Quiz: How Vulnerable is the Power Grid to Cyber Attack?

Posted on July 25, 2016
Posted By: Ellen Smith

Co-author Scott Corzine

Most Americans are familiar with the high-profile hacking incidents of recent years—the public exposure of Sony Pictures’ private email, for instance, or the theft of credit card information belonging to 56 million Home Depot customers. But the damage from those breaches may pale in comparison to what cybersecurity experts believe is sure to come: a penetrating attack on the power grid.

Hacking into the industrial control systems of our electric infrastructure presents a huge national security risk. Disrupting or sabotaging our power supply would have catastrophic consequences for public safety and health. Yet the electric utility industry remains shockingly ill-prepared to combat the threat, while insisting that it has taken adequate precautions. Why? Three reasons: one, a disconnect within individual companies among risk managers, IT, engineering, and operations; two, the inability to keep pace with an increasingly sophisticated hacking culture that is capable of inserting malicious software (malware) into industrial components; and three, the stance within the industry that it is already doing enough to comply with cybersecurity standards.

The 2013 hack into the controls of a small hydro-electric dam in Rye Brook, NY, by a rogue Iranian group should be a wake-up call. The 2015 Ukrainian power utility hack, widely attributed to Russia, is another. Both incidents demonstrated the capabilities of hostile adversaries and carried a tacit warning that similar damage can be done—perhaps at will—to U.S. utilities. These intrusions, and 750 more that have been identified and catalogued by Industrial Control System (ICS) cybersecurity experts, exposed the grid’s vulnerability and punctuated the need to move faster in light of the rapid changes to our digital world. With about 6.4 billion devices and control systems connected through the Internet of Things, and nearly 21 billion expected by 2020, the number of entry points for attack is multiplying daily.

Minimizing the risk is not just about training a network IT team. It’s about running a comprehensive and continuous scan of operational technology (OT)—the programmable logic controllers, the mobile devices, the supervisory control and data acquisition (SCADA) systems, etc.—and then coordinating OT and IT teams with risk officers and crisis management experts to form a cohesive front capable of responding to an industrial cyber incident.

The idea that minimizing risk can be accomplished through IT alone as if it’s a corporate website is a misconception. See if you can identify other misconceptions about the industry with our true or false quiz.

1. TRUE OR FALSE: Attackers can use the same techniques to penetrate the grid’s industrial controls as they can for hacking into a corporate website.

TRUE: With some variations, hackers can penetrate both kinds of systems through similar illicit means. The Iranian hackers who breached the New York dam reportedly used a simple legal search engine that surfs for unguarded control systems online. As part of the same plot, they also breached 46 of the nation’s largest financial institutions.

2. TRUE OR FALSE: Older analog control systems provide a superior level of protection against cyber attacks.

FALSE: Analog systems may ironically be superior in this instance simply because they are not tethered to microprocessor-based technology, and are thus un-addressable by the network. That makes them less vulnerable to cyberattack. But that doesn’t mean the ongoing modernization of the industry to full digital should be—or even can be—halted; the operational improvements and efficiencies are too great. It simply means that upgraded networks must include far more robust precautions and protection against the threat of attack.

3. TRUE OR FALSE: The standards for industrial control systems are so complex most hackers do not understand them.

FALSE: If one hacker does not understand a specific system, there’s likely another who does—or who is willing to sell the hacked specifications on the black market. In 2014, Russian researchers identified almost 60,000 exposed SCADA control systems that had been breached online over the previous year.

4. TRUE OR FALSE: It’s easy to comply with current protective standards for the electric grid set by the authority in charge.

TRUE: Compliance is relatively straightforward because the authority—the North American Electric Reliability Corporation (NERC)—is composed of the users, owners, and operators of the member utilities themselves. As such, NERC members are allowed to self-certify. However, leading cybersecurity experts consider the standards not tough enough, and NERC has been slow to place stricter compliance burdens on its members.

5. TRUE OR FALSE: Legislators agree on the need for the government to improve cyber-defense of its own networks, systems, and data related to the grid.

TRUE: Based on Congressional hearings earlier this year, legislators do agree. But there is little consensus about how to improve defense, and a lack of understanding about how to accomplish this. One reason is that the agencies involved, such as Homeland Security and the Department of Defense, operate under their own assumptions and conclusions about the issue, despite meeting three times a year with the FBI’s Cyber Division. Combine that with the fact that hacker sophistication is likely to make any legislation designed to protect the grid outdated by the time it takes effect, and the need for consensus is even more acute.

6. TRUE OR FALSE: The federal government can be counted on to protect us in the event of an attack on the power grid.

FALSE: The United States Computer Emergency Readiness Team (US-CERT) has a rapid response plan in place for attacks, but the agency’s limited resources and the growing sophistication of cyberattacks make it difficult to keep up with all the remedies needed. Even the Electricity Sector Coordinating Council, made up of power industry CEOs who meet three times a year with the administration, has not found a “silver bullet” to protect the public from viable threats to the power grid.

7. TRUE OR FALSE: Large countries with a strong military pose the greatest cyber threat to the U.S. power grid.

FALSE: Unlike the Cold War years, when the U.S. and Russia were the major players on the world’s military stage, anyone can be a cyber adversary—that includes not only the newer threats of Russia and China, but also rogue nations such as North Korea, Iran, and Syria. Alarmingly, individuals and terrorist groups such as ISIS are also just as potent a threat.

8. TRUE OR FALSE: Cyberinsurance policies provide sufficient protection from attacks.

FALSE: While the uptake of cybersecurity insurance policies is growing at 20% annually and written cyberinsurance premiums are expected to reach $7.5 billion by 2020, underwriters are just beginning to understand the risk to industrial assets and the liability from third-party losses. How insurance policies respond to the destruction of industrial assets from a successful cyber-attack is under debate and evolving.

9. TRUE OR FALSE: Not all hackers are bad guys.

TRUE: Some large-scale organizations, such as Google, PayPal and Yahoo, have a “bug bounty” program that rewards “whitehat” or ethical hackers for exposing vulnerabilities in their systems. Any risk management practice worth its salt will feature its own ethical hackers as part of its range of services to probe a client’s defenses, identify vulnerabilities, and propose fixes.

Co-author Scott Corzine is Managing Director of Global Insurance Services in Forensic and Litigation Consulting, Risk Management Service.

Read the original article on FTI Journal.


Authored By:
Ellen S. Smith, P.E. is a Senior Managing Director at FTI Consulting, based in the Boston office. She works within the Economic Consulting segment, specializing in business advisory and litigation support services. Ms. Smith’s areas of expertise include matters involving power reliability related damages, utility regulatory strategy, emergency response and strategic communications.