As if ransomware, malware, and phishing were not bad enough, electric utilities now need to worry about new cyber threats emerging from drones, artificial intelligence, and a grid made more vulnerable by the internet of things, or IoT.
“It just brings a total other layer of security issues that we are not prepared for as a population,” said Peter Morin, cybersecurity director at auditing and professional services company KPMG.
The new threats offer up a future in which it is no longer enough for utilities to just secure their information technology networks against hacking. They must also consider the risk of small and inconspicuous drones outside their windows stealing information. They must worry about whether their AI can learn quickly enough to outmaneuver the AI of bad actors. They also must stand guard over a wider universe of resources on their systems: solar panels, smart thermostats, and other IoT devices that offer portals for hackers.
For a mere $500, it’s now possible to build a drone that can hover outside a power plant or utility office and capture digital information, as security firm Bishop Fox demonstrated with its Danger Drone.
The firm designed the drone to show companies what they are up against in an age when hackers can enter the victim’s premises using a drone as proxy for a human. Quiet and lightweight, a drone can carry a powerful computer the size of a credit card. Some describe these drones as flying laptops minus a human at the keyboard.
Also called unmanned aerial vehicles, drones are not all bad news for utilities. As a tool to inspect transmission and distribution equipment, drones are becoming a way to reduce costs, enhance worker safety, and improve response times. They are so effective that Navigant Research foresees a $4.1 billion market for utility drone use by 2024.
However, drones not only can hack but can be hacked. A paper published by the Institute of Electrical and Electronics Engineers warns that hackers could infiltrate a drone and swap out a live feed of inspection footage with a video that shows a proper working system. Their intent would be to mask infrastructure damage to inspectors, so that a malfunction occurs.
In an age when the Department of Homeland Security is warning of efforts by enemy states to disrupt the grid, utilities are likely to feel uneasy whenever they see people taking photos of their facilities. These might just be tourists, but it’s hard for utility staff to know, said Doug Nibbelink, IT security specialist at Holland Board of Public Works, a community-owned utility in Michigan.
Confusion about intent will only grow as drones become more and more commonplace. “Drones just make it a lot easier for anyone — whether their intent is harmless or harmful — to gather information,” Nibbelink said.
The quality of modern photography makes a drone’s work all the easier, especially when you add night vision and zoom lenses. The small size and quiet operations of drones can fool even a vigilant power plant operator. “It’s not going to be as obvious to us as a helicopter hovering around for five minutes, which would cause bells and whistles,” he said.
Artificial intelligence and IoT
Like drones, AI and machine learning offer both threats and benefits to utility operations. AI and machine learning use automated technology to discern information patterns and speed up analysis, unleashing a way to quickly make meaning of massive amounts of data. This approach is especially important to utilities in the age of smart meters, which can collect large amounts of data on customer behavior.
Smart thermostats, like those made popular by Nest, offer a simple example of machine learning, in that they “learn” the energy use patterns of a household and then set temperatures accordingly, to help customers balance comfort and energy efficiency without much effort.
AI and machine learning also may help utilities in their battle against phishing campaigns. “My hope would be that AI can lead to better detection of things that are not legitimate — [such as suspicious] links or emails,” Nibbelink said.
But it’s a double-edged sword, as the technology can be used to more quickly sort through algorithms to undermine IT security efforts. Just as utilities automate data analysis, so do their attackers.
“The big thing we see with AI is that machine learning is now being used not just by good guys but bad guys as well,” said Morin.
For utilities, the threat posed by machine learning comes at a particularly inopportune time. The electric grid is integrating IoT devices to allow for two-way power flow between the grid and rooftop solar panels or complex microgrids. Some people call these devices “back doors” to the grid, as they are not always easy for utilities to visualize on their monitoring systems.
Distributed energy creates more “vectors or surfaces” for cybersecurity attacks against utilities, according to the Navigant Research report Managing IoT Cybersecurity Threats in the Energy Cloud Ecosystem.
“IoT hacking is unbelievably effective,” Morin said, noting that hacks have been carried out through common devices such as baby monitors, webcams, and home appliances with Wi-Fi.
Such devices offer portals just as a laptop would, yet we fail to secure them as we would our computers, he said.
“Now our refrigerator has a browser on the front, but it’s not secure,” Morin said.
Equally disconcerting, forms of cyber attack such as phishing and ransomware aren’t going away and will only pose greater threats as technology advances.
For example, potential exists for IoT devices to become victims of ransomware. Imagine, Morin said, that your thermostat is set at 99 degrees by a hacker who tells you that you must pay up if you want the ability to readjust it.
Morin pointed out that the world is expected to have an estimated 20 billion IoT devices by 2020. As more and more devices are used by customers for energy management and production, “you will see a lot more threats than we have today,” he said.
What electric utilities can do
Morin says there are steps electric utilities can take now to help protect themselves against future threats. One step is to bring down what he describes as a barrier between operational technology departments and information technology departments. Right now, cybersecurity is sophisticated for IT but not OT, in his opinion. “They have to start to share,” he said.
Morin also recommends that utilities begin setting up formal programs for IoT security. The risk must be managed enterprise-wide, with buy-in at the CEO level, he said.
From a more technical perspective, it’s important to undertake proper testing of IoT devices used by the utility, such as smart meters, and not just rely on security claims made by the vendor. “Organizations have to do their due diligence,” he said.
It’s also important to define service-level agreements and fully understand how the devices work on the utility system — where they reside, who they talk to, and what controls are in place to protect them, said Morin.
But ultimately, it all comes down to people and their understanding, says Nibbelink, especially as these new technologies open the way for even more sophisticated data collection and phishing expeditions. It becomes more essential to educate employees about cyber hygiene — what emails, links, and downloads to avoid.
“I wish you could just buy a box that you throw onto your network and suddenly it will tell you everything bad that happens — and not be texting you every hour through the night to say, ‘This might be something weird you should look at,’” he said.
But no such box exists, so for now, utilities must remain vigilant and brace for a world in which cybersecurity is becoming more complex than ever before.