Author: Fernando Guerrero B., OT Security Expert, Airbus Protect GmbH
Electricity is an essential element of our society, being the primary enabler of most businesses and the foundation of a nation’s progress. All stakeholders along the electricity supply chain are considered part of the Critical Infrastructure of every nation; which means that any negative impact to it can severely hit the national economy and public safety.
With the increasing presence of Smart Grids and IoT devices, risks are no longer solely affecting large organizations responsible for components of the energy value chain, but are now also a problem for consumers. In order to find a consistent way to counter those risks, several cybersecurity standards and technical requirements have been established for critical infrastructure and essential services. Nowadays electricity companies are more aware of the need to understand cyber risks and start taking action to protect their infrastructure and avoid service.
One of the biggest challenges in securing power and energy systems is their vast size and complexity. Electrical power and energy systems (EPES) span across large geographic regions and are comprised of numerous interconnected components, such as generators, transmission lines, substations, and control centers. Each of these components presents a potential vulnerability that can be exploited by cyber attackers.
Moreover, EPES rely heavily on information technology (IT) and operational technology (OT) systems to manage, monitor, and control various processes involved in the generation, transmission, and distribution of electricity. Therefore, any vulnerability in the IT or OT systems can potentially be exploited by cybercriminals to cause significant damage.
One of the most significant cybersecurity risks for electrical power and energy systems is the possibility of an attacker accessing the supervisory control and data acquisition (SCADA) systems. SCADA systems are responsible for controlling the various components of the electrical power and energy systems, and a successful cyber-attack on these systems can result in the disruption of power supply, loss of critical data, financial losses, damage to electrical equipment, and even physical harm to personnel.
Additionally, the increasing use of the internet of things (IoT) devices in the electrical power and energy systems has also resulted in an increased risk of cyber-attacks. These devices are often connected to the internet and are vulnerable to exploitation by cybercriminals, making them a potential entry point for a cyber-attack.
Common threats
There are many threats that pose a risk to EPES. Some of the most prominent, which have been exploited in the past, are:
- Malware and Ransomware Attacks: include all malicious software, such as viruses, worms, and ransomware. These attacks can disrupt critical operations, compromise data integrity, and demand ransoms for the restoration of systems.
- Insider Threats: can arise from employees, contractors, or individuals with authorised access to the system who misuse their privileges, intentionally or unintentionally. This can lead to data manipulation or sabotage.
- Supply Chain Attacks: by compromising a trusted supplier or contractor, attackers can introduce malicious code, implant backdoors, or tamper with components during manufacturing or distribution.
- Phishing and Social Engineering: leverage deceptive tactics, such as fraudulent emails or messages, to trick users into revealing sensitive information or granting unauthorized access. They exploit human trust, manipulating people into divulging confidential data or performing malicious actions.
- Zero-Day Exploits: are vulnerabilities in software or systems that are unknown to the vendor or developers.
- Nation-State Attacks: Power and energy systems are enticing targets for nation-state actors seeking to exert influence or gain a strategic advantage.
- Remote Access Vulnerabilities: The increasing need for remote access to EPES for monitoring, maintenance, and troubleshooting introduces its own set of cybersecurity risks. Unauthorized access, weak authentication mechanisms, insecure remote desktop protocols, and insufficient encryption can all lead to unauthorized entry, manipulation of control systems, or data breaches.
Real-Life Examples
Operation Aurora (2009): Operation Aurora was a series of cyber attacks targeting various industries, including the electric power sector. The attacks involved highly sophisticated and coordinated efforts to infiltrate the systems of several major companies. While specific details regarding the impact on the power sector are not widely disclosed, the incident demonstrated the capabilities of advanced persistent threats and their potential to infiltrate critical infrastructure.
SFG (San Francisco) Substation Attack (2013): In April 2013, unknown individuals launched a physical attack on a substation in San Francisco, causing significant damage. The attackers cut fiber optic cables and used high-powered rifles to disable critical substation equipment. While the motive remains unclear, the incident underscored the physical vulnerabilities of power infrastructure and the potential for targeted attacks to disrupt electricity supply.
Ukraine Power Grid Attacks (2015 and 2016): Ukraine experienced two significant cyber attacks on its power grid. In December 2015 and 2016, hackers successfully compromised multiple power distribution companies, causing widespread power outages. These attacks disrupted critical systems, leaving hundreds of thousands of people without electricity. The incidents highlighted the potential vulnerabilities of power systems and their susceptibility to cyber attacks.
Energetic Bear/Dragonfly Campaigns: The Energetic Bear and Dragonfly campaigns were sophisticated cyber espionage campaigns targeting various sectors, including the energy industry. These campaigns involved infiltrating energy companies’ networks to gather sensitive information and potentially gain control over critical systems. While the specific impact on electric power systems is not fully disclosed, the incidents highlighted the ongoing threats faced by the power sector and the need for robust cybersecurity measures.
Mitigating Cybersecurity Risks
To mitigate cybersecurity risks for electrical power and energy systems, it is crucial to implement robust cybersecurity measures that cover all aspects of the system, from IT to OT systems, and take into account physical security, network security, and information security. These measures can include:
- Applying cybersecurity controls recommended by well-known standards.
- Regular cybersecurity audits and risk assessments to identify vulnerabilities and potential cyber-attacks.
- Ensuring that all IT and OT systems are adequately protected with firewalls, antivirus software, and other security measures. This includes strong access controls to prevent unauthorized access to critical systems and data, surveillance cameras, physical access control systems, data diodes, network segmentation, encryption, and secure coding practices, among others, to prevent unauthorized access and damage to critical infrastructure.
- Regularly checking whether software and hardware systems can be updated and patched, after coordinating with vendors and integrators, to ensure that they are protected against the latest cybersecurity threats.
- Providing regular cybersecurity training to personnel to ensure that they are aware of the potential risks and can take the necessary precautions to mitigate them.
- Implementing a comprehensive incident response plan to ensure that any cyber-attacks can be quickly identified and contained. This plan should outline a clear and structured approach to responding to cybersecurity incidents, including how to identify, contain, and recover from an attack. It should also establish lines of communication with relevant stakeholders, such as government agencies and emergency services, to facilitate a coordinated response.
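As an added illustration of the segmentation and remote-access points in the list above (this is example code written for this page, not code from the original article or from Airbus Protect), the following Python script lints a zone-based firewall policy for the mistakes the article warns about: enterprise IT reaching the control network without passing through a DMZ, control-network hosts with direct internet access, remote-desktop or cleartext protocols allowed into the OT zone, and a policy that lacks a final deny-all rule. The three-tier zone model (CORP, DMZ, OT), the port lists and both sample policies are constructed for the example; a real deployment would load its rules from the firewall's export format instead.

```python
"""Lint a zone-based firewall policy for common OT segmentation mistakes.

Zone model (constructed for this example):
  CORP     - enterprise IT network
  DMZ      - jump hosts, historian replica, patch staging
  OT       - control network (SCADA servers, HMIs, RTUs)
  INTERNET - anything outside the organisation
"""
from dataclasses import dataclass
from typing import List, Optional

# Remote desktop / console protocols that should only reach OT via a DMZ jump host.
REMOTE_ACCESS_PORTS = {23: "telnet", 3389: "rdp", 5900: "vnc"}
# Protocols that carry credentials or sessions in cleartext.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


@dataclass(frozen=True)
class Rule:
    src: str             # source zone, or "any"
    dst: str             # destination zone, or "any"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any destination port
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Finding:
    rule_index: int      # index into the policy; len(policy) for policy-wide findings
    kind: str
    detail: str


def lint_policy(rules: List[Rule]) -> List[Finding]:
    """Return one Finding per segmentation or remote-access weakness found."""
    findings: List[Finding] = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        # 1. Enterprise hosts must never talk to the control network directly.
        if r.src == "CORP" and r.dst == "OT":
            findings.append(Finding(i, "segmentation", "CORP reaches OT without passing through the DMZ"))
        # 2. The control network must have no direct path to the internet.
        if r.src == "OT" and r.dst == "INTERNET":
            findings.append(Finding(i, "egress", "OT has direct internet access"))
        # 3. Remote desktop / console protocols, or any-port rules, into OT.
        if r.dst == "OT" and r.src != "OT":
            if r.port is None:
                findings.append(Finding(i, "remote-access", f"{r.src} -> OT allowed on any port"))
            elif r.port in REMOTE_ACCESS_PORTS:
                findings.append(Finding(i, "remote-access", f"{REMOTE_ACCESS_PORTS[r.port]} from {r.src} into OT"))
        # 4. Cleartext protocols touching the OT zone in either direction.
        if r.port in CLEARTEXT_PORTS and "OT" in (r.src, r.dst):
            findings.append(Finding(i, "cleartext", f"{CLEARTEXT_PORTS[r.port]} carries credentials in the clear"))
    # 5. The policy must end with an explicit deny-all so unlisted traffic is dropped.
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.src == "any" and last.dst == "any"):
        findings.append(Finding(len(rules), "default-deny", "policy does not end with a deny-all rule"))
    return findings


# Constructed example: a policy that grew by convenience rather than design.
WEAK_POLICY = [
    Rule("CORP", "OT", "tcp", 3389, "allow"),      # engineers RDP straight to HMIs
    Rule("CORP", "OT", "tcp", None, "allow"),      # "temporary" any-port rule never removed
    Rule("OT", "INTERNET", "tcp", 443, "allow"),   # IoT sensors phone home directly
    Rule("DMZ", "OT", "tcp", 23, "allow"),         # telnet to a legacy RTU
]

# Constructed example: the same needs served through a DMZ with a default deny.
HARDENED_POLICY = [
    Rule("CORP", "DMZ", "tcp", 443, "allow"),      # MFA-protected remote access gateway
    Rule("DMZ", "OT", "tcp", 22, "allow"),         # jump host to engineering workstation over SSH
    Rule("OT", "DMZ", "tcp", 443, "allow"),        # historian data pushed outbound only
    Rule("any", "any", "any", None, "deny"),       # everything else is dropped
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {len(lint_policy(policy))} finding(s)")
        for f in lint_policy(policy):
            print(f"  rule {f.rule_index}: [{f.kind}] {f.detail}")
```

The checks are deliberately zone-level rather than address-level: most segmentation failures in practice are a single broad rule added under time pressure, and a linter that runs against every policy export (for example as part of a change-control pipeline) catches those before they reach production.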
Cybersecurity Standards applicable to EPES
Several cybersecurity standards and initiatives have been established to address the specific needs of the electricity sector. These standards aim to ensure the resilience, security, and trustworthiness of critical infrastructure across the world. Some of them are:
- EN 50129 and EN 50159: These standards, developed by the European Committee for Electrotechnical Standardization (CENELEC), specifically address the safety and security of railway applications, including power systems for rail transportation. EN 50129 focuses on safety requirements, while EN 50159 covers communication and signaling systems’ security aspects within the railway domain.
- ISO/IEC 27019: provides guidelines for the secure implementation and management of information security in the energy sector, including electricity generation, transmission, and distribution. It aligns with the ISO 27001 framework but provides additional sector-specific controls and best practices to address the unique challenges of the energy industry.
- European Network Codes (ENC): define rules and standards for the operation, management, and development of the European electricity grid. The codes address various aspects of the electricity sector, including cybersecurity requirements. They were developed by the European Network of Transmission System Operators for Electricity (ENTSO-E), aiming to ensure the reliable and secure operation of the European electricity infrastructure.
- EU Directive on Security of Network and Information Systems (NIS Directive): establishes security and reporting requirements for operators of essential services, including those in the electricity sector. It mandates that organizations implement appropriate cybersecurity measures and report significant cybersecurity incidents to the relevant authorities. The directive aims to enhance the overall resilience and security of critical infrastructure across the EU.
- NIST Cybersecurity Framework (CSF): provides a risk-based approach to managing cybersecurity risks. It offers a set of guidelines, best practices, and controls that organizations can customize to their specific needs. The framework consists of five core functions: Identify, Protect, Detect, Respond, and Recover, which help organizations effectively manage cybersecurity risks throughout their operations.
- ISA/IEC 62443: The ISA/IEC 62443 series of standards focuses on the security of industrial automation and control systems. These standards provide guidance for securing the entire lifecycle of ICS, from design and development to deployment and maintenance. They cover topics such as network segmentation, secure remote access, system hardening, and security assessments.
- ISO 27001: ISO 27001 is an international standard that provides a systematic approach to managing information security risks. It offers guidance on risk assessment, asset management, access controls, incident response, and ongoing security monitoring and improvement.
- NERC CIP: The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards are specific to the electricity industry in North America. These standards aim to ensure the reliability and security of the bulk electric system. They address various cybersecurity aspects, including cyber risk management, access controls, incident response, personnel training, and security monitoring.
Conclusion
In conclusion, cybersecurity is a critical aspect of EPES. The increasing reliance on IT and OT systems and the growing threat of cyber-attacks make it essential to implement robust cybersecurity measures to protect these systems. By regularly assessing cybersecurity risks, implementing strong security measures, and providing regular training to personnel, the electrical power and energy systems can ensure that they are adequately protected against potential cyber-attacks.
The examples of cyber attacks on EPES highlight the urgent need for robust cybersecurity measures. The evolving landscape of industrial control systems (ICS) brings forth a range of common threats, such as malware attacks, insider threats, supply chain vulnerabilities, and remote access risks.
To protect EPES, organizations must prioritize cybersecurity and implement comprehensive defense mechanisms. This includes implementing secure remote access protocols, multi-factor authentication, robust access controls, regular patching and updates, employee awareness training, and proactive monitoring.
Public-private partnerships and information sharing within the power sector are crucial for staying ahead of emerging threats. Governments and regulatory bodies should provide guidance, establish standards, and promote cybersecurity frameworks specific to electrical power and energy systems. Enhanced collaboration and information exchange between power companies, security vendors, and intelligence agencies can help identify and mitigate threats effectively.
Adopting cybersecurity standards and initiatives enables electricity sector organizations to align their cybersecurity practices with regional requirements and best practices. It helps enhance the security posture, strengthen resilience against cyber threats, and ensure the uninterrupted delivery of reliable electricity throughout the globe.
Securing the critical infrastructure of power and energy systems is essential for maintaining the reliability, safety, and availability of electricity. It not only safeguards the daily operations of countless businesses and individuals but also ensures the uninterrupted functioning of vital services like hospitals, emergency response systems, and communication networks.
As we move forward into an increasingly interconnected world, the power and energy sectors must remain vigilant, adapting and strengthening their cybersecurity measures to protect against the ever-evolving threat landscape.
By investing in cybersecurity, adopting best practices, and fostering a culture of awareness and resilience, we can safeguard our critical infrastructure and mitigate the potential risks posed by cyber-attacks.