A perfect storm of technical & human vulnerabilities
The global dependency and wide use of utility companies makes the system highly vulnerable to both natural and human-made disasters. This industry is an especially attractive target for state-sponsored and cybercrime gangs, who often launch attacks for political and extortion reasons.
Stuxnet is an infamous example — perhaps the granddaddy of critical infrastructure attacks — and is often seen as a primer for those to come. Stuxnet was a computer worm that infected the centrifuges within an Iranian nuclear plant. At the time, control units were not connected to any external system like the internet. Once installed, the worm wreaked havoc, destroyed the centrifuges and shut down operations.
Stuxnet attacked a contained system, allegedly using a USB middleman to implant the malware. But modern industrial systems are at least, in part, internet-enabled. New malware strains like Triton are designed to specifically target industrial control systems (ICS) to cause damage or shut them down. And with more open systems, the middleman role of malware infection just got a whole lot easier.
It is on this chilling note that we turn to the top security concerns facing energy and utility providers today.
Challenge 1: Securing critical infrastructure & the grid
Critical infrastructures are not only the way we keep the lights on: they also play an intrinsic role in our economy. Our energy and utility critical infrastructures are experiencing a profound shift towards the use of smarter technologies to counter the increase in resource requirements of a burgeoning global population.
Operational Technologies (OT), such as Industrial Control Systems (ICS) and SCADA, are being increasingly targeted as they become increasingly connected to wider networks. A Kaspersky report into challenges experienced when OT and IT merge found that a major problem was in a lack of “maturity” in cybersecurity approaches across the merger. The report points out that three-quarters of respondents said they expect to be a victim of a cybersecurity attack because of this merger between OT with IT.
A 2019 survey from Ponemon and Siemens on cyber-threats in the utilities sector shows that 56% of respondents reported at least one shutdown or operational data loss per year, and 25% were hit by a “mega attack usually initiated by nation-state actors.” The survey also pointed out that 54% expect an attack on critical infrastructure in the next 12 months.
In the UK, the government is attempting to fit 26 million homes with a smart meter by 2020. Similarly, the EU is pushing to have 80 percent of traditional meters replaced by smart meters by 2020. The use of smart grids is almost inevitable, as their use helps optimize energy requirements by understanding usage patterns more clearly.
However, the use of the smart meter comes with security concerns. Privacy issues are monitored by groups like Stop Smart Meters, who have published findings that smart meters are being used to research TV viewing habits and other marketing-related data.
And in terms of security, there have been a number of studies on the vulnerabilities of smart-grid supplied critical infrastructure. False data injection (FDI) has been proposed as one area of weakness. Using FDI, malicious actors could inject false data to cause harm to the grid, potentially causing a shutdown.
These types of critical infrastructure attacks are already here:
- European utility EDP was the victim of a Ragnar Locker ransomware attack. The malware demanded an $11 million ransom. Ransomware attacks on OT increased by 67% in Q4 2019 according to IBM X-Force.
- The Ukrainian electricity grid experienced mass outages after it was infected by CrashOverride malware. Experts suspect the CrashOverride attack was caused by a spearphishing campaign targeting IT administrators of electricity distributors across the grid. The email campaign allowed malware to infect machines of any user who clicked on the attachment, effectively opening a backdoor into the grid.
- Attack campaigns by cybercrime groups such as BlackEnergy are a major threat to critical infrastructures, including utilities. Like CrashOverride, the BlackEnergy campaign was based on a Trojan used to carry out DDoS attacks against utilities. Again, the source was a spearphishing email campaign, and again, Ukraine was a victim and possibly a testbed for other utility attacks.
In 2018, the National Institute of Standards and Technology (NIST) updated their framework for critical infrastructure security. The framework provides security best practices and risk management guidance for energy and utility companies. Consider applying these baseline rules to your own critical infrastructure security.
The security aspects of smart grids, such as injecting false energy data and disrupting the grid, must be addressed using smart security measures and developing countermeasures based on intelligent interpretation of data.
As for smart meters, privacy issues are a separate concern. Privacy is something that needs to be addressed to encourage adoption by the general public. Smart meters, after all, should be for the good of the country and help us all create a sustainable model of energy use.
Challenge 2: IoT & cyber-physical attacks
A Mission Support Center Analysis report on cyberthreats to the US electrical sector stated that in the coming years, “cyber threats to utilities are likely to grow in number and sophistication.”
One of the reasons for this is the increasing use of internet-enabled devices and wireless sensor networks by energy and utility providers. According to IBM X-Force, attacks on internet-enabled industrial control systems (ICS) and other OT assets increased by over 2,000 percent since 2018.
Modern industrial systems are based on use of the cyber-physical system. ICS units are increasingly becoming part of the wider Internet of Things (IoT), allowing them to control physical systems using digital methods.
As part of this movement, mobile apps are also being used as remote control points for ICS units. Connecting the ICS to a wider internet across multiple endpoints is creating an interwoven threat matrix offering new vectors of attack for utilities and energy. In doing so, we have created many new points of malicious entry, as well as failure — the perfect storm for cybercrime. In addition, sensitive, valuable data is often drawn into the system.
The types of attacks seen in the sector include espionage, data breaches, vandalism, physical damage and data tampering. A study into the use of mobile apps to control ICS discovered 147 vulnerabilities, of which 20 percent could be used as a vector for malicious control of the industrial process.
Cyber-physical systems in the industry are part of the evolving movement towards more automated processes and Industry 4.0. It is a movement that is bringing greater efficiencies and helping manage resource supply. We cannot turn back this clock, but we can put solid web security measures in place to protect systems from outside attack.
One such measure is at the government level, where a number of initiatives are happening. In the US, for example, there is a concerted effort to create national regulations and standards for securing industrial systems. The ICS-CERT Monthly Monitor also documents known ICS vulnerabilities, helping security professionals in the industry stay current with potential issues.
Challenge 3: Automation, AI & privacy
Industry 4.0 is using a multitude of new technologies to streamline processes. This includes the use of cloud computing and big data, robotics and artificial intelligence (AI). Upside Energy’s Virtual Energy Store, for example, uses intelligent energy as a smart storage solution. This utilizes machine learning to optimize energy consumption, both in consumer and business contexts.
Automation will bring new security and privacy concerns, as AI and machine learning capture personal and other sensitive information to build better and more optimized systems. Aggregation of these data may also draw new concerns, especially in terms of privacy.
Aggregation of data is a key issue in privacy. It means that even de-identification techniques can be overridden. However, the use of anonymization and de-identification can be made more effective by good data governance. Specialist frameworks like The Health Information Trust Alliance (HITRUST) can help inform use of de-identified data at your organization.
Challenge 4: Security skills shortage & maintaining a culture of security
Utility and energy companies are part of a well-established, traditional industry. Their core business is not security. However, placing security as an afterthought and not giving due attention to the cyberthreats within an increasingly complicated technology environment will leave the industry vulnerable.
Business models are also rapidly changing in the utility sector as they embrace digital transformation, requiring new skills and larger security teams. This is at a time when cybersecurity skills are much sought after: according to (ISC)2 the global IT security skills gap is now more than four million.
As we have seen, the cyberattack landscape is becoming more threatening and diverse. Sponsored state actors, as well as malicious insiders and outsiders, are a threat not only to the industry but also to consumers and the wider economy. Security is an integral part of the service provision of the industry and needs to be regarded as such by all stakeholders, including the board of directors.
Energy and utility companies must foster a culture of security to combat cyberthreats. This culture should encompass all areas of the extended business and the supply chain. Smaller utility providers, who struggle to find the right in-house skill sets to ensure this happens, should explore partnerships with consultants and managed security service companies for assistance.
Challenge 5: Securing the supply chain
Supply chains in our globalized community are complex, and the increasing use of hyper-connected services within the chain is adding to this complexity. Spearphishing is still an area of concern throughout the supply chain as the CrashOverride attack on the Ukraine energy supplier attests.
In a Dragos report, “The North American Electric Cyber Threat Perspective,” the vendor tracked seven groups focusing on electrical facilities in North America. Of the seven, three demonstrated the ability to “infiltrate or disrupt” electrical power networks. The report highlights the use of active supply chain compromises by hacking groups targeting “original equipment manufacturers, third-party vendors, and telecommunications providers.”
Players in the critical infrastructure industry must conduct thorough vendor risk assessment on all supply chain partners, especially those impacting the core business. Methodologies such as appropriate privileged access and robust authentication (including risk-based) should be used wherever possible.
The energy and utility sector is a prime candidate for cyberattacks. It is also going through a period of major business and technological transformation, introducing new security vulnerabilities along the way. This pressure to innovate will likely continue as our cities become smarter, and the pressure on resources and the energy grid increase.
To counterbalance these growing pains, the industry must make cybersecurity a priority and part of the core business strategy. Security weaknesses can have catastrophic impacts on the industry and consumers everywhere. Cybersecurity must be a primary consideration when developing the business model, bringing on new technologies and changing the way the industry operates with external associates. These challenges will determine the near future of the industry and will be crucial in maintaining the integrity and reliability of these vital services.
- Cyber challenges to the energy transition, World Energy Council
- Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?, Ponemon Institute and Siemens
- The State of Industrial Cybersecurity 2018, Kaspersky
- Ragnar Locker’s ransomware attack on Energias de Portugal (EDP), SC Magazine,
- Framework for Critical Infrastructure Security, National Institute of Standards and Technology (NIST)
- IBM-X-Force Threat Intelligence Index 2020, IBM
- (ISC)2 Press Release on Skills Gap, (ISC)2
- The North American Electric Cyber Threat Perspective, Dragos
- Improving SCADA System Security, Infosec
- Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure, FireEye
- About the Rollout, Smart Energy GB
- Energy Strategy and Energy Union, EU Commission
- Stop Smart Meters, Stop Smart Meters
- Efficient prevention technique for false data injection attack in smart grid, IEEE Xplore
- Drago, ICS Media Center
- BlackEnergy APT Attacks in Ukraine, Kaspersky
- Framework for Improving Critical Infrastructure Cybersecurity, NIST
- Mission Support Center Analysis Report, Cyber Threat and Vulnerability Analysis of the U.S. Electric Sector, U.S. Department of Energy
- Attacks Targeting Industrial Control Systems (ICS) Up 110 Percent, IBM
- Rising Attack Vector for Industrial IoT: Smartphone Apps, Bank Info Security
- ICS-CERT Monthly Monitor, ICS-CERT
- AI machine learning service to be launched for energy storage management, Digital Substation
- De-Identification Framework, HITRUST