In the last decade, researchers have developed processes for a “cyber kill chain” in order to detect and respond to cyber-attacks. This work was used as a foundation for development of an Industrial Control System (ICS) Kill Chain that can result in a cyber-physical attack on the power grid and other critical infrastructure systems.[i] Today, that work should be taken a step further by DOE and its private sector partners to develop a kill chain for compromised equipment that presently is, or in the future may be installed on the U.S. electric grid.

A military kill chain, in its simplest sense, is a series of detailed steps designed to identify, find, engage, and destroy a target. The ICS cyber kill chain is a series of steps that start with planning and preparation and progressing to an ICS attack.[ii] An industry-government partnership aimed at developing a kill chain for compromised equipment can help government agencies and electric utilities understand and combat a variety of supply chain threats, including security breaches, and advanced persistent attacks, as well as develop effective countermeasures.

One key link that may help reveal compromised equipment if the need for that equipment to engage in communications designed to give the attacker “hands on the keyboard,” to control the compromised equipment from inside the target.[iii]

According to Stockton’s report, one of the most direct means for adversaries to mount an attack involves the sensors and communications systems already embedded in grid components.[iv] For example, modern transformers have multiple digital devices and sensors, such as oil temperature sensors and transformer cooling system controls that could be used to disable or mis-operate those transformers on parts of the power system such as where Defense Critical Electric Infrastructure (DCEI) is located.

Fortunately, the utility industry is well aware of this particular risk and have been taking measures to reduce them, such as sending equipment experts to transformer manufacturing plants to monitor production to ensure their integrity before they leave the factory and then test equipment during installation. Another key defensive opportunity lies in closely monitoring installed equipment for unusual behavior – known as anomaly detection.  However, increased digitization of the grid is creating new targets for adversaries and greatly increasing the complexity of countering attacks.[v]

Another concern involves insider threats — placing personnel inside a bulk power system entity to insert or trigger an attack using compromised equipment. Utilities have processes, such as background investigations, to counter this threat, which is key to countering both supply chain-based attacks and intentional mis-operation of grid equipment, but on-going vigilance remains necessary.[vi]

The Stockton report also notes an increasingly urgent concern around adversaries leapfrogging steps in a kill chain by exploiting “latent vulnerabilities” in bulk power system networks and other equipment, rather than compromises they insert. For example, the Department of Defense, as well as utilities, rely on commercial off-the-shelf software and other components that may have known vulnerabilities, providing a shortcut to disrupt controls and systems. This means that more nuanced, equipment-specific versions of kill chains will be necessary to address not only new equipment entering and moving through the supply chain, but for existing equipment as well to account for latent vulnerability risks.[vii]

Finally, with regard to meeting the mandate of the Administration’s Executive Order, Stockton suggests several specifics:

• Effective implementation will require both identification of the steps in a kill chain and a careful analysis of the costs and benefits, noting that “technologically exquisite but expensive countermeasures may offer fewer benefits than more straightforward approaches – including measures to prevent the insertion of compromised equipment by scrutinizing equipment producers and their subcontractors for foreign influence.”[viii]
• The U.S should look at prioritizing efforts that deprive adversaries of their highest-impact targets and drive them down the chain to pursue more difficult and less cost-effective options.[ix]
• Opportunities for feints and deception should be evaluated to keep adversaries guessing as to whether their equipment comprises would actually work, and not publicizing U.S. defensive efforts and accomplishments, could raise doubts as to whether intended goals could be achieved.[x]
• Anticipate a successful grid attack and plan ahead to rapidly limit its effects by determining how existing emergency plans and capabilities might be used to defeat supply chain-based attacks, prioritizing a system for restoration of power to critical facilities, and enhancing industry spare equipment programs by expanding the scope of spare equipment inventories and distribution plans, and recognizing “the (very likely) possibility that adversaries will seek to compromise both stored spares and in-place equipment.”[xi]

Next week: Defense in Depth Against the Insertion of Compromised Equipment