POWER August 2015 - 22

Cyber Threats: Is the Sky Falling or Is the Threat Real?
Sean B. Hoar
Is the sky falling? No, but are there lessons we can learn from
Chicken Little? Absolutely. False alarms and fear mongering
consume energy we can ill afford to waste, but should some
sort of alarm be sounding? Of course.
The challenge is that alarms have the potential to create
"white noise." The constant barrage of headlines may desensitize
us to the magnitude of the potential harm. How bad can it be?
Perhaps we should look at a few of the major cyber attacks within
the past 18 months.
Who would have thought that hackers could have stolen over
$1 billion from more than 100 banks in 30 countries in orchestrated
attacks? Who would have thought that hackers could have
compromised more than 80 million user accounts from one of
the nation's largest banks? Who would have thought that hackers
could have accessed sensitive information belonging to 80
million consumers from one of the nation's largest health insurers?
And regarding truly sensitive information, who would have
thought that hackers could have accessed sensitive information
belonging to all current and former federal employees, including
all information about those with security clearances? But does
the energy sector face the same harm?
Not If, but When
We regularly read about stolen consumer information, hacked
healthcare records, or breached government systems, but what
about the critical systems in our energy infrastructure? Stealing
consumer or employee information from an electrical utility
doesn't make for a very sexy headline, but what about the impact
of compromised industrial control systems in the midst of winter?
What about 10,000 commuters jammed for hours due to accidents
caused by disabled traffic lights and disrupted emergency
services? What about 10,000 elderly consumers with no heat
and no ability to call for help? What about healthcare facilities
plunged into darkness, forced to rely upon backup generators in
the midst of surgeries, unable to access critical medical records
on servers knocked offline?
While some perceive it to be the stuff of spy movies, the threat
to the energy sector is real. It is only a matter of time before
it experiences a major information security incident affecting a
large population of consumers. The next big hack in the energy
sector is inevitable; the only questions are: Who will be its victims,
when will it happen, and how bad will it be?
The danger is that entities within the energy sector not only
face the same risks confronted by any business with an online interface,
but they also risk intrusion by potentially grid-damaging
malware that could result in downed services and devastating
humanitarian consequences.
Real . . . and Underreported
A recent report issued by the Department of Homeland Security
(DHS) stated that the Industrial Control Systems-Cyber Emergency
Response Team (ICS-CERT) responded to 245 cyber incidents
in 2014 (see http://1.usa.gov/1DfWPdd). The energy
sector, once again, led all other sectors with the most reported
incidents (79). The fact that 32% of the total came from the
energy sector tends to indicate that the threat is real, and that
the energy sector is a major target. Regarding the number of
incidents, it is highly likely that the actual total, and the total
directed at the energy sector, was much higher. As the DHS
stated, "Many more incidents occur in critical infrastructure
that go unreported."
Of the total, roughly 55% involved advanced persistent threats
or sophisticated actors. The scope of the incidents encompassed
a wide range of threats and methods for attempting to gain access
to both business and control systems infrastructure, including
the following:
■ Unauthorized access to and exploitation of Internet-facing industrial
control system/supervisory control and data acquisition
devices
■ Exploitation of zero-day vulnerabilities in control system devices
and software
■ Malware infections within air-gapped control system networks
■ SQL injection via exploitation of web application vulnerabilities
■ Network scanning and probing
■ Lateral movement between network zones
■ Targeted spear-phishing campaigns
■ Strategic website compromises (aka, watering hole attacks)
The access vector was unknown for a majority of the incidents.
In those instances, the organization was confirmed to be compromised
but the forensic evidence did not reveal a method of intrusion
because of a lack of detection and monitoring within the
compromised networks. Of the known access vectors, however,
social engineering combined with technical subterfuge proved
to be one of the most successful. Spear phishing, or targeted
attacks at individual users, provided access for 42 malicious attacks,
or 17% of the total.
ICS-CERT also received 159 reports involving vulnerabilities in
control systems components in 2014. The majority of vulnerabilities
occurred in the energy sector.
Industrial control systems used to be stand-alone collections
of hardware and software, isolated from most external threats.
Today, widely integrated software applications and Internet-enabled
devices expose these systems to malicious actors who will
exploit vulnerabilities, posing significant risks to human health
and safety, the environment, and business and government operations.
Is the threat real? Absolutely. ■
-Sean B. Hoar is a partner in the privacy and security practice
with Davis Wright Tremaine LLP.