Energy infrastructure is no longer protected in the way it once was simply because it links more closely to the internet. The power sector must also understand that the only way to protect itself against the very real and very dangerous threat of cyberattacks is by keeping a proactive security posture, writes Paul Darby
Is the global power industry impervious to cyberattack?
Until recently the answer would have been yes, but in recent years this has changed. Back in June, The Guardian reported that the concerns over the threat to power stations and electricity grids were ‘off the scale’, claiming that no other country in the world has an energy industry so worried about cyberthreats.
Admittedly, this was in the wake of the WannaCry ransomware attack, which not only famously knocked out a vast swathe of National Health Service systems in the UK, but also went on to affect thousands of computers across the world, including in Spain at the gas company Gas Natural and at electric organisation Iberdrola.
But while it might seem alarmist to suggest that the UK energy industry is more concerned than anywhere else, the truth is that our entire industrial sector is now more vulnerable to cyberattack than ever before. Large power stations, and indeed all energy infrastructure, are no longer protected in the way they once were simply because they link more closely to the Internet.
The connectivity that facilitates our everyday lives has reached into power plants, utilities companies and engineering firms and with it has brought the risk of predatory malware. The smallest chink in the IP network armour is enough to let in danger, even to the most critical apps. Threats relating to web connected devices, even smart meters linking back to electricity utilities, are well documented. There was even a case recently in which a petrochemical factory suffered a ransomware attack through a classic back-door approach, using an IoT-enabled coffee machine which provided access inadvertently to the internal control room network.
The industrial energy sector is now just as likely to suffer a cyberattack as a bank or commercial operation and the impact has the potential to be huge. Power suppliers are a tempting target for hackers and not always for the obvious financial gains. Increasingly, they are politically motivated or have been state-sponsored to create mass disruption on a national scale.
A case in point is Ukraine. Over the past three years the country has suffered a sustained and highly damaging series of cyberattacks. The most notable took place just before Christmas in 2015, taking down three power control centres in the west of the country and all of the connected sub-stations, leaving over 230,000 residents without heat or lights.
In addition, the hackers also disabled backup power supplies to two of the three distribution centres, leaving operators trying desperately to restore power in the dark. The same type of event occurred a year later; both attacks have been part of a campaign that has seen the hacking of media, finance, transport, military and political targets, eliminating data and destroying computers.
Ukraine’s President has openly accused Russia of deploying cyberattacks, and is an outspoken critic of Russia, claiming publicly in December last year that there had been 6,500 cyberattacks on 36 Ukrainian targets in the previous two months. He said that ‘Ukraine’s investigations point to the “direct or indirect involvement of secret services of Russia, which have unleashed a cyberwar against our country”.’
Only this month, there were reports in the media that hackers, thought to be working for a nation-state, breached a well-known industrial safety system, Triconex, widely used in the energy industry at nuclear facilities and oil and gas plants.
The problem with fighting a cyber war is that, unlike traditional warfare, it’s not always possible to determine who the enemy is. One of the great advantages of cyber criminality is that it is easy to maintain anonymity, and state-sponsored hackers are able to use in-country assets to hide behind and guard their locations. They employ stealth in order to avoid being held accountable, and the massive changes being wrought by the digital revolution are facilitating this dangerous approach.
But the challenge of attributing attacks to individuals, or even to governments, should not distract us from the seriousness of the assaults or the financial and operational damage being caused to power companies, or any other affected organisation. Degrading the trust, institutions and economies that are needed for civilisation to function simply adds fuel to the flames of the cyber war. And as nations attach more systems to the Internet, UK organisations are increasingly exposed to attacks targeting countries like Ukraine.
As nation states become more active in the cyber black market, the lines between ‘hackonomics’ – the buying and selling of hacked or stolen data for profit or political gain – and nation-sponsored cyber wars get fuzzier, in what is already a complex and blurred landscape.
Following the WannaCry ransomware attack, many security and intelligence organisations were asked to confirm where the attack originated from, and this is challenging for them. However, this has not stopped claims appearing that WannaCry was the work of a nation state. Recently, the Minister of State for Security (the Rt Hon Ben Wallace MP) also added weight to this claim by saying that the UK Government believes “quite strongly that the attack came from a foreign state”.
OT vs IT
One of the difficulties for the power engineering sector when considering the threat of cyberattacks is balancing the differing priorities between OT and IT systems. Traditionally, OT has been prioritised because availability comes before anything else. OT systems are designed to run constantly to avoid an interruption that could lead to serious production delays and have damaging financial implications. OT is traditionally open and robust, built for safety because engines, motors and processors present a physical risk to operators. IT, conversely, is less concerned about physical safety but places its priority on a secure network because any breach could eliminate essential data or allow hackers to gain access to sensitive control systems.
The time has come for a balance to be struck, and it is urgent. Ensuring uptime is essential, but unless security measures to combat the risk of a cyberattack are given equal weight, the connections that increasingly bring OT and IT systems together can be breached, with devastating consequences.
There are a variety of worrying incidents which prove the point. In July 2017, The Times ran a story detailing how senior engineers at the Electricity Supply Board, which serves both Northern Ireland and the Republic, were sent emails containing malicious software. The intention was to infiltrate control systems in order to take out part of the electricity grid.
In addition, reports last year highlighted how hackers broke into a water utility company’s control system and altered the levels of chemicals being used to treat tap water. This was enabled by ageing operational control systems and log-in details that were stored on the front-end web server. There is no indication that the attackers understood how the flow control system in the company worked – in fact the skills required to carry out an attack of this kind have decreased rather than increased – but they didn’t let this stop them from modifying application settings.
Perhaps even more alarmingly, so many of these incidents take place where traditional IT endpoint and network perimeter security measures are in place; yet one phishing email need only be clicked, one vulnerable application left unpatched or one set of log-in details left out-of-date, and the entire network is wide open for cyber criminals to exploit. And with nation states actively sponsoring the development of advanced tools and techniques, traditional security infrastructures can be easily breached.
Keeping the lights on
Power engineering companies around the world are now addressing these issues and taking a proactive approach to protect their critical infrastructure against the rising threat of advanced cyberattack.
What many are recognising is that as their OT and IT systems converge, they need to close those chinks in the armour, ensuring that access to the IT networks, whether internally, or remotely, is totally secure and strictly controlled.
Vidder works with organisations to provide systems that deliver granular access controls to assets based on trust. That trust should be measured across all devices, software, users and systems at all times, because, as we saw from the WannaCry and subsequent attacks, a breach can happen at any time using the smallest system vulnerability. Connections should be permitted only on the basis of having a deep knowledge of where a connection initiates from and where it is going to, validation of relevant credentials and continuous monitoring to ensure access is restricted only to approved assets.
While power engineering companies take advantage of the benefits of connectivity, by necessity a larger number of devices will want to access complex, shared infrastructures. It is a feature of the digital age and supports the way that industry now works and operates. But this interconnectivity and the sharing of data means that the only way to protect those systems is by taking a zero-trust approach.
One example of this is a large UK-based gas distribution company that we are working with. They moved their infrastructure to the cloud, which meant that although their physical network became less important, they had to focus on identifying any user or asset looking to access their network data, regardless of where they were located.
They are using our PrecisionAccess solution, which delivers sophisticated security, granular control and segmentation across premises and into their new cloud infrastructure. They have established a zero-trust model which first identifies the user and their device and then ascertains their access level. This is important because it is all too easy for this or any other company’s field engineers to connect into the network without first updating their security checks. The Vidder system allows for this, carrying out a trust assessment every time access is requested.
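To make the per-request trust assessment concrete, here is an added Python illustration of a deny-by-default decision for a single connection request; it is not Vidder’s PrecisionAccess code and not part of the original article, and the roles, zones, asset names and the 24-hour freshness limit for device checks are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Tuple

# Constructed policy data (assumption): which roles may reach which assets,
# where a connection may legitimately originate, and how fresh a device's
# security checks must be for the device to be trusted.
ALLOWED_ASSETS = {
    "field_engineer": {"scada-hmi", "historian"},
    "it_admin": {"historian", "ad-controller"},
}
APPROVED_SOURCES = {"plant-lan", "corp-vpn"}
MAX_POSTURE_AGE = timedelta(hours=24)

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device_enrolled: bool         # device is known to the organisation
    device_patched: bool          # endpoint agent reports required patches present
    last_posture_check: datetime  # when the device's security checks last ran
    source_zone: str              # where the connection initiates from
    target_asset: str             # where it is going to
    credential_valid: bool        # result of credential validation

def assess(req: AccessRequest, now: datetime) -> Tuple[bool, str]:
    """Trust assessment for one connection request, run on every request.
    Deny by default: identify the user and device first, then check the
    access level. A previously admitted user is re-checked each time."""
    if not req.credential_valid:
        return False, "credential validation failed"
    if not req.device_enrolled:
        return False, "unknown device"
    if now - req.last_posture_check > MAX_POSTURE_AGE:
        return False, "device security checks out of date"
    if not req.device_patched:
        return False, "device missing required patches"
    if req.source_zone not in APPROVED_SOURCES:
        return False, "connection from unapproved origin"
    if req.target_asset not in ALLOWED_ASSETS.get(req.role, set()):
        return False, "role not permitted to reach asset"
    return True, "granted"

# Constructed sample: a field engineer's laptop connecting over the VPN.
NOW = datetime(2017, 12, 1, 9, 0)

def sample_request(hours_since_check: int, target: str = "scada-hmi") -> AccessRequest:
    return AccessRequest("alice", "field_engineer", True, True,
                         NOW - timedelta(hours=hours_since_check), "corp-vpn", target, True)
```

A field engineer whose device checks last ran 30 hours ago is refused until the checks are refreshed, even though the same credentials were accepted the day before.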
The power engineering sector has multiple priorities from guaranteeing uptime to maintaining share prices to facilitating productivity in the workforce. It also wants to maximise the opportunities that OT and IT convergence brings.
But the sector must also understand that the only way to protect itself against the very real and very dangerous threat of cyberattacks is by keeping a proactive security posture. Adopting a zero-trust approach will make it more difficult not just for predatory malware to infiltrate, but also for credential theft and man-in-the-middle attacks to succeed. Now is the time to take action.
Paul Darby is Regional Manager EMEA at Vidder. www.vidder.com