It has been suggested recently that cybersecurity considerations for the power grid need to be incorporated into the U.S. presidential campaign. Indeed, according to an interview published by the Energy Times[i], journalist Ted Koppel stated: “this is an issue that deserves the attention of presidential candidates, and I’m hoping that at some point or another it will be on their agenda. It needs to be. It’s not something that can easily be handled after the fact.”
When we consider cybersecurity considerations for the grid, we have to consider two components; vulnerabilities and the probability that such vulnerabilities will be exploited.
Reports of vulnerabilities against IoT devices have ranged from connected cars to medical devices. There’s even been a report of a child’s toy doll being exposed as having vulnerabilities that could impact the privacy of the child. A key question, however, is whether these weaknesses have been exploited? In many cases the answer is invariably “no,” or at least, “not that we know of.”
Malicious actors typically target point-of-sale devices and automatic teller machines (ATMs), which leads us to conclude that the threats being targeted are, for the moment, primarily the ones that can be easily monetized. Within the energy sector, for example, there have been known instances of devices being compromised, but generally those that caused physical damage to a cyber-related intrusion is limited to two very public cases.
Despite such sparse case studies, however, there is an emerging trend that may change the number of public case studies into a more worrying number of affected victims. The recent whitepaper Hidden Data Economy highlighted an example whereby access to compromised critical operations was being sold. In this case, it was access to the HMI of a hydro electric generator. This demonstrates that the vulnerability clearly exists, and the barriers to entry for actors wishing to cause damage is decreasing. While the actual number of known examples of compromised organizations pales into insignificance when compared with other sectors, there is no doubt that the impact of vulnerabilities being exploited is high, and the probability that an attack will be carried out is likely to increase (as technical barriers are at their lowest).
While I welcome a discussion on cybersecurity for critical infrastructure as part of the presidential debate, ensuring that cybersecurity continues is a priority and not something solely discussed every four years.