Cybersecurity, Volt Typhoon & The Grid

Brought to you by CYRIN

The grid is where it all begins. As the foundational piece of the nation’s infrastructure, a cyber-attack on the grid can put all critical infrastructure at risk. A major attack on the grid could be transformational and catastrophic, impacting water, sewer, power, communications, and financial systems, eventually impacting food, transportation, and healthcare.

As just one example, cars will continue to operate until they run out of fuel. However, charging stations or gas pumps run on electricity. Most gas stations have backup generators, but those are intended to be temporary. If the grid is out for an extended period, those generators and charging stations will eventually fail.

This vulnerability opens the door for maliciously motivated nation states to step in and hack the systems that supply and uphold critical infrastructure, essentially everything that allows us to function as a modern society. At one time, hackers were focused on espionage and data theft. Now, however, there is another objective: disruption of critical infrastructure.

These “aggressive cyber operations” can not only take down infrastructure but also “induce societal panic,” as Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), put it in June to the Aspen Institute.

In short, an attack on the grid makes it hard for the targeted country to respond. That’s why recent reports from the Five Eyes intelligence alliance - the U.S., Canada, Australia, New Zealand, and the U.K. - are particularly alarming. Five Eyes warned that Volt Typhoon, the Chinese state-sponsored hacking group, had been at work for at least five years. According to the most recent disclosures, Volt Typhoon is not just positioning itself to disrupt communications, but preparing for “disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”

Who’s On First?

This raises the question: what is being done to detect and shore up these vulnerabilities? In other words, who is watching the store?

In the United States, the power system consists of more than 7,300 power plants, nearly 160,000 miles of high-voltage power lines, and millions of low-voltage power lines and distribution transformers, which connect 145 million customers. Today, oversight of the grid is the responsibility of a patchwork of federal and state authorities.

The 2005 Energy Policy Act designated the Department of Energy’s Federal Energy Regulatory Commission (FERC) as the primary authority over power generation and transmission across the United States. FERC oversees the cybersecurity standards for the bulk power system and has delegated to the North American Electric Reliability Corporation (NERC) the authority to set and enforce standards, including those related to cybersecurity.

FERC sets the policies and rules, while NERC, as the electric reliability organization, focuses on the technical details to ensure that the power grid remains reliable and secure.

The industry partners with other federal government organizations, such as the National Institute of Standards and Technology (NIST) and federal intelligence and law enforcement agencies. The grid also has its own Electricity Information Sharing and Analysis Center (E-ISAC). Established in 1999, the E-ISAC was created to reduce cyber and physical security risk to the North American electricity industry through information sharing, curated analysis, and security expertise. The E-ISAC is operated by NERC and is organizationally isolated from NERC’s enforcement processes.

However, jurisdiction over local-level retail power distribution, which delivers that power to end users and includes investor-owned utilities, public power utilities, and electric power cooperatives, falls to state public utility commissions, and portions of it lie outside FERC's jurisdiction. State utility commissions, which regulate rates and are authorized to impose certain requirements on electric utilities, in turn answer to state legislatures. Therefore, state legislatures may determine how broad the authority of utility commissions is, and whether that authority extends to the realm of cybersecurity.

As information technology becomes more and more a part of operational technology (OT), the grid’s growing reliance on digital systems increases the possibility of cyberattacks.

Reports from the U.S. Government Accountability Office warn that the grid’s generation, transmission, and distribution systems are all increasingly vulnerable to cyber intrusions. Since the 1970s, grid operators have relied on electronic industrial control (IC) centers that are generally unsecured against malware such as Stuxnet, which targeted Iranian nuclear facilities in 2010. In 2019, the U.S. grid was hit by a cyberattack for the first time, though it did not cause any power disruptions.

In early February, Infosecurity Magazine and multiple other sources reported that several agencies had issued an advisory stating that the Chinese threat group Volt Typhoon has positioned itself in multiple critical infrastructure sectors, including communications, energy, transportation, and water and wastewater. Although CISA first issued an advisory in May 2023, more details were released in early 2024.

Volt Typhoon is linked to China’s Ministry of State Security (MSS) and has been active since at least 2021.

Microsoft warned in October 2023 that Volt Typhoon and other Chinese groups, such as Circle Typhoon, were primed to launch destructive attacks after successfully targeting critical national infrastructure. CISA teams have found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors, but they warned that what they have found to date is likely “the tip of the iceberg.”

Although China is considered the main threat by many, the threat is not just from China. On Nov. 25, an Iran-linked hacker group - with ties to the Iranian state itself - took control of a part of the Municipal Water Authority of Aliquippa, in western Pennsylvania near Pittsburgh. Crews switched to manual systems to deliver water to two towns.

The hackers entered the system through an Israeli-made programmable logic controller, which had been successfully targeted in attacks in Israel in the past couple of months.

The warnings are not just coming from CISA. David Pekoske, director of the U.S. Transportation Security Administration which oversees the security of pipelines, ports, railways, and aviation, told the DEF CON conference in August, “time is not our friend in this quest, we need to move very, very quickly. We need to be ready now.”

In this situation, possible threats from state actors like Volt Typhoon become that much more alarming. When basic hardware is vulnerable, it opens the door to more frequent and more comprehensive threats from malicious actors.

How Do We Protect The Grid?

How best to protect critical infrastructure – in particular, the U.S. energy grid – keeps the U.S. Department of Homeland Security (DHS), the U.S. Department of Energy (DOE), the U.S. Department of Defense (DOD), and the U.S. intelligence community up at night. In fact, in its most recent Annual Threat Assessment, published in February 2023, the national intelligence director’s office said, “China almost certainly is capable of launching cyberattacks that could disrupt critical infrastructure services within the United States, including oil and gas pipelines, and rail systems.” Such a scenario would be catastrophic.

Power companies rely on Supervisory Control and Data Acquisition (SCADA) networks, many of which also need to be upgraded in response to cybersecurity threats that are escalating in scope and sophistication. The 2021 ransomware attack on the Colonial Pipeline, which caused it to close temporarily, illustrated these increased vulnerabilities. The problem is further complicated by the fact that parts of this infrastructure are reachable from the internet, so that exposure needs to be monitored as well. NIST is also addressing these challenges.

Modernizing the grid is currently a government priority, and most people agree it needs to happen sooner rather than later. In 2022 the Department of Energy announced a “Building a Better Grid” initiative, with plans to overhaul infrastructure while transitioning to clean electricity by 2035.

A key component of the Building a Better Grid program is to ensure that the country’s electric grid is more resilient to weather patterns. With estimates citing roughly 70 percent of the U.S. electrical grid systems as over 25 years old, energy officials also have concerns about the current power system’s resilience against cyber threats. To mitigate both outstanding threats, Energy will be investing over $20 billion to expand the electrical grid and bring it up to date.

One group elevating preparedness is an organization called The Electric Grid Cybersecurity Alliance. The goal of the organization is to bring utility executives together in a trusted forum to confidently build an industry-wide cybersecurity game plan. The founder of the alliance is John Miri, a 25-year tech and cybersecurity veteran who has spent the last decade in the electric utility industry. Miri says that the stated mission of the Alliance is to “unite utility leaders with one goal: to protect the world’s electric grids from cyberattack.”

In 2022 the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) announced that it will fund up to 15 research projects “that will establish or strengthen existing research partnerships with energy sector utilities, vendors, universities, national laboratories, and service providers working toward resilient energy delivery systems.”

DOE listed six proposed topic areas for the projects, including:

  • Advanced software solutions with development feedback cycles to explore what works and doesn’t and uncover potential risks.
  • Autonomous cybersecurity tools that automatically detect and mitigate attacks while preventing energy disruptions.
  • Improving design resiliency by investing in research for tools with built-in cybersecurity-by-design.
  • Authentication mechanisms that allow stronger authentications for energy delivery systems.
  • Automated methods to discover and minimize vulnerabilities.
  • Integrating new concepts and tech with existing infrastructure. The focus is on technology that can be retrofitted to the existing infrastructure.

This effort is designed to have researchers develop tools and technologies that enable energy systems to autonomously recognize a cyberattack, attempt to prevent it, and automatically isolate and eradicate it with no disruption to energy delivery.

CYRIN Can Help

According to some estimates, organizations can significantly reduce the cost of a breach by an average of $232,867 through cybersecurity training for their employees.

Training, or the lack of it, has consequences. CYRIN can help on several fronts. For the education market, we consistently work with colleges and universities both large and small to create realistic training that matches the environment students will encounter when they graduate and enter the workforce.

For industry we continue to work with our partners to address major challenges including incident response, ransomware, and phishing and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface.

We also work with all our users to create new content that fits this rapidly changing cyber landscape. In an increasingly digitized world, training, and especially experiential training, is critical. Unless you get the “hands-on” feel for the tools and attacks and train on incident response in real-world scenarios, you just won’t be prepared when the inevitable happens. A full-blown cyberattack is not something you can prepare for after it hits. The best time to plan and prepare is before the attack.

Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!

Image: peterschreiber.media
