Dive Brief:
- Two new and widespread cybersecurity vulnerabilities have been identified, but it is unclear thus far how they might impact the utility space, and patches to address the issue have been significantly impacting system performance.
- The Spectre and Meltdown vulnerabilities were identified last year, and the public was informed early this month. The two security flaws leverage processing techniques known as speculative execution and caching, in order to access data that should be off limits.
- According to Greentech Media, solar inverters are one piece of equipment which may leave electric utilities vulnerable.
Dive Insight:
The utility industry has stepped up its cybersecurity in recent years in response to frequent threats and sporadically successful attacks. But the newest tech weaknesses are essentially built into the hardware and exist in most processor chips produced in the last 20 years, according to recent reports.
Dima Tokar, cofounder and CTO of MachNation, told Greentech Media that "anyone operating mission-critical systems or infrastructure should assume they are vulnerable until they confirm otherwise.”
Google's Project Zero tech security team announced the vulnerability Jan. 3, but said individual chip vendors may be in the best position to help affected system owners.
"We have some ideas on possible mitigations and provided some of those ideas to the processor vendors; however, we believe that the processor vendors are in a much better position than we are to design and evaluate mitigations, and we expect them to be the source of authoritative guidance," Google's Project Zero team wrote.
One problem thus far, however, is that patches to address the vulnerability are significantly slowing down operating systems. The features Spectre and Meltdown attack were created to speed up computer processors, and plugging the leak has resulted in performance slowdowns of up to 30%, according to security website CSO.
Meltdown can affect desktop computers, laptops and cloud-based systems. Google explained that "every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013)."
For Spectre, "almost every system is affected," Google said. "All modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors."
The electric utility industry has made cybersecurity a major priority, particularly after a 2015 attack on Ukraine resulted in widespread power outages. Last summer, cybersecurity firm Dragos issued a report concluding the malware used in that attack could be modified by developers to target the United States.
