In the realm of cyberwarfare, attacking a U.S. power plant indicates an extreme level of aggression with a calculated intent to harm and disrupt. Two years ago, it happened in Oklahoma…
Sunny skies, 60-degree temperatures and light breezes. At Western Farmers Electric Cooperative (WFEC), the morning held all the right ingredients for an uneventful day in the electric utility business, with one exception. Somewhere in rural Oklahoma, an intruder picked the lock at a high-voltage substation, hacked a network device, and began working his way toward the inner sanctum of utility control systems: the Supervisory Control and Data Acquisition (SCADA) network controlling the flow of power to more than half a million homes and businesses. Noting unusual online activity, the FBI notified the generation and transmission cooperative immediately. Within seconds, WFEC emergency response teams shifted into overdrive, setting in motion protocols, policies, and practices designed precisely for this moment.
“To an electric utility, a compromised SCADA system is the equivalent of a five-alarm fire,” says Mike Meason, WFEC manager of technical services.
Charged with ensuring WFEC’s strong cyber defense, Meason recalls that day as a series of near-calamitous events that would test the co-op’s preparedness at multiple levels. He ought to know: He engineered every scenario, from the phony FBI alert to the break-in and other dastardly doings, as a vigorous professional training ‘boot camp’ known in the security realm as a hybrid live fire exercise. Such vulnerability assessments are recommended by the National Electric Reliability Council (NERC), the Department of Homeland Security, and the Rural Utility Service (RUS) to test a utility’s hands-on response and recovery to events that could threaten the nation’s power supply.
Swapping white hat for black, Meason spent more than three months crafting the framework of the day’s developments. With military-like precision—not to mention a generous dollop of diabolical genius—he created the perfect electric utility “day from hell.”
Staged physical and cyber break-ins forced WFEC physical, cybersecurity, and field teams to respond under pressure. Key staff conveniently “in surgery” for the day thrust other employees into surprise leadership roles. Ongoing media requests for information required clear and consistent communication between all departments. And then, to ensure no departmental cage went unrattled, Meason threw in a 6.0 earthquake. The quake triggered simulated equipment failures at multiple locations, calling safety and repair crews into the field while tech teams working at the substation were ordered back to the office in compliance with disaster safety protocol. The following day, employees gathered to discuss their day in the hot seat; a full report published later laid out the co-op’s strengths and weaknesses.
“The whole idea behind the exercise is not to be afraid of finding out where your weaknesses lie, because that’s exactly what it’s designed to reveal. The fact that you’re measuring your preparedness at all means you’re doing well,” Meason says.
In the dark realm of corporate espionage, cyber warfare, and cybercrime, finding and exploiting an organization’s weakest link is priority No. 1. Live fire exercises are one way to tease out soft spots. Mike Prescher, cybersecurity expert at Black & Veatch, worked with Meason on the training. Prescher says companies that perform live fire drills typically inform employees that the exercise is forthcoming, but don’t tell them when it will occur or what it will entail.
“It’s kind of like getting hit in the jaw. If I tell you I’m going to hit you in the jaw, and then I do it, nothing prepares you for what it really feels like,” Prescher says.
Even more covert—some might say, downright sneaky—are red team assessments. Performed by third-party security firms whose teammates often include former military, police, or security professionals, the red team approach gives about as much warning as a ninja and typically follows three to six weeks of intense physical and cyber reconnaissance. As the chief security officer for the Kansas City-based security firm Ravenii, Michael Yelland says understanding the adversary is vital.
“It’s all about painting a picture. We find out employee names. We get their email addresses. We sit in the parking lot and watch people come and go. We study their dress code. The more research we do, the higher our rate of success,” he adds.
Disguises, lies, “borrowing” identities, psychological manipulation, picking locks, scaling fences, and hiding in bathrooms after hours are all part of the red team’s clandestine skill set. Other tools in their bag of tricks: altered USB drives and charger cables, badge duplicators and printers, electronic pickpocket devices, bolt cutters, radio/wi-fi sniffers and signal disrupters, and 50 feet of rope.
“We’ve used high-tech gear to bypass a locked door, but sometimes all it takes is a manila folder, a piece of wire and some baby powder,” Yelland admits. “On average, it’s very low tech, common items, and environment-aware situations that gain us access.”
One of Yelland’s favorite ploys, known as “tailgating,” plays on the chivalrous tendencies of Midwestern menfolk.
“If a male employee is walking toward the door and I send in a woman carrying an armload of pizzas, I can promise you that man will hold the door open and let her waltz right in,” Yelland says.
While human nature will continue to present problems for security-conscious companies, Yelland stresses that the same imperfect people can forge a formidable barrier with the right training. When the transmission cooperative KAMO Power hired Ravenii to perform security assessments for its member co-ops, it wasn’t multi-layered firewalls, locked doors, or high-tech security cameras that thwarted red team penetration attempts; it was people. Bound by principles that include cooperation among co-ops, the co-ops’ willingness to share intel about suspicious tactics proved highly effective. Even more ironic, they did their communicating the old-fashioned way—over the phone.
As the nation’s power supply network marches toward increased reliance on internet-connected devices, industry watchdogs such as the Edison Electric Institute and NERC are urging electric utilities to improve communication among themselves and other stakeholders as a way to shore up defenses. Training, practice, protocol, communication: When the cyber alarm sounds calling “all hands on deck,” it won’t fall to one utility or one tactic to save the day; it will require every one.