Could hackers target electric co-ops and their broadband assets?

Electric cooperatives are one of the fastest growing groups of internet service providers in the U.S. But one expert told Fierce that if they’re not careful to properly secure their broadband systems, they could leave the door open for attackers looking to hold the network – or even the power grid – hostage.

It’s no secret that utilities are increasingly a target for cyberattacks. Mark Dehus, director of threat intelligence for Lumen’s Black Lotus Labs, pointed to the Colonial Pipeline hack and attempts to compromise Ukraine’s power grid as recent examples of such threats. While utilities generally have pretty beefy security measures in place, the introduction of new broadband services can expose critical control systems to the internet.

“If in any way the broadband management ecosystem is at all tied into the power grid management ecosystem…when those two control planes are intermixed, a threat can pivot from the broadband side into the power control side. And that is incredibly scary,” Dehus said. He added a threat is less likely to start on the power side and move into the broadband system because the exposure on the broadband side is going to be greater since it is connected to the internet.

To be clear, Dehus said the standard practice across the industry has been to isolate power grid management from other systems. However, Dehus noted there’s a cost burden associated with doing so and it’s possible smaller, less well-funded co-ops have made control plane decisions based on the financial implications rather than security factors.

Fierce reached out to the National Rural Electric Cooperative Association (NRECA); Conexon, which works with co-ops to deploy broadband services; and Dominion Energy seeking more information about co-op security practices but did not receive any responses before deadline.

IEEE Senior Member Jack Burbank seconded the idea that, while smaller co-ops might be tempted to link systems, it is critical to maintain some separation between them.

"It is tempting, especially for smaller organizations, to want to control costs by managing and controlling multiple systems from the same network, same workstations, etc. It is never a good idea to 'cross the streams' in this way. Cyber attacks usually follow 'kill chains', and they're called chains for a very good reason. A would-be attacker will almost never go directly after the system they are actually interested in," he explained. "They will go after the weakest target that gives them access."

In terms of what an attack might look like, Dehus said the two most likely objectives of a hacker would be system disruption or ransom. He said the attacks in Ukraine were an example of the former. And in the case of the latter, an attacker could hold either customer data or network operation for ransom. A data ransom was what happened in the Colonial Pipeline case, he added.

“It wasn’t the actual pipeline itself that was compromised, it was the ancillary systems,” he explained. “But the organization didn’t know if the control systems had been affected as part of that operation. And so, the fact that they couldn’t bill customers, combined with the fact that they were uncertain whether the industrial control systems had been accessed or tampered with resulted in the shutdown.”

For co-ops, the impacts of an attack could range from data loss and potential fines for privacy violations to trivial outages or a system-wide shutdown that could potentially have greater impacts upstream, Dehus said.

The takeaway, Dehus concluded, is that co-op leadership should be paying close attention to issues like these. In terms of best practices beyond maintaining separate management systems for power and broadband assets, Dehus said co-ops can ensure they have good patching in place and closely monitor attack surfaces. Traffic anomalies on industrial control systems should be fairly easy to spot given these usually have fairly regular patterns, he said.
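The two points above, keeping the broadband management plane out of the power control plane and spotting deviations from the regular polling patterns of industrial control traffic, can be turned into a small monitor. The following is an added example written for this page; it is not code from Lumen, Black Lotus Labs or any co-op, and every address, subnet, port and flow record in it is constructed for illustration: the OT (power control) network is assumed to be 10.10.0.0/16, the broadband management network 10.20.0.0/16, and a single jump host 10.30.0.5 is the only non-OT address permitted to reach OT. It learns per-conversation polling intervals from a clean baseline window and then flags cross-plane traffic, never-seen conversations, and timing bursts on known polls.

```python
"""Added example (not from the article): baseline-and-deviation monitor for
ICS flow records plus a cross-plane policy check.

All subnets, hosts, ports and flow records below are constructed for
illustration; adjust them to the real OT and broadband address plans.
A flow record is (timestamp_seconds, src_ip, dst_ip, dst_port, protocol).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

OT_NET = ip_network("10.10.0.0/16")               # assumed power control network
BROADBAND_MGMT_NET = ip_network("10.20.0.0/16")   # assumed broadband management network
PERMITTED_OT_INGRESS = {ip_address("10.30.0.5")}  # assumed hardened jump host


def learn_baseline(flows):
    """Return {(src, dst, port): (mean_interval, stdev)} learned from a clean window.

    Conversations seen fewer than three times get (None, None): they are known,
    but there are too few samples to judge their timing.
    """
    times = defaultdict(list)
    for ts, src, dst, port, _proto in flows:
        times[(src, dst, port)].append(ts)
    baseline = {}
    for key, ts_list in times.items():
        ts_list.sort()
        intervals = [b - a for a, b in zip(ts_list, ts_list[1:])]
        baseline[key] = (mean(intervals), pstdev(intervals)) if len(intervals) >= 2 else (None, None)
    return baseline


def detect(flows, baseline, sigma=3.0, min_stdev=0.5):
    """Return [(reason, flow)] for flows that violate policy or deviate from baseline.

    min_stdev keeps a perfectly regular poll (stdev 0) from alerting on sub-second jitter.
    """
    last_seen = {}
    alerts = []
    for flow in flows:
        ts, src, dst, port, _proto = flow
        s, d = ip_address(src), ip_address(dst)
        key = (src, dst, port)
        # 1. Cross-plane policy: traffic entering OT from outside must come from the jump host.
        if d in OT_NET and s not in OT_NET and s not in PERMITTED_OT_INGRESS:
            reason = "cross-plane" if s in BROADBAND_MGMT_NET else "unexpected-ot-ingress"
            alerts.append((reason, flow))
            continue
        # 2. A conversation that never appeared in the baseline window.
        if key not in baseline:
            alerts.append(("new-flow", flow))
            continue
        # 3. A known poll arriving far outside its learned cadence.
        mu, sd = baseline[key]
        prev = last_seen.get(key)
        if prev is not None and mu is not None:
            if abs((ts - prev) - mu) > sigma * max(sd, min_stdev):
                alerts.append(("timing", flow))
        last_seen[key] = ts
    return alerts


# Constructed baseline: a SCADA master polls an RTU over Modbus/TCP (502) every
# 2 s, and a historian polls the same RTU over DNP3 (20000) every 5 s.
BASELINE_FLOWS = [(float(t), "10.10.1.10", "10.10.5.20", 502, "tcp") for t in range(0, 40, 2)]
BASELINE_FLOWS += [(float(t), "10.10.1.11", "10.10.5.20", 20000, "tcp") for t in range(0, 40, 5)]

# Constructed observation window with three kinds of deviation mixed into normal polls.
OBSERVED_FLOWS = [
    (100.0, "10.10.1.10", "10.10.5.20", 502, "tcp"),    # normal poll
    (102.0, "10.10.1.10", "10.10.5.20", 502, "tcp"),    # normal poll, 2 s later
    (102.2, "10.10.1.10", "10.10.5.20", 502, "tcp"),    # burst 0.2 s later -> timing
    (103.0, "10.20.3.7", "10.10.5.20", 502, "tcp"),     # broadband mgmt host talking Modbus to the RTU -> cross-plane
    (104.0, "10.10.1.10", "10.10.5.21", 502, "tcp"),    # master reaching an RTU never seen in baseline -> new-flow
    (105.0, "10.30.0.5", "10.10.1.10", 22, "tcp"),      # jump host SSH: permitted ingress, but not in baseline -> new-flow
    (106.0, "10.10.1.11", "10.10.5.20", 20000, "tcp"),  # first historian poll in window, no timing check yet
]


def run_example():
    """Learn from the baseline window and return alerts for the observed window."""
    return detect(OBSERVED_FLOWS, learn_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for reason, flow in run_example():
        print(f"{reason:12s} {flow}")
```

The cross-plane check runs before the baseline check on purpose: a broadband-side host reaching a Modbus port must alert even if some earlier misconfiguration had let it into the baseline window, and the jump-host allow-list is the one deliberate exception. In production the baseline would be relearned per shift or per device and the flow records would come from a network tap or NetFlow export rather than a list in the script.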

That said, keeping management systems separate doesn't necessarily require separate infrastructure. Burbank acknowledged there are ways to provide dual functionality for different systems using the same infrastructure, but cautioned these require "good design and good policy."

"Strong cryptographic separation between the systems, like in the form of strong Virtual Private Network (VPN) technology, can allow someone to run essentially two independent networks over the same physical infrastructure...But they must also remember that policy, and administrative practices play a huge role," he said. "Zero trust principles will play a huge role here, and here I mean both in terms of zero-trust technology and zero-trust policy."

Burbank concluded: "Can it be done? Absolutely. Is there increased risk? Undoubtedly. Can that risk be mitigated and managed to acceptable levels? Yes. All it takes is careful and intentional design, both of technology and policy."

This story has been updated to include comments from IEEE.