The nation’s electricity infrastructure could be exposed to the infamous Heartbleed security bug, a possibility that has experts worried hackers could use that vulnerability to access sensitive communications and coordinate a devastating attack that could shut down chunks of the U.S. power grid.
The discovery of the gorily-named security gap—caused by a glitch in widely used OpenSSL software—sent tech giants scrambling several weeks ago for a patch for the websites people use most. But the problem is much more pervasive and poses risks far beyond making passwords and credit card information easier to steal. Attackers could also use Heartbleed to infiltrate the industrial control systems the energy sector uses to keep the electric grid running.
The weakness could allow an intruder to eavesdrop on messages between grid operators and power plants or to monitor communications with transmission substations. James Holler, a grid-security expert at Abidance Consulting in Houston, says an advanced hacker could even impersonate an administrator.
In a worst-case scenario, if a grid operator’s system was affected by the bug, an attacker could send directives to power generators to cut back their output. If they could shut off enough electricity, that could cause rolling blackouts, says Holler. A coordinated assailant could orchestrate blackouts in all three of the U.S. interconnections.
“It would literally bring the grid to a grinding halt,” Holler said.
Andrew Whitaker, a cyber attack expert at Knowledge Consulting Group, says the likelihood of such an attack is extremely small, but “the impact would honestly be catastrophic for the power industry.”
While many companies are seeking private sector advice, the nonprofit industry-run North American Electric Reliability Corporation is providing guidance on how to scan for the bug and protect against it. Still, those efforts are voluntary, and critics say utilities with fewer resources, as well as small third-party vendors that monitor the grid equipment they supply, might be less likely to prioritize the repairs—leaving a back door open to potential grid attacks.
WARNINGS SOMETIMES IGNORED
The threat posed by Heartbleed could have dire implications for industrial control systems in multiple critical infrastructure sectors, including the chemical and agricultural industries and water and wastewater operations, in addition to the energy industry. Industrial control systems receive data from remote stations and send back commands that are either automated or issued by an operator.
Holler, who advises companies on complying with NERC security regulations, says a hacker could alter messages from substations to make operators think they are functioning normally when they are actually out of service. He believes they could also intercept calls to prevent employees from contacting emergency responders after a physical attack.
Interrupting and altering communications would be a heavy lift. And not everyone believes Heartbleed is as dangerous as it sounds, pointing out that even if an attack is theoretically possible it is exceedingly unlikely to happen. Chris Meissner, a senior associate who works on cybersecurity for The Avascent Group, said the kind of attacks Holler describes would require a skillset that is rare in the hired world and difficult to come by on the black market as well.
An attacker would need to be familiar with the OpenSSL vulnerability, which Meissner says is not as easy as media reports would indicate. A hacker would also need an advanced understanding of the various industrial control systems, operating systems and equipment that the power industry uses in order to cause significant damage. That might mean knowing exactly which version of turbines a wind power farm is using, for example.
“These are very, very difficult systems to operate from the outside,” Meissner said.
But concern is high enough that the federal government issued a warning. An alert from the Department of Homeland Security says hackers of “low skill” level would be able to use Heartbleed to access network communications, including transmitted data and passwords. The Federal Energy Regulatory Commission also says it is “following the OpenSSL Heartbleed encryption vulnerability closely, and working with NERC to assure that the vulnerability and mitigation options are quickly communicated to industry to protect the power grid,” according to a spokeswoman.
Still, Meissner says even if a hacker could access network data it would be “sporadic,” and not necessarily useful to someone trying to gain control of a system. Holler counters that a hacker could see when operators take their breaks or record high traffic patterns to time an attack to make it more effective.
To do the substantial damage Holler envisions, an attacker would need network access, which would likely be obtained remotely through the Internet. DHS has made it clear in past guidance that asset owners should make sure their control system devices are not accessible online, isolate them from their business networks, and require virtual private networks (VPNs) for remote access. Knowledge Consulting Group recommends never logging on to a public wifi network, using complex passwords, and adding further identification methods.
But not every company in the industry follows those recommendations or even uses encryption software like OpenSSL.
“The weakest link in your chain is your biggest risk,” says Jerry Irvine, a member of the public-private National Cyber Security Partnership. “While large corporations…may have encryption to get into (their systems), they may also have third-party applications that don’t.”
Some reports have suggested Target was hacked through a connection that its air conditioning system had with its industrial control system.
“There’s a misconception that hackers go directly after companies,” Whitaker said. “What’s been happening the last few years—particularly when you get into nation states attacking organizations within the U.S.—they’re going after the third parties that have access, they’re going after the support companies, they’re going after companies that are doing monitoring, and contractors, because they have access and a lot of times they might be easier to compromise than the organization itself.”
BACK DOOR ATTACKS THROUGH A THIRD PARTY
No one can say for sure how much of the electric industry uses OpenSSL and might be vulnerable, although Holler says “it’s more prevalent than you would think,” possibly between 10 percent and 30 percent.
A bigger problem, says Irvine, is that many vendors who monitor industrial control devices don’t use SSL at all.
“People are communicating to them across the Internet remotely in open text,” Irvine said. “Part of the issue with the critical infrastructure we have today is these devices are unintelligent, low-managed devices that provide very little security at all.” They often don’t have antivirus protection or their software is not updated regularly, he said.
With so many other cybersecurity threats to handle, Heartbleed is on the radar, but it might not be the top priority, said Mark Weatherford, an expert with the Chertoff Group who was formerly deputy under secretary for cybersecurity for DHS and vice president and chief security officer for NERC.
“There’s so many things that energy companies are still working on and still trying to improve upon,” Weatherford said. “This is one of a lot of things that need help, although it’s the most visible and most current for sure.”
Meissner points out, for example, that many control systems still use the default administrator password.
Andy Bochman, an energy advisor who has written on electric sector cybersecurity for the Heritage Foundation, says Heartbleed got a lot of attention but didn’t “bring a night and day change to the security posture of the utilities.”
Still, Whitaker says Heartbleed must be considered a “critical risk” because of the potential damage a hacker could cause. Whitaker has been breaking into systems for two decades and says the bug is one of the top three or four most dangerous he has seen.
Whitaker’s firm has confirmed it’s possible to use the vulnerability to get usernames and passwords, carry out “man-in-the-middle” attacks to intercept messages, and impersonate a client or server. While energy companies are moving quickly to eliminate the bug, the fixes may take anywhere from a day to several weeks. And utilities have to take their time and conduct testing to make sure they don’t make any mistakes that might shut off power, Whitaker said.
“It’s a time race, but the owners, the operators, in particular a lot of the service providers are moving very fast on the issue,” Meissner said.