I recently watched a disaster response planning video from CISA. This particular video discussed how dependencies between sectors would deepen and widen the impact of a disaster that initially struck just one sector. The energy sector is particularly interrelated with the other sectors: we need power to run our water purification and pumping, sewage, communications, transportation networks, traffic signals, medical facilities, government facilities, and the list goes on… It’s up at Energy Sector Dependencies and I highly recommend spending time both watching it and thinking about its implications.
Russia’s attack on Ukraine also involved cyberattacks on Ukraine’s power infrastructure. Those cyberattacks are both ongoing and evolving. Recent Chinese attacks on India’s electricity grid have also been reported. It’s no secret that the power grid is an enticing target. That’s why I’m glad that a bipartisan request from both the US House of Representatives and the Senate was sent to the Department of Energy, asking for that agency to take the lead in modernizing our nation’s energy sector cybersecurity.
I live in Texas, so I got a chance to experience life without power in the depths of the winters of 2021 and 2013. While I could always put on more blankets at home, the worst of the power outages were in the dependencies mentioned above. We had: boil-water orders, empty stores, closed restaurants, shut-down bus and train lines, and overwhelmed repair crews.
I’m always happy to welcome modernization for the energy grid and power stations, but I want it done in a way that keeps the sector safe from cyberattacks. The outdated gear that needs to go (so that I don’t have another outage caused by obsolete equipment) is itself largely immune to most cyberattacks. Security through complete obsolescence and an inability to communicate across the internet is a very real protection. It’s also a very real cause of physical failure under harsh conditions, so let’s not leave any of that obsolete gear around!
But when we connect modern gear, we’re connecting gear that’s built with current technology in mind. Good-bye obscurity, hello vulnerability. Vendors will still use default username/password combinations that are either easy to guess, like admin/admin or admin/password, or which can be found after three seconds of searching. Legislators are starting to catch up – a bill passed in the UK in late 2021 attaches monetary fines to vendors that offer gear with default usernames/passwords – but there is a long hard road ahead for this easiest of violations to get cleaned up.
Worse than the default username/password is the hard-coded root account. These also have to go. Users are able to change local credentials, but they can’t do anything about an account that is burned into the native code of the device. We can’t have a secure power grid if these are exposed to the internet. But when vendors insist upon being able to reach their gear from anywhere for maintenance and monitoring purposes, what can we do?
We can use security tools that look for these vulnerabilities and then use reports from these tools to hold our vendors accountable. I’ve seen RedSeal show indirect pathways into the network via vulnerable devices used as pivot points and I’ve seen Finite State show both hard-coded passwords and a software bill of materials (SBOM) for IoT and OT gear. Both of these tools are indispensable to the energy sector, in my view.
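As an added example (not code from this post, and not from RedSeal or Finite State), here is the kind of check a firmware audit makes for the hard-coded accounts described above: it reads the account database of an unpacked device image and flags accounts that ship usable. It assumes the root filesystem carries a standard /etc/passwd and /etc/shadow; both inputs are constructed samples.

```python
# Added example, not code from the post or from the tools it names: audit the
# account database of an unpacked firmware image for credentials that ship with
# the device. Assumes a standard /etc/passwd and /etc/shadow in the rootfs.
# Both inputs below are constructed samples, not real vendor data.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:0:0:vendor admin:/home/admin:/bin/sh
support:x:1001:1001:field support:/home/support:/bin/sh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:$1$abcd$FAKEHASHFORILLUSTRATION0:18000:0:99999:7:::
admin:$6$efgh$FAKEHASHFORILLUSTRATION1:18000:0:99999:7:::
support::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""


def parse_shadow(text: str) -> dict[str, str]:
    """Map account name -> password field from /etc/shadow."""
    fields = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, pw_field = line.split(":", 2)[:2]
            fields[name] = pw_field
    return fields


def audit_accounts(passwd_text: str, shadow_text: str) -> list[tuple[str, str]]:
    """Return (account, reason) pairs for accounts that ship usable on the device."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        name, uid, shell = f[0], int(f[2]), f[6]
        if shell.endswith(("nologin", "false")):
            continue  # interactive login already disabled for this account
        pw = shadow.get(name, "")
        if pw == "":
            findings.append((name, "empty password field: login needs no secret"))
        elif pw[0] not in "*!":  # '*' and '!' mark locked accounts
            findings.append((name, "password hash shipped in the image: a baked-in credential"))
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 alias: a second root account"))
    return findings
```

Run `audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)` against the samples and it reports root and admin shipping with baked-in hashes, admin as a second uid 0 account, and support with no password at all; the locked daemon account is left alone.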
I do hope the energy sector doesn’t just modernize, but also secures itself. Because while I can somewhat understand weather- and disaster-related power outages, I have no tolerance for an outage due to someone far away finding that my local substation is wide open after typing in “admin… password…”