The overhaul of the energy sector, globally, comes with new risks, threats and breaches that may be bigger than ever before. The industry is becoming a prime target for cyberattacks, with power outages increasingly being a common denominator. If you are wondering how the two are interlinked and why.
For a two-year period starting March 2016, power plants, electric systems and other critical infrastructure in the United States of America were targeted by a campaign of cyberattacks.
The US Department of Homeland Security says the campaign comprises two distinct categories of victims: staging and intended targets. Its statement notes that the initial victims are peripheral organisations such as trusted third-party suppliers with less secure networks, referred to as staging targets. “The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims,” says the statement.
The United States is not alone in battling the increased risk of cyberattacks on its energy sector in the past few years. According to reports, Europe, Japan and Australia too have identified that their energy sectors are a prime target for cyberattacks. The question is, who would want to attack power systems and why?
“What has clearly been stated in all threat intelligence reports, based on last year’s cybersecurity incidents in the energy sector, is that nations, hacktivists, terrorists and organised crime groups are the main actors. It is evident that the energy sector is targeted because getting an energy grid down has tremendous impact on our safety, health, way of living and on society at large,” explains Jonas Blomqvist, General Manager, Cyber Security, Wärtsilä.
An increase in the number of actors or cyber criminals in the past few years has taken a severe toll on the quality of attacks too. Risks have grown manifold and the potential impact of a breach has amplified. Cyber attackers are now targeting Industrial Control Systems (ICS) like DCS and SCADA systems that are an important part of Operational Technology (OT) in the utilities sector.
According to Deloitte, “Previously, attackers primarily targeted utilities’ information technology (IT) systems to steal data or launch ransomware for financial gain. The threat is now becoming even more insidious, with reports of hackers tied to nation-states and organised crime trying to burrow their way into utility ICS, seeking to learn how systems operate, and positioning themselves to control critical physical assets, such as power plants, substations, transmission, and distribution networks, and to potentially disrupt or even destroy them. This targeting of ICS, which has developed over the last year only, is blurring the lines between cyber- and physical attacks, prompting national security concerns in many countries.”
“The biggest reason for this is ‘hyper connectivity’. This we need to understand from a broader perspective and not just understand it as connectivity from the external world via the internet to an asset, but also the more important connectivity established inside corporations these days. When companies connect their IT infrastructure with OT infrastructure, that by tradition has been isolated, it is introducing an extremely efficient attack vector to leverage from IT- to OT-infrastructure,” says Blomqvist.
As cyber attackers seek to control power systems, the chances of more blackouts are increasing. That can be any country’s worst nightmare coming true since blackouts have a significant and direct impact on the safety, health and economy of a country.
Eaton’s 2017 Blackout Tracker reportedly estimates that 37 million people in the US were affected in more than 3,000 outage events in the country. Similarly, the World Economic Forum estimates that just a six-hour winter blackout in mainland France could result in damages to households, businesses and vital institutions totalling over EUR 1.5 billion. A more recent incident was the blackout in South America, which hit tens of millions in Argentina, Uruguay and Paraguay on 16 June 2019.
So, how can the risk of a power blackout be managed efficiently? Experts say security begins with every individual. Companies need to make their personnel aware of cyber security, define their tolerable cyber security risk level, decide upon a standard framework to adapt to, set a security level to be achieved, and use external auditing consultants to get independent viewpoints on the environment and setup.
“It is important to separate safety systems from operations networks, always control and monitor devices connected to your digital network and know the attributes of your firewalls, SCADA and DCS systems,” notes Blomqvist.
“You must know and monitor your grid - instead of just having your generators, substations and transmission lines identified - and understanding your grid's load and demand curves – you must know to where and to what devices your generators and substations are interconnected and how and who are controlling your assets,” he elaborates.
It is important for utility companies to continuously be prepared to counter new risks because the threat landscape is ever expanding with digitisation, IoT (Internet of Things) and AI (Artificial Intelligence). For instance, researchers at Princeton University have found that hackers can attack a grid through high-wattage smart appliances like air conditioners and heaters by manipulating demand, thereby causing a lockdown. This scenario, like many others that have not been imagined before, has not materialised in the real world as yet. In the event of such a scenario unfolding, it is better to have taken precautions in advance. In short, it is smarter to be safe than sorry.