Countering vulnerability to cyber-penetration is increasingly important as the extent and variety of threats grow. Penny Hitchin explores how adapting to the evolving cyber threat landscape means power businesses must adopt new risk management strategies

Cyber-attack is a modern threat posing a host of new risks to any organization using information technology – which effectively means all business. Power generation, along with other operators of critical national infrastructure, is right in the firing line.

Power generation and grid security can be threatened in an increasing variety of ways. The ongoing convergence of operational technology with information technology means that industrial components can be connected to centralized control centres, enabling remote management, monitoring and control of processes. This offers many advantages but, at the same time, it opens up new vulnerabilities.

The potential for cyber-attack on supervisory control and data acquisition (SCADA) systems has been recognized for years, but the growth of the smart grid and of distributed generation creates many more access points for penetration into grid computer systems. Communication flows will mirror electrical flows, from every generation source to every customer.

These developments open the system to a new range of vulnerabilities quite different from those for large-scale generation in centralized facilities.

Introducing universal smart metering will involve deployment of mass-produced consumer-grade equipment with widely publicized vulnerabilities. The growth in home generation, notably solar photovoltaics (PV), and the onset of smart metering have the potential to attract economic crime as tech-savvy individuals look for ways of manipulating meters. This could involve consuming electricity without paying or, alternatively, over-reporting input to the grid in order to increase revenue.

There can be many causes for cyber incidents. Michael Stubbings, principal consultant at Frazer-Nash Consultancy, points out: “A potential security incident is not necessarily an attack: when you first see something that is an incident it might be somebody making a mistake or taking a short cut.” Surveys show that around a third of apparent attacks are from outside and the rest from inside, and that 80 per cent of cyber incidents are unintentional. However, sophisticated external attacks have the potential to be devastating.

The first major ‘cyber weapon’ identified was Stuxnet, a worm that was brought to public attention in 2010. It was a sophisticated and complex piece of malware that targeted operational processes in the uranium enrichment stage of Iran’s nuclear fuel cycle.

Stuxnet was engineered to spread widely, notably via infected USB media and Windows vulnerabilities, but to act only where it found a predetermined configuration of Siemens programmable logic controllers (PLCs) and the Step 7 software used to program them. That configuration matched the centrifuge cascades at Iran’s Natanz uranium enrichment facility. Once it had infiltrated the PLCs, the malware altered the rotor speed of the centrifuges, driving them outside their designed operating range, while feeding previously recorded normal readings back to the operators’ monitoring system. The operators therefore saw nothing amiss as the centrifuges were damaged.

The discovery of Stuxnet highlighted vulnerabilities in PLCs which had traditionally relied on the proprietary nature of control system protocols and devices to prevent attacks. The malware demonstrated that reliance on “security through obscurity” – a term used to mean hiding the details of a system – can leave control systems open to attack by skilled and motivated attackers.

Another significant cyber-attack on industrial operations came to light in December 2014, when the German Federal Office for Information Security (BSI) reported the cyber infiltration of an unnamed German steel mill. The attackers first compromised the mill’s office network using spear-phishing emails (messages crafted to look as though they come from someone the recipient knows) and social engineering. Because the control systems and the enterprise network were interconnected, they were then able to work their way from the office network into the plant control network. Control components and whole production machines began failing with increasing frequency, to the point where a blast furnace could not be shut down in a controlled manner, causing massive damage to the plant.

In May 2015, industrial control systems expert Joe Weiss said that there had been more than 500 actual control system cyber incidents globally, across multiple industries. The impacts ranged from trivial to significant: environmental releases, serious equipment damage, major cyber-related outages and deaths. Most of the incidents were not malicious, and the vast majority were not identified as cyber incidents.

Managing the risks

Cyber experts advise companies to adopt intelligence-driven risk management strategies. Intelligence means acquiring advance notice of opponents’ capabilities, intentions and likely method of attack. The threat environment is highly dynamic and fast-moving, and defences must match this agility in a cyclical and continuous process.

Cyber specialist Ollie Whitehouse, associate director of global information assurance specialist firm NCC Group, says: “The problem with cyber is that there is not generally a good public data set showing the prevalence of compromise, nor who the attackers are and their motivation.”

He explains: “We do not have a good set of referential data around the threat. Organizations managing risk often have an ‘it won’t happen to us’ attitude. But this is an old-school way of thinking. It could be an employee, it could be an accident, it could be a more sophisticated attack.

“There is a variety of worldwide scenarios which we know of anecdotally and from experience in the industry. These are driving the concept of cyber resilience and the ability to accept that events will happen, and to detect, respond and then remediate.”

The power industry revolves around computer hardware and software and control systems which, Whitehouse says, “are engineered to be safety-critical. But safety-critical systems do not consider malicious attacks. Those control systems are off-the-shelf hardware and CPUs with some custom control software. We have to recognize that cyber risk is present.”

Research on internal threats looks at how systems interact with the people using them

Credit: cybX

Safety and security are complementary disciplines in identifying and managing risk, and they need to be treated together, with an awareness that actions taken to close down one vulnerability may open up another. Building in safety and security starts with the architecture (which includes people and processes) and the design of the system. In the last 10 years, specialized vulnerability assessment and penetration testing services for industrial control systems have come to market; specialist companies carry out these tests in association with the operators.

Stubbings stresses the importance of design. “If there are areas where you need remote access, then design your system such that you separate out the safety-critical elements and make sure you have good monitored security barriers such as firewalls.”
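The kind of boundary Stubbings describes can be checked mechanically against the rule set actually loaded on the firewall. The following Python script is an added example, not code from the article or from Frazer-Nash: it takes a firewall rule set and a zone model (enterprise, DMZ, control, safety) and flags every accept rule that lets traffic into the safety zone, that is too broad to reason about, or that carries a flow the design never authorized. The addressing, the allowed flows and the rules are all constructed for the illustration; an office-to-control rule like R3 below is the sort of interconnection that let the steel mill attackers move from the enterprise network into the plant.

```python
"""Check a firewall rule set against a zone-segmentation policy.

Constructed example: the zones, the allowed flows and the rules are invented
for illustration and are not taken from any real site.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed network zones (constructed addressing).
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz":        ipaddress.ip_network("10.1.0.0/24"),   # historian / jump host
    "control":    ipaddress.ip_network("10.2.0.0/24"),   # PLCs, HMIs, engineering
    "safety":     ipaddress.ip_network("10.3.0.0/24"),   # safety instrumented system
}

# Flows the design document permits: (source zone, destination zone, proto, port).
# Anything not listed is a design violation. The ports are assumptions.
ALLOWED_FLOWS = {
    ("control",    "dmz",     "tcp", 1433),  # historian replication into the DMZ
    ("enterprise", "dmz",     "tcp", 443),   # office users read the DMZ historian
    ("dmz",        "control", "tcp", 5900),  # jump host to engineering workstation
}


@dataclass
class Rule:
    rid: str
    src: str             # CIDR
    dst: str             # CIDR
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port
    action: str          # "accept" or "drop"


def zone_of(cidr: str) -> str:
    """Map a CIDR to the zone that wholly contains it, else 'unknown'."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.version == zone.version and net.subnet_of(zone):
            return name
    return "unknown"


def check_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule id, reason) for every accept rule that breaks the policy."""
    findings = []
    for r in rules:
        if r.action != "accept":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        if s == d and s != "unknown":
            continue  # traffic inside one zone is not the boundary firewall's concern
        if d == "safety":
            # Nothing outside the safety zone may initiate sessions into it.
            findings.append((r.rid, f"traffic into safety zone from {s}"))
        elif "unknown" in (s, d) or r.proto == "any" or r.port is None:
            findings.append((r.rid, "overly broad rule (unknown zone, any protocol or any port)"))
        elif (s, d, r.proto, r.port) not in ALLOWED_FLOWS:
            findings.append((r.rid, f"flow {s}->{d} {r.proto}/{r.port} not in the design"))
    return findings


# Constructed rule set to audit.
SAMPLE_RULES = [
    Rule("R1", "10.2.0.0/24",  "10.1.0.0/24", "tcp", 1433, "accept"),  # permitted
    Rule("R2", "10.0.0.0/16",  "10.1.0.0/24", "tcp", 443,  "accept"),  # permitted
    Rule("R3", "10.0.0.0/16",  "10.2.0.0/24", "tcp", 3389, "accept"),  # office RDP straight into control: bad
    Rule("R4", "10.2.0.15/32", "10.3.0.0/24", "tcp", 502,  "accept"),  # HMI writing into the safety system: bad
    Rule("R5", "0.0.0.0/0",    "10.2.0.0/24", "any", None, "accept"),  # "temporary" vendor access: bad
    Rule("R6", "10.0.0.0/16",  "10.2.0.0/24", "any", None, "drop"),    # default deny, fine
]

if __name__ == "__main__":
    for rid, reason in check_rules(SAMPLE_RULES):
        print(f"{rid}: {reason}")
```

The check is only as good as the zone model and the list of designed flows, which is the point: if a flow cannot be written down with a source zone, a destination zone, a protocol and a port, it is not a design decision but a hole, and the "monitored" part of a monitored barrier means alerting on anything that matches a broad rule rather than a designed one.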

Charlie Hall, senior consultant at Frazer-Nash, explains: “We use safety tools to assess a piece of hardware: the way it is manufactured, who manufactures it and the quality assurance processes that they put in place, and look at the way software is put together to ensure we are happy that it is capable of performing the safety function that we want. That mitigates against unexpected incidences in a safety-critical system. Then we can focus on the action around an external or internal operator.”

A lot of equipment has more functionality than is actually needed for the installation in question. A risk mitigation approach would imply knowing what the equipment is capable of, and ensuring that non-essential functions are inhibited or monitored.

Hall counsels caution in making changes to systems: “Once we have done what can be time-consuming and expensive substantiation, we prefer not to change equipment.

“We don’t want to change firmware versions without understanding the implications. A patch might be important to solve a particular issue, but it might mean revalidating all your safety assessments. We don’t want to start applying updates needlessly when there is no or little security benefit. We need to ensure changes are as safe as they can be to keep risks as low as reasonably practicable.”

The convenience of remote access must be balanced against security risks. Hall points out: “Process control hardware is often supplied with a set of default admin passwords, designed so that service engineers can access the equipment and maintain it. In many areas of industry that is desirable, but in safety-critical areas it is important to prevent unauthorized access.”
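Hall's two points, surplus functionality and default service credentials, can both be audited from configuration backups before anyone touches a live controller. The script below is an added example, not the article's or Frazer-Nash's code: it compares each device's enabled services with the services the design requires, treating anything else as a finding unless it is explicitly monitored, and compares stored password digests with digests of a default-credential list. The inventory, the service baseline and the credential list are constructed placeholders; a real list comes from the vendor documentation for the exact models in use.

```python
"""Audit a device inventory for unnecessary services and unchanged default credentials.

Constructed example: the inventory, the baseline of required services and the
default-credential list are invented for illustration, not taken from any vendor.
"""
import hashlib
from typing import Dict, List, Set


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Credential pairs to test for. Placeholders; a real list is model-specific.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "password")}
DEFAULT_HASHES = {(user, sha256_hex(pw)) for user, pw in DEFAULT_CREDENTIALS}

# Services each device needs to perform its function, from the design (assumed).
REQUIRED_SERVICES: Dict[str, Set[str]] = {
    "plc-01": {"modbus-tcp"},
    "rtu-07": {"dnp3"},
}

# Inventory as a config-backup tool might export it (constructed). Passwords are
# held only as SHA-256 digests, never in clear.
INVENTORY = [
    {
        "name": "plc-01",
        "services": {"modbus-tcp": 502, "http": 80, "ftp": 21, "telnet": 23},
        "monitored": {"http"},  # web UI deliberately left on but watched
        "accounts": [("admin", sha256_hex("admin")),
                     ("engineer", sha256_hex("Sp1ke-Tr@in"))],
    },
    {
        "name": "rtu-07",
        "services": {"dnp3": 20000},
        "monitored": set(),
        "accounts": [("admin", sha256_hex("W1nter-St0rm"))],
    },
]


def audit_device(dev: dict) -> List[str]:
    """Return the findings for one device (empty list means clean)."""
    findings = []
    required = REQUIRED_SERVICES.get(dev["name"], set())
    # Surplus functionality: every service not needed by the design and not monitored.
    for svc, port in sorted(dev["services"].items()):
        if svc not in required and svc not in dev["monitored"]:
            findings.append(f"non-essential service {svc}/{port} enabled and unmonitored")
    # Default credentials: digest of the stored password matches a known default.
    for user, digest in dev["accounts"]:
        if (user, digest) in DEFAULT_HASHES:
            findings.append(f"default credential still in place for account '{user}'")
    return findings


def audit(inventory: List[dict]) -> Dict[str, List[str]]:
    return {dev["name"]: audit_device(dev) for dev in inventory}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Comparing digests only works when the backup stores unsalted hashes. Where a device salts its password store, the equivalent check is an authentication attempt with the default pair, made by the maintainer during an agreed window and logged like any other access; either way the result is a list of exactly which accounts and services need attention before the next outage, rather than a guess.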

New vulnerabilities

One significant area of vulnerability is around industrial control equipment. Stubbings reflects: “In the past, the sort of hardware and software found in process control environments was very particular to that environment – it was not the sort of stuff you find on the shelves of [computer superstore] PC World. That is changing.

“More commercial off-the-shelf hardware and software is being used in industrial control systems, and they have well-publicized vulnerabilities. Partial or component upgrades to industrial control systems may bring in kit with these vulnerabilities. That kit may have greater capabilities than people necessarily want to use, and also greater system complexity, which means greater scope for operational and configuration error.”

Power plants can be threatened in an increasing variety of ways

Credit: Ansaldo Energia

The expanding connectivity of equipment on the power grid is increasing the cybersecurity risk to critical infrastructure. The growth of the smart grid will create many more access points for penetrating grid computer systems, and deploying smart grids at scale creates significant cyber security challenges.

Development of scalable and appropriate smart grid cybersecurity management frameworks is required. Smart grid project delivery requires new skills in IT and data networks from specification through design, build, test, install, commission and go-live. The supply chain must be involved in smart grid cybersecurity, distinguishing which elements can be addressed through equipment and services, and which elements are customers’ responsibility.

In the attacker’s mind

Cyber-attacks can originate from a range of actors including state, quasi-state, state-tolerated and non-state attackers. Motives may be malicious, criminal or intelligence gathering. Cyber criminals are interested in making money through fraud or from the sale of valuable information. Industrial competitors and foreign intelligence services seek to gain an economic advantage for their companies or countries.

Hackers relish the challenge of interfering with computer systems – because they can. Hacktivists want to attack companies for political or ideological motives while employees, or others who have legitimate access, may intrude either by accidental or deliberate misuse.

The world of cyber-penetration is surrounded in secrecy: attackers operate surreptitiously, and organizations which are penetrated are understandably very reluctant to publicize details of how they have been compromised.

In most western countries, governments have become active in promoting the resilience of Critical National Infrastructure (CNI) and national and international initiatives are underway. Increasingly, government agencies, intelligence services and closed sharing groups will pool information in order to improve resilience.

For example, the UK government’s Centre for the Protection of National Infrastructure (CPNI) facilitates ‘information exchanges’ which allow companies to learn from the experiences, mistakes and successes of others without fear of exposing company sensitivities. CPNI’s current information exchanges include Civil Nuclear Sector SCADA Information Exchange and SCADA and Control Systems Information Exchange.

Information exchanges rely on trust, and rules around membership are stringent: identity and employment verification checks are performed on all applicants as well as checks against official records. The groups are free to join, and their membership is determined by the existing members. There are strict handling instructions for recipients of information. Representatives at information exchanges are expected to attend all meetings, and generally only two named members from the same organization are allowed. Substitutes cannot attend.

Countering potential cyber-attacks in such a dynamic and fast-moving threat environment needs flexible, responsive intelligence giving advance notice of opponents’ capabilities, intent and likely attack methods. Such intelligence can come from a variety of external sources and service providers.

One source of insight is the honeypot, a computer system or environment which looks very similar to a specific environment and is designed to attract adversaries so that their methods and tools can be examined by researchers. A ‘honeynet’ is a high-interaction honeypot that provides entire networks of systems for attackers to interact with.

Whitehouse of NCC Group says: “We get some very good intelligence through systems on the internet designed to attract hackers. It enables us to monitor their activities and see what they are after. Responding to our clients’ cyber incidents means we gain valuable intelligence as to how breaches occur and what threat actors do once in.”
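What a honeypot of the kind Whitehouse describes actually captures is easiest to see in code. This Python listener is an added example, not NCC Group's or the article's: it accepts connections on a port, reads the first bytes each visitor sends, and records a JSON line classifying the probe as a Modbus/TCP request (with unit, function code and whether it is a write), an HTTP request line from a web scanner, or something unknown. The listening port, the function-code table and the classification rules are assumptions; port 5020 is used so that the script runs without privileges, whereas a deployment imitating a PLC would listen on 502. The sample probes in the test are constructed.

```python
"""Minimal low-interaction TCP honeypot that records what probes a fake ICS
endpoint and classifies the first bytes sent.

Added example; the port number and the Modbus function-code table are assumptions.
"""
import json
import socketserver
import struct
import time
from typing import Dict

# Subset of Modbus function codes worth naming in a log.
MODBUS_FUNCTIONS = {
    1: "read coils", 2: "read discrete inputs", 3: "read holding registers",
    4: "read input registers", 5: "write single coil", 6: "write single register",
    15: "write multiple coils", 16: "write multiple registers",
}
MODBUS_WRITES = {5, 6, 15, 16}


def classify_probe(data: bytes) -> Dict[str, object]:
    """Describe the first bytes an attacker sent to the listener."""
    # Modbus/TCP: MBAP header = transaction id (2), protocol id (2, always 0),
    # length (2) = number of bytes after the length field, unit id (1), then function code.
    if len(data) >= 8:
        _tid, proto, length, unit, func = struct.unpack(">HHHBB", data[:8])
        if proto == 0 and length == len(data) - 6:
            return {"kind": "modbus", "unit": unit, "function": func,
                    "function_name": MODBUS_FUNCTIONS.get(func, "other"),
                    "write": func in MODBUS_WRITES}
    # Plain-text HTTP request line, typical of web scanners.
    head = data.split(b"\r\n", 1)[0]
    if head.endswith((b" HTTP/1.0", b" HTTP/1.1")) and head.count(b" ") == 2:
        return {"kind": "http", "request_line": head.decode("ascii", "replace")}
    return {"kind": "unknown", "prefix_hex": data[:16].hex()}


class ProbeHandler(socketserver.BaseRequestHandler):
    """Read one message, emit a JSON record, and close without answering."""

    def handle(self):
        self.request.settimeout(5)
        try:
            data = self.request.recv(1024)
        except OSError:
            data = b""
        record = {
            "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "peer": self.client_address[0],
            "port": self.server.server_address[1],
            "bytes": len(data),
            **classify_probe(data),
        }
        print(json.dumps(record))


if __name__ == "__main__":
    # Listening on 502 (needs privileges) makes the host look like a PLC to a scanner;
    # 5020 is used here so the example runs as an ordinary user.
    with socketserver.TCPServer(("0.0.0.0", 5020), ProbeHandler) as srv:
        srv.serve_forever()
```

Telling writes from reads is the useful part. A read of holding registers from an unknown address on an isolated segment is reconnaissance; an unsolicited write-single-register is an attempt to change process state, and the two deserve different responses. Because the listener never replies, there is nothing for an attacker to exploit on it, at the cost of learning less about what they would do next than a high-interaction honeynet would reveal.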

Specialist academic groups such as Security Lancaster at Lancaster University study the architecture of enterprise systems and industrial control systems. Research on insider threats looks at how systems interact with the people using them, and where the vulnerabilities lie when those people click links or accidentally do something that could damage a plant or control system. In the last decade a lot of work has been carried out in SCADA laboratories using infrastructure which replicates real networks but is not live.

Groups of creative and highly skilled ethical hackers can provide valuable insights into the mind of the attacker and their modus operandi. Ethical hackers develop understanding of the type of threat agents and look at the type of threat element they commonly deploy. The threat intelligence approach starts from considering the type of facility to be protected and the motivation of attackers who might go after it.

The expanding connectivity of equipment on the grid is increasing risks

Credit: Bilfinger


The potential for attack on control systems has been recognized for years

Credit: Emerson Process Management

In order to defend, these ‘white hat’ hackers need to think like an attacker, which means getting into the attacker’s mindset on the basis of as much information as possible about the adversary. A security expert says: “It comes down to good intelligence sources and being as creative as the hackers, who are creative, intelligent people operating at the top end of these types of attacks.”

Setting standards

Historically, availability has been the key factor for energy providers. The growth in information technology and the evolution of the grid puts business systems at risk, and confidentiality and integrity have increased in significance in order to secure customers’ personal data and billing information.

Cybersecurity is a relatively new area of expertise and it is evolving very fast. Qualifications, certification and standards are being developed at national and international levels as the management framework for smart grid cybersecurity is addressed. For example, ISO/IEC 27001, the international standard for information security management systems, has been adopted by many organizations worldwide. Increasingly, large organizations will require their supply chain to meet cyber standards.

Professional organizations such as the Institution of Engineering and Technology (IET) play a significant role in raising awareness and understanding of the rapid changes in cybersecurity. Cybersecurity features prominently in the IET’s series of Continuing Professional Development events.

An important skills area for the industry is bridging the gap between electrical engineers and IT/cyber specialists. There is a growing demand for trained dual-skilled control and instrumentation engineers with cyber knowledge.

Stubbings of Frazer-Nash looks forward: “One key challenge is dealing with the speed at which technology refreshes – how we manage that and develop reliable monitoring, management and regulations.

“I would like to see more crossover between the safety and security worlds – people learning to adopt a common vocabulary of risk, a common understanding of risk, moving away from the silo approach. I don’t believe you can separate safety and security.”


Penny Hitchin is a freelance journalist specializing in the energy sector