Cybersecurity, Volt Typhoon & The Grid
Brought to you by CYRIN
The grid is where it all begins. As the foundational piece of the nation’s infrastructure, a cyber-attack on the grid can put all critical infrastructure at risk. A major attack on the grid could be transformational and catastrophic, impacting water, sewer, power, communications, and financial systems, eventually impacting food, transportation, and healthcare.
As just one example, cars will continue to operate until they run out of fuel. However, charging stations or gas pumps run on electricity. Most gas stations have backup generators, but those are intended to be temporary. If the grid is out for an extended period, those generators and charging stations will eventually fail.
This vulnerability opens the door for maliciously motivated nation states to step in and hack the systems that supply and uphold critical infrastructure, essentially everything that allows us to function as a modern society. At one time, hackers were focused on espionage and data theft. Now, however, there is another objective: disruption of critical infrastructure.
These “aggressive cyber operations” can not only take down infrastructure but also “induce societal panic,” as Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), put it in June to the Aspen Institute.
In short, an attack on the grid makes it harder for the targeted country to respond to anything else. That’s why recent reports from the Five Eyes intelligence alliance - the U.S., Canada, Australia, New Zealand, and the U.K. - are particularly alarming. Five Eyes warned that Volt Typhoon, the Chinese state-sponsored hacking group, had been operating inside critical infrastructure networks for at least five years. According to the most recent disclosures, Volt Typhoon is not just positioning itself to disrupt communications, but preparing for “disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”
Who’s On First?
This raises the question: What is being done to detect and shore up these vulnerabilities? In other words, who is watching the store?
In the United States, the power system consists of more than 7,300 power plants, nearly 160,000 miles of high-voltage power lines, and millions of low-voltage power lines and distribution transformers, which connect 145 million customers. Today, oversight of the grid is the responsibility of a patchwork of federal and state authorities.
The 2005 Energy Policy Act designated the Federal Energy Regulatory Commission (FERC), an independent agency within the Department of Energy, as the primary authority over power generation and transmission across the United States. FERC oversees the cybersecurity standards for the bulk power system and has given the North American Electric Reliability Corporation (NERC) the authority to set and enforce reliability standards, including those related to cybersecurity.
FERC sets the policies and rules, while NERC, as the electric reliability organization, focuses on the technical details to ensure that the power grid remains reliable and secure.
The industry partners with other federal government organizations, such as the National Institute of Standards and Technology (NIST) and federal intelligence and law enforcement agencies. The grid also has its own Electricity Information Sharing and Analysis Center (E-ISAC). Established in 1999, the E-ISAC was created to reduce cyber and physical security risk to the North American electricity industry through information sharing, curated analysis, and security expertise. The E-ISAC is operated by NERC and is organizationally isolated from NERC’s enforcement processes.
However, local-level retail power distribution, which delivers that power to end users and includes investor-owned utilities, public power utilities and electric power cooperatives, falls largely under the authority of state public utility commissions, and much of it is outside FERC's jurisdiction. State utility commissions, which regulate rates and are authorized to impose certain requirements on electric utilities, in turn answer to state legislatures. Therefore, state legislatures may determine the breadth of the authority utility commissions have, and whether that authority extends to the realm of cybersecurity.
As information technology becomes more and more intertwined with operational technology, the grid’s growing reliance on digital systems increases the possibility of cyberattacks.
Reports from the U.S. Government Accountability Office warn that the grid’s generation, transmission, and distribution systems are all increasingly vulnerable to cyber intrusions. Since the 1970s, grid operators have relied on electronic industrial control systems (ICS) that are generally unsecured against malware such as Stuxnet, which targeted Iranian nuclear facilities in 2010. In 2019, the U.S. grid was hit by a cyberattack for the first time, though it did not cause any power disruptions.
In early February, Infosecurity magazine and multiple other sources reported on a joint advisory from several agencies stating that the Chinese threat group Volt Typhoon has positioned itself in multiple critical infrastructure sectors, including communications, energy, transportation, and water and wastewater. Although CISA first issued an advisory on the group in May of 2023, more details were released in early 2024.
Volt Typhoon is linked to China’s Ministry of State Security (MSS) and has been active since at least 2021.
Microsoft warned in October of 2023 that Volt Typhoon and other Chinese groups like Circle Typhoon were primed to launch destructive attacks after successfully targeting critical national infrastructure. CISA teams found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors. But they warned that what they’ve found to date is likely “the tip of the iceberg.”
Although China is considered the main threat by many, the threat is not just from China. On Nov. 25, an Iran-linked hacker group - with ties to the Iranian state itself - took control of a part of the Municipal Water Authority of Aliquippa, in western Pennsylvania near Pittsburgh. Crews switched to manual systems to deliver water to two towns.
The hackers entered the system through an Israeli-made programmable logic controller, which had been successfully targeted in attacks in Israel in the past couple of months.
The warnings are not just coming from CISA. David Pekoske, director of the U.S. Transportation Security Administration which oversees the security of pipelines, ports, railways, and aviation, told the DEF CON conference in August, “time is not our friend in this quest, we need to move very, very quickly. We need to be ready now.”
Considering this situation, possible threats from state actors like Volt Typhoon become that much more alarming. Even basic hardware such as a programmable logic controller becomes an entry point, opening the door to more frequent and more wide-ranging attacks from malicious actors.
How Do We Protect The Grid?
How best to protect critical infrastructure – in particular, the U.S. energy grid – keeps the U.S. Department of Homeland Security (DHS), the U.S. Department of Energy (DOE), the U.S. Department of Defense (DOD), and the U.S. intelligence community up at night. In fact, in its most recent Annual Threat Assessment, published in February 2023, the national intelligence director’s office said, “China almost certainly is capable of launching cyberattacks that could disrupt critical infrastructure services within the United States, including oil and gas pipelines, and rail systems.” Such a scenario would be catastrophic.
Power companies rely on Supervisory Control and Data Acquisition (SCADA) networks, many of which also need to be upgraded in response to cybersecurity threats that are escalating in scope and sophistication. The 2021 ransomware attack on the Colonial Pipeline (which caused it to close temporarily) illustrated these increased vulnerabilities. The problem is further complicated by the fact that much of this infrastructure lives in a digital environment that is reachable from the internet, so that exposure needs to be monitored as well. NIST is also addressing these challenges.
Modernizing the grid is currently a government priority, and most people agree it needs to happen sooner rather than later. In 2022 the Department of Energy announced a “Building a Better Grid” Initiative with plans to overhaul infrastructure while transitioning to clean electricity by 2035.
A key component of the Building a Better Grid program is to ensure that the country’s electric grid is more resilient to weather patterns. With estimates citing roughly 70 percent of the U.S.’s electrical grid systems as over 25 years old, energy officials also have concerns about the current power system’s resilience against cyber threats. To mitigate both outstanding threats, the Department of Energy will be investing over $20 billion to expand the electrical grid and bring it up to date.
One group elevating preparedness is an organization called The Electric Grid Cybersecurity Alliance. The goal of the organization is to bring utility executives together in a trusted forum to confidently build an industry-wide cybersecurity game plan. The founder of the alliance is John Miri, a 25-year tech and cybersecurity veteran who has spent the last decade in the electric utility industry. Miri says that the stated mission of the Alliance is to “unite utility leaders with one goal: to protect the world’s electric grids from cyberattack.”
In 2022 the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) announced that it will fund up to 15 research projects “that will establish or strengthen existing research partnerships with energy sector utilities, vendors, universities, national laboratories, and service providers working toward resilient energy delivery systems.”
DOE listed six proposed topic areas for the projects, including:
- Advanced software solutions with development feedback cycles to explore what works and doesn’t and uncover potential risks.
- Autonomous cybersecurity tools that automatically detect and mitigate attacks while preventing energy disruptions.
- Improving design resiliency by investing in research for tools with built-in cybersecurity-by-design.
- Authentication mechanisms that allow stronger authentications for energy delivery systems.
- Automated methods to discover and minimize vulnerabilities.
- Integrating new concepts and tech with existing infrastructure. The focus is on technology that can be retrofitted to the existing infrastructure.
This effort is designed to have researchers develop tools and technologies that enable energy systems to autonomously recognize a cyberattack, attempt to prevent it, and automatically isolate and eradicate it with no disruption to energy delivery.
CYRIN Can Help
According to some estimates, organizations can significantly reduce the cost of a breach by an average of $232,867 through cybersecurity training for their employees.
Training, or the lack of it, has consequences. CYRIN can help on several fronts. For the education market, we consistently work with colleges and universities both large and small to create realistic training that matches the environment students will encounter when they graduate and enter the workforce.
For industry we continue to work with our partners to address major challenges including incident response, ransomware, and phishing and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface.
We also work with all our users to create new content that fits this rapidly changing cyber landscape. In an increasingly digitized world, training, and especially experiential training, is critical. Unless you get the “hands-on” feel for the tools and attacks and train on incident response in real-world scenarios, you just won’t be prepared when the inevitable happens. A full-blown cyberattack is not something you can prepare for after it hits. The best time to plan and prepare is before the attack.
Our training platform teaches fundamental solutions using actual cyber tools in CYRIN’s labs, which you can practice with 24/7, in the cloud, with no special software required. Cyber is a team effort; to see what our team can do for you, take a look at our course catalog, or better yet, contact us for further information and a personalized demonstration of CYRIN. Take a test drive and see for yourself!
Image: peterschreiber.media