build on one another, vulnerabilities can persist for years, or even decades in some cases.
A series of 19 recently discovered flaws in an online communication protocol shows how widespread old and buggy software can become. The vulnerabilities, dubbed "Ripple20," affect software from internet technology firm Treck Inc. and apply to devices in the medical, transportation, telecommunications and energy sectors. Some of Ripple20's most troublesome snippets of computer code date back to the 1990s.
Brian Proctor, director of strategic operational technology at cybersecurity firm Forescout Technologies Inc., said he worked with the cybersecurity firm that discovered Ripple20 to assess the scope of the problem for critical infrastructure operators. He said it could take months, or even years, before the vulnerabilities are fixed in some electric power networks.
"Depending on kind of what makes and models are vulnerable for these utility vendors, we're talking a significantly large portion of assets that you'd find in a electric substation could be impacted," Proctor said. "So this is actually a really big deal."
But not all vulnerabilities are created equal, said Reid Wightman, principal vulnerability researcher at industrial cybersecurity firm Dragos Inc. Many of the Ripple20 vulnerabilities are rarely found in industrial devices, which mitigates much of the danger. Additionally, hackers would have to be into the network already to take advantage of some of the flaws.
"If they're at that level of your network, they probably got access to some engineering systems or even [human machine interface] systems and could probably do some pretty bad stuff without using this bug," Wightman said.
Steven Naumann, chief technical adviser for grid advocacy group Protect Our Power, said DOE and the Federal Energy Regulatory Commission may not be equipped to regulate certain supply chain security issues like vulnerabilities in grid equipment.
"FERC has jurisdiction over the bulk power system; they have no jurisdiction over vendors," Naumann said. He added that most companies likely "wouldn't want to have more regulation than is needed."
Naumann said that more cooperation is needed between vendors, utilities and the federal government through business contracts, which would sidestep jurisdictional issues posed by setting binding standards.
"The suppliers want to supply reliable equipment, the utilities want to operate reliably, and the government wants the system to stay up for national security and economic security," Naumann said.
FERC has already adopted a new critical infrastructure protection standard that requires utilities to develop risk mitigation plans for threats to the supply chain. That rule is set to take effect next month (Energywire, April 21).
FERC also recently released a notice of inquiry asking utilities whether market incentives would help utilities move past the "baseline" cybersecurity protections offered by following the new guidelines.
Other efforts to mitigate vulnerabilities are also playing out through private deals between cybersecurity firms and utilities, Naumann noted.
A recent partnership between Siemens Energy AG and the New York Power Authority launched a cyber hub last month aimed at managing grid cyberthreats (Energywire, July 29).
"When you're looking at the supply chain, it really has to become a matter of confidence in the vendor, and part of confidence in the vendor is confidence in their supply chain program," Naumann said.