Credit: Thailand Smart Grid
Credit: Thailand Smart Grid

 

The growing risk of cyberattacks on energy sector facilities is a threat that power infrastructure operators cannot ignore. Tildy Bayar speaks with some of them to find out what can be done to protect your facility

 

New risks in the operation of power infrastructure are appearing all the time, including some that wouldn’t have been dreamed of even a decade ago. The latest of these to hit the headlines is the risk of cyberattack, brought to the world’s attention by the recent ‘Energetic Bear’ malware attacks. And this risk is growing: a 2013 survey by computer security firm Kaspersky Lab found that 91 per cent of organizations had experienced cyberattacks in that year.

Cybersecurity experts have noted that the shadowy group behind Energetic Bear, dubbed ‘Dragonfly’, has increased its targeting of energy companies in recent months. Security software maker Symantec identified a shift in the group’s focus from around March of this year, with 50 per cent of its targets in the energy sector and 30 per cent in energy control systems.

In a July report, Symantec outlined Dragonfly’s widespread campaign of cyberattacks on energy firms in the US, Spain, France, Italy, Germany, Turkey and Poland. Among the targets were grid operators, major power generation companies, petroleum pipeline operators and equipment providers. While the hackers used their illicit access for spying, Symantec said, if they had decided to use it for sabotage they could have damaged or disrupted energy supplies in many countries.

So where exactly are the vulnerabilities in power infrastructure, and how can you protect your facility from the risks associated with cyberhacking?

It’s all about the SCADA

In a new kind of hacking exploit, Dragonfly’s attacks compromised the targeted plants’ industrial control systems. In conversations with cybersecurity experts, it quickly emerges that what is vulnerable in a power station is the control system known as SCADA (Supervisory Control and Data Acquisition). Most SCADA systems utilize human-machine interface (HMI) software that allows users to interact with and control machines and devices. If a hacker can gain access to that control software, it’s literally lights out.

SCADA systems underpin virtually all of today’s industry, including the energy sector. And there is a simple reason why they are vulnerable to attack: the SCADA architecture was designed before cybersecurity was an issue.

“Big power plants and big energy producers are under heavy and severe threat because 10, 20, 30 years ago we implemented SCADA systems into our networks,” says Daniel Jammer, founder and CEO of Israeli cybersecurity firm Nation-E. “The SCADA monitoring tool helps to integrate the network seamlessly, and to make it basically as optimized as possible. In the last 15 to 20 years a lot of network infrastructure was implemented to optimize this kind of SCADA. Nobody was thinking energy sources will be attacked, systems will be attacked – it was a totally different world than today.”

Training programmes such as the UK's CybX centre take staff through mock cyberattacks
Training programmes such as the UK’s CybX centre take staff through mock cyberattacks
Credit: Serco

Enter Microsoft

“In the past, ICS [information control systems]was completely isolated from the world,” says Shaker Hashlan, ICS Security Engineer at the Saudi Electric Company’s Najran power plant. “It wasn’t even using TCP/IP technology as networking architecture and didn’t even use Microsoft Windows as its underlying operating system (OS). So there was no issue there – most systems were electrical or nomadic, with no microcontrollers in the middle.

“Then the chasm between the two technologies started to shrink,” he said, as customers requested more user-friendly workstations and HMIs with which to configure their equipment. “So the need was there, and vendors had to go with the need.”

The shift from proprietary systems to the Windows OS was gradual, from around 1995-1999 until 2000-2001 when Windows XP came on the scene. With the early XP machines “there was no need [for security] – Windows Firewall wasn’t even enabled by default,” Hashlan explained. By 2002 the OS “was sophisticated enough to be used in control systems – and then every vendor started using it everywhere.”

In 2010, he continued, the ICS industry “was shaken to the core” by the appearance of the Stuxnet worm – the virus which infected over 50 per cent of Iran’s computers and reportedly brought down one-fifth of the nation’s nuclear installations. “Then everybody saw the potential and the fame of attacking industrial control systems,” Hashlan said, “and how vulnerable they can be to the most basic attacks.”

According to Jammer, “cyberattacks like Energetic Bear are hurting systems because … [the hackers] are in control of power plant infrastructure. They can turn it on, off, do whatever they want. For the first time we’re really in a big problem because there is a third, fourth, fifth party in supercritical infrastructure. Our energy supply is, for the first time, insecure.”

How do the hackers get in?

With the growing complexity of modern energy infrastructure and the increasingly centralized control of ICS systems comes correspondingly increased risk. According to Symantec, many SCADA and ICS systems sit outside traditional security walls and are vulnerable if a hacker knows where to look. And your system is far from difficult to find – in fact, it’s just a click away.

“There is a website called shodanhq.com, which is like Google for vulnerable systems on the internet,” Hashlan says. “You can go there and, say you’re looking for SCADA gateways, it will show you all of the vulnerable ones in the world and give you the username and password. I found a site with an Apache [web] server and figured out that I’m looking at the summary page of a power plant in South Korea. I can tell how many MW output, even see the amount of fuel from the flow meters. Cyberattacks aren’t that hard.”

Also ubiquitous is Metasploit, a tool that can be used “to hack anything from a small webcam to a turbine control system or a tank management system – it can do anything if implemented correctly,” Hashlan says. “An exploit [hack], once developed to a vulnerability, is uploaded to the set repositories, which can be download to Metasploit with a simple command and deployed. Any script-kiddy [novice hacker] can do this.”

With the growing use of smart grid technology, more new energy systems are increasingly connected to the so-called Internet of Things, which opens up new security vulnerabilities due to the sheer number of connected systems and the low or nonexistent security often placed around simple devices. (A 2013 Forbes article about Shodan, titled “The Terrifying Search Engine That Finds Internet-Connected Cameras, Traffic Lights, Medical Devices, Baby Monitors and Power Plants”, detailed how a power station’s internet-connected security, lights, and heating and cooling systems can be vulnerable to attack.)

And there is, as always, the human factor. In addition to writing and deploying malicious software, hackers use more traditional spying methods. “Dragonfly are using something similar to Stuxnet, but how are they launching attacks?”, asks Hashlan. “Their main tool is phishing emails! Put a small type of malware in an email, and an employee’s curiosity will do the rest. He will follow by using a USB stick at some point on his machine, then using it on his HMI or his workstation. Once that happens, the malware will start sending data collected from the system to the [hacker] group, and they can upgrade their attack via their command and control software.”

As a certified ethical or ‘white hat’ hacker, Hashlan says he has to think like a ‘black hat’. “If I were to want to hack a power company,” he says, “I wouldn’t be directly attacking the firewall, especially if I don’t know more details about it – or any other machine on the network, for that matter. A hacker will try to physically compromise the system, find a disguise and walk into the power plant, or try dumpster diving. I’d try ‘social engineering’: talk to someone I know who has the information there. The idea is that it’s not just about cybersecurity; it’s the whole package. And once I have physical access, it’s mine.”

Protecting critical infrastructure

“The moral of any story involving cybersecurity is ‘protection, protection, protection’,” says Hashlan, and cybersecurity firms indeed advocate multiple protective layers around critical systems. For Hashlan, protection should be not only multi-layered but also multivalent, involving security around software systems, physical infrastructure and human awareness.

First, he says, plant managers need to make sure their software is fully up to date with the latest upgrades and patches, which fix known vulnerabilities, and conforms to international standards. (The first such standard, the SDLA certification, was released in July by the US-based ISA Security Compliance Institute. It certifies that a supplier has designed cybersecurity into its products’ development and support lifecycle processes, and follows them consistently. Other standards are in process.)

Will Rockall, a director in KPMG’s security practice, has written that Energetic Bear “brings to light the need for companies to pay attention to cybersecurity across all hardware and software that make up their ICS. This includes making sure they are performing sufficient due diligence on their software suppliers’ security controls.”

Next, says Hashlan, plant managers must thoroughly document any changes made to the plant, creating a change management system to track modifications – a complete history that will enable forensic cybersecurity analysts to find what might have caused a vulnerability and provide a lessons-learned case to be fixed at other facilities.

For protection, he recommends the ‘Demilitarized Zone’ (DMZ) approach, which is modelled on a US military technique and which he compares to an egg. “You have the strong outer shell (the outer permitter), a strong firewall, then you start going into the white part: another firewall, but with less aggressive protection to allow the HMIs to work smoothly without noticeable delay, then another firewall or a router with a simple access control list, then a really nice runny yolk: your embedded systems that are so sensitive that sometimes, just by pinging them, you could shut them down,” he says. “But you need to really harden the shell.”

The DMZ approach to network security
The DMZ approach to network security
Credit: Synergist

The DMZ approach is recommended by standards bodies including the Industrial Automation and Control Systems committee (ISA99) and the International Electrotechnical Commission (IEC) because it “will give the bad guys more work to do to penetrate the system, if they can,” Hashlan says.

And what are the bad guys after? Matt Middleton-Leal, UK and Ireland regional director at software security firm CyberArk, says, “Today, attackers looking to infiltrate any organization’s networks almost always look to take control of the most powerful accounts and access points – privileged user accounts. In the case of critical infrastructure … flaws in [SCADA and ICS] systems, such as unmanaged, poorly secured or shared privileges and other administrative accounts, further compound the security risks.

“With this in mind,” he continues, “energy and utility companies must ensure that they are safeguarding their critical assets and mitigating the risk of attack by taking a layered approach to data security. This means securing traditional IT systems, SCADA, ICS and their process controllers with a centralized system capable of controlling, managing, monitoring and reporting on all remote and privileged account access.”

Last but not least, Hashlan says, plant managers need to institute awareness campaigns among employees in order to avoid human-factor incidents. You need to “treat cybersecurity as an on-the-job health and safety concern,” he says. “You need to educate your employees, tell them about phishing emails or, if an email is from someone you don’t know, don’t open that link. We need to raise awareness, especially at management level because [managers] don’t usually have a good idea about this.”

Nation-E’s Jammer gives the impression that the firm’s approach is designed as much to ensure fast recovery after an attack as to keep attacks from happening. Of course it does include serious protection: it goes beyond software-based defences to building an actual physical protection layer, a backup network which is connected to existing systems but is not integrated into the SCADA system, so does not offer hackers an open protocol. When the software recognizes that a certain line of communication (a TCP/IP line, GSM or satellite communication) is being attacked, it automatically abandons that line while other communication protocols, dormant until this stage, are prioritized and utilized as the main line of communication.

On the recovery side, the firm builds a mirror of the customer’s existing infrastructure, making it possible to define which services will stay online in different emergency scenarios. And due to its bidirectional communication structure, Nation‐E says its solution can prioritize energy assets and optimize energy supply. For example, it can jump-start a storage system until a generator reaches maximum capacity and is ready to take on some of the load.

While the company works with software security firms like Symantec, Jammer does not believe firewalls alone can offer full security. With a backup network, “even if all systems are contaminated, you can still continue business and disaster recovery,” he says.

A power plant SCADA system
A power plant SCADA system
Credit: Automatrix

Look to the supply chain

Companies don’t just need to worry about protection within their own organizations. Richard Ryan, Executive Director in insurance broker Willis’s Financial and Executive Risks practice (FINEX), notes that according to a 2013 survey by insurer Allianz, cyber-risk is a new addition to the top 10 risks on UK company risk registers, coming in at number seven. The number one listed risk is business interruption due to supply chain risk – which, Ryan adds, can include the effects of cyberhacking. He points to the recent attack on US retailer Target, which was hacked through someone in the store’s supply chain – a heating, ventilation and cooling (HVAC) engineer. “It is important that a company’s resilience measures seek to make sure their supply chain is adopting equivalent or better cyber-risk mitigation [than their own],” he says. “As infrastructure companies grow and become more complex, they become a harder target to breach because they become more adept in investing in protection – so a hacker is going to look down the supply chain.”

Make sure you’re covered

According to Jammer, there is no certain way to avoid being hacked, no matter how much you spend on protecting your systems. “If you are a utility working with SCADA,” he says, “every year you’re investing more and more money in order to close the attack loophole. Ten years ago you spent $5 million, nine years ago $15 million, eight years ago $20 million – the price continually goes up. The possibility that one piece of malware will infect our systems is always there.”

So, with all there is at stake, power producers need insurance to cover them if and when something does happen – and the range of available coverage is growing. According to Ryan, “cyber risk products [will cover] things like cyber-extortion, which could be a growing concern for infrastructure companies; business interruption; network degradation or failure; loss of income; loss or damage to digital assets (updating or replacing software); reputational harm – obviously a big one; and data breach. Expenses in the wake of a cyberattack can also be covered, such as forensic engineers (to identify where the hack came from, where there’s been a data breach, and what information they may have got) and lawyers (where there are legal disputes).”

But before applying for insurance, companies need to make sure they have taken the necessary steps to protect themselves – in the same way that your homeowners’ insurance may be invalidated if you go on vacation leaving your windows open and doors unlocked. In order to qualify for cyber-risk insurance, says Ryan, a company must fill out a comprehensive proposal form, then an insurance broker will go to the market and find out which insurers are likely to underwrite that risk. Then, with the broker, the client and the insurance companies engage an independent IT specialist.

“The IT specialist then provides a report to make sure the insurer is satisfied that the company is suitably resilient to cyber-risks,” Ryan explains. “The specialist looks for a number of things: firewalls, antivirus protection, USB port management, email filtering and control, web filtering and control, corporate network border firewalls around SCADA, network access controls, and Windows file and permissions management.”

Lloyd’s of London has said that poor ‘test scores’ from security risk assessors have forced it and other insurers to turn down potential high-value contracts. According to Middleton-Leal, energy companies receive these poor scores because they have not yet “appropriately addressed” the risk of cyberattacks.

Finally, insurance is not defence, Middleton-Leal warns. “While cyber insurance is undoubtedly a good idea given the catastrophic financial implications of an attack, the worry is that it will become another fall-back position, allowing companies to remain dangerously complacent regarding the threat to their business.” And, says Ryan, companies need to be aware that some insurance companies seek to exclude cyberattacks on, for example, property policies. “Companies need to review their risk profile and ask whether it’s covered under their policy,” he warns.

Preparing for a dangerous future

In a mark of growing realization of the changing risk environment, Aegis London active underwriter David Croom-Johnson has called for the formation of a centralized body to oversee cybersecurity for the energy sector. He has suggested that the body could be modelled on the Institute of Nuclear Power Operations, which promotes safety in nuclear power facilities.

“We need a unified industry response to risk management, security, incident response, threat intelligence and loss control,” he says. “Critical infrastructure companies would like unified guidance; no-one wants a repeat of the situation which occurred after US retailer Target was attacked, with regulators and shareholders becoming increasingly aggressive and militant.”

However, Croom-Johnson says, governments must understand that insurance cannot be the total solution to cyber risk. “Governments tend to think there is unlimited capacity within the insurance market,” he said. “This is far from the case. Insurers have only a finite capacity to respond, and indeed some will not wish to respond at all. Governments need to work with us with the objective of increasing cyber risk management and risk modelling capabilities, and of improving security.”

Jammer agrees. “Governments and institutions need to work more together to protect the most vulnerable assets,” he says – and there are encouraging signs that they are beginning to do so. For example, the US government recently released a Cybersecurity Framework for power plants, water treatment companies and other infrastructure firms, and is reportedly considering arranging for cybersecurity insurance for these facilities.

Then there’s the front-line defence approach. Cybx is a new cybersecurity training programme in the UK, set up by the Cabinet Office’s Emergency Planning College. Cybx is a simulator where technical staff are trained in mock cyberattacks — a sort of boot camp for those in the front line of cybersecurity. The programme simulates attacks by the latest malware and attack vectors and offers certification for staff. (Cybx is operated by outsourcing firm Serco, which was hacked in 2012 resulting in the loss of data on employees enrolled in the UK government’s pension plan.)

Nation-E's newly-opened Energy Cyber Security Center in Israel offers staff training in a micrgrid environment
Nation-E’s newly-opened Energy Cyber Security Center in Israel offers staff training in a micrgrid environment
Credit: Nation-E

Serious business

The consequences of cyberattacks can be especially grave for energy companies. “A lot of problems happen when companies update very old SCADA systems,” says Ryan. “During that time it’s all quite unstable. For example, say the network on an oil rig is being updated, and a guy comes on and plugs in a laptop, and malicious software goes in. Some days later, when he’s off the rig, it creates an explosion and a major environmental disaster.” In terms of insurance, he adds, “at the moment this is uninsurable – there isn’t enough insurance capacity in the market to underwrite that risk.”

“I want people to understand how important this is,” says Hashlan. “Last year alone, looking at the actual impact of cyberattacks made on industrial control systems in the world, 5 per cent of the attacks resulted in loss of life.”

While if your computer is hacked in the IT sector “the worst that can happen is you lose your email access,” he adds, “here we’re talking about the lives of those who work to provide energy that we desperately need these days. If a hacker can plant fake historical data and send it to the alarm system, it will affect the way engineers do troubleshooting; they will do something wrong and, in a worst case scenario, cause a horrific incident.”

“We need to wake up to threats beyond sci-fi that are now reality,” says Jammer. “We need to wake everybody up to mitigate this kind of problem. It’s not too late – we’re seeing only the first signals telling us that we need to wake up. The world is changing and we need to change too.”

More Power Engineering International Issue Articles
Power Engineering International Archives
View Power Generation Articles on PennEnergy.com