by Anastasios Arampatzis
Security of electric grid is a national security issue
The electric grid delivers the electricity that is essential for modern life. The reliability of the grid and its ability to meet consumers’ demands at all times is of national interest. The grid’s reliability can be impaired by cyberattacks on the IT and OT systems that support its operations. Cyber-attacks could result in widespread loss of electrical services including long-duration, large-scale blackouts.
High-profile attacks prove not only the severe impact of cyber-attacks against the electric grid, but also that the grid is a lucrative target for adversaries.
-A group of hackers allegedly linked to Russia got into the system of a western Ukrainian power company in 2015, cutting power to 225,000 households. A US report into the blackout concluded that a virus was delivered via email through spear-phishing.
-The 2016 cyberattack on Ukraine was the second in less than a year. Hackers left customers in parts of Kyiv without electricity for an hour, after disabling an electricity substation. The attack was attributed to Russian hackers, with some experts suggesting that the attack aimed to physically damage the power grid.
-Saudi Aramco became the target of cyber-attacks in 2017 when hackers targeted the safety system in one of the company’s petrochemical plants. Experts believe that the attack aimed to not only to shut down the plant but to wipe out data and halt operations.
-In March 2019, the US grid regulator NERC reportedly warned that a hacking group with suspected Russian ties was conducting reconnaissance into the networks of American electrical utilities.
-The European Network of Transmission System Operators for Electricity (ENTSO-E) – which represents 42 European transmission system operators in 35 countries – said on 9 March 2020 it had recently “found evidence of a successful cyber intrusion into its office network”, and was introducing contingency plans to avoid further attacks.
Power and energy are the core of almost everything we do. Nothing in our modern society can function without access to power, and it’s the utility industry that provides that to everybody, which is why this is an urgent matter of national concern,
says former U.S. Homeland Security Secretary Michael Chertoff. The vulnerabilities of the energy sector are of particular concern to national security due to its enabling function across all critical infrastructure systems. According to Chertoff and many cybersecurity professionals, the security of the national electric grid is a “real national security issue.”
In the European Union, the electric grid entities have been identified as operators of essential services under the Network and Information Systems Directive (NIS Directive). According to the requirements of the NIS Directive, electric gird companies are to have in place measures to prevent risks, ensure security of their network and handle and report incidents. In addition, the Electricity Risk Preparedness Regulation envisages the development of common methods to assess risks to the security of electricity supply, including risks of cyber-attacks; common rules for managing crisis situations and a common framework for better evaluation and monitoring of electricity supply security.
Electric grid modernization efforts have increasingly bridged the gap between the physical, operational technology and information technology systems used to operate the grid. Previously, operational technology was largely isolated from information technology. But this separation has narrowed as grid operators incorporate new grid management systems and utilities install millions of smart meters and other internet-enabled devices on the grid. While these advanced technologies offer significant improvements in grid operations and real-time system awareness, they also increase the number of points on the grid that malicious actors can target to gain access and compromise larger systems.
A recent report by the U.S. Government Accountability Office (GAO) notes that the electric grid faces “significant cybersecurity risks” because “threat actors are becoming increasingly capable of carrying out attacks on the grid.” At the same time, “the grid is becoming more vulnerable to cyberattacks” via:
- Industrial Control Systems. The integration of cheaper and more widely available devices that use traditional networking protocols into industrial control systems has led to a larger cyberattack surface for the grid’s systems.
- Consumer Internet of Things (IoT) devices connected to the grid’s distribution network. Malicious threat actors could compromise many high-wattage IoT devices (such as air conditioners and heaters) and turn them into a botnet. The malicious actors could then use the botnet to launch a coordinated attack aimed at manipulating the demand across distribution grids.
- The Global Positioning System (GPS) The grid is dependent on GPS timing to monitor and control generation, transmission, and distribution functions.
Although there is a comprehensive overall legal framework for cybersecurity, the energy sector presents certain particularities that require particular attention:
- Real-time requirements Some systems need to react so fast that standard security measures such as authentication of a command or verification of a digital signature can simply not be introduced due to the delay these measures impose.
- Cascading effects Electricity grids are strongly interconnected across many countries. An outage in one country might trigger blackouts or shortages of supply in other areas and countries.
- Combined legacy systems with new technologies Many elements of the energy system were designed and built well before cybersecurity considerations came into play. This legacy now needs to interact with the most recent state-of-the-art equipment for automation and control, such as smart meters or connected appliances, and IoT devices without being exposed to cyber-threats.
In addition to the above considerations, the European Parliament has identified trends that highlight the importance for strong cyber-physical security measures and policies in the electricity sector, including:
- Digitalization and automation The move towards a smart grid with more and more networked grid components, from electricity generators to transmission and distribution networks to smart meters in the home affects the security of the gird. All these devices present potential opportunities for attacks or inadvertent disruption.
- Sustainable energy With the objective of achieving a climate-neutral energy system, the electricity system will be increasingly decentralized (distributed wind, solar and hydropower installations) and interconnected. In addition, electric vehicles, smart appliances, and flexible industrial demand lead to a dramatic increase of potentially vulnerable networked devices on the electricity grid.
- Market reform Reforms of the electricity market allow new actors to participate. This includes energy companies, aggregators, and individual citizens. Many of these do not have adequate cybersecurity skills and need to rely on certified equipment, software and service providers.
- Capabilities of adversaries Cyber criminals’ skills are constantly evolving and becoming more sophisticated. Automated attack tools have the potential to spread in the network and cause damage beyond the intended target. Artificial intelligence has the potential to boost the capabilities of attackers, as well as the defenders, and can prove to be a critical advantage.
- Skills gap With the increasing need for cybersecurity skills, the current shortage of skilled personnel is likely to persist. Information and knowledge sharing will be vital in making the best use of the available skills base.
How to address the cybersecurity risks
The diverse nature of electric grid entities, the impact of potential cyber-attacks against the grid and the many challenges dictate the need for a holistic, smart approach to measures to prevent and protect from adversaries.
In the European Union, the Smart Grids Task Force has released in June 2019 their final report for the “Implementation of Sector-Specific Rules for Cybersecurity.” The report recommends the compliance of responsible entities with two international standards:
- ISO/IEC 27001:2013
- ISA/IEC 62433 series
Electric grid responsible entities in Europe should also have a look at the NERC CIP standards. The North American Electric Reliability Consortium (NERC) Critical Infrastructure Protection (CIP) framework has been recognized by the European Parliament as “the most detailed and comprehensive cybersecurity standards in the world” which is flexible enough to evolve when necessary, adjusting effectively to the fluctuating cybersecurity environment. A 2018 report from the EU Center of Energy states that: “The United States has favored a strategy of ‘security in depth’ with strict and detailed regulations in specific sectors, which are implemented by institutions possessing coercive powers. The American system can serve as a model to improve certain weaknesses in the European approach.”
Both frameworks have the same overarching principles: a risk-based approach, having deep understanding of the threat environment and the assets to be protected. Having visibility into your business environment is the foundation on which all cybersecurity measures can be built. Based on the classification of risks and assets, electric grid entities can then select the appropriate controls – network segmentation, access controls, physical security – to mitigate the imminent threats and minimize the impact of potential adversarial actions.
How ADACOM can help
The electricity sector has a specific threat profile, that is a mix of threats and risks related to the business needs of the sector, as well as the relation to safety issues, and the entanglement of ICT & Operational Technology.
Electric grid entities, no matter their size, should follow a holistic approach towards the protection of their assets and critical infrastructure. To do so, ADACOM propose the adoption of the following:
- Holistic approach to Security Risk Management (addressing all applicable digital, physical, hybrid risks)
- Risk mitigation based of processes and technology tailored to the Oil and Gas sector
- Adoption of a continuous risk and effective assessment process
- Usage of cryptographic keys on smart grids for authentication and encryption
- Development and enforcement of an Information Security Management Systems, based on the concepts of information resilience & SA/IEC 62433 series
- Awareness tailored to the needs of the sector
ADACOM can help electricity and energy organizations to safeguard their grid and all of their critical assets and be resilient against cyber incidents, through a comprehensive risk management program, in order to effectively adopt cyber security technology (inclunding IOT Certificates) and processes .
You may learn more by contacting our experts.