There is no doubt that cyber-attacks on energy companies and infrastructure have increased in scope and severity over the past decade. Ben Hargreaves provides an overview of this important subject area and looks at what can be done to keep energy networks secure.
The deployment of Stuxnet is just one example of a cyber-attack. A malicious computer worm allegedly developed by the US and Israel, Stuxnet caused substantial damage to Iran's nuclear programme in 2010, leading to the decommissioning of up to 1,000 centrifuges, around a fifth of the centrifuges at Iran's Natanz nuclear plant.
Stuxnet hasn't been the only major cyber-attack to hit organisations in the Middle East. In 2012, natural gas and petroleum company Saudi Aramco was struck by the Shamoon computer virus, which compromised thousands of computers at the firm. The virus wiped out spreadsheets, emails and files on corporate PCs, replacing them with the image of a burning US flag. RasGas, a liquefied natural gas producer in Qatar, was also attacked by Shamoon that summer.
The energy sector in Europe has also been targeted. In December 2015, what is thought to be the first successful disruption to electricity supply due to a cyber-attack took place in Ukraine, where hackers were able to compromise information systems at three energy distribution companies, temporarily disrupting energy supplies to consumers.
A year-and-a-half later, the power of hackers to disrupt public sector systems was demonstrated in May 2017 by the WannaCry cyber-attack, which cost the NHS £92 million. Ransomware that targeted computers running Microsoft Windows by encrypting data and demanding payments in the Bitcoin currency, WannaCry crippled computers in hospitals and GP surgeries across Britain. The vulnerability of western organisations to ransomware attacks was further illustrated by the subsequent Petya attack, which afflicted a number of large companies in various sectors of the economy in Europe and the US, including WPP, legal company DLA Piper and shipping firm Maersk in June 2017.
The vulnerability of networks
In this context, Britain's energy sector remains a target for hackers, whether they are state-sponsored or operating as part of organised criminal groups. "Heightened geopolitical tensions have resulted in more countries looking to demonstrate their offensive cyber capabilities," explains Ollie Whitehouse, global chief technical officer at cyber security and risk mitigation expert NCC Group. "The UK's energy infrastructure is a prime target for these groups because of its ubiquity in every area of our lives." Disrupting these systems is "a way of exerting power far beyond any military capability," he adds.
India Redrup, policy executive, generation, at trade body Energy UK, confirms that a major cyber-attack against critical national infrastructure in Britain is a "top-tier threat to national security". She adds: "Suffering the most severe form of cyber-attack leading to sustained loss of essential services, severe economic or social consequences, or a loss of life, is considered a matter of 'when', not 'if'."
Are DNOs and DSOs at risk? The reality is that any system relying on software technology to help distribute energy is a potential target. Redrup explains that the move by hackers in recent years to expand their focus beyond traditional IT networks to encompass operational technology targets such as machines, systems and networks directly used to generate and disseminate power means that all energy infrastructure is potentially vulnerable. "Operational technology cyber-attacks go beyond stealing data to potentially shutting down power grids and causing significant harm," she adds.
Whitehouse believes that energy networks may be vulnerable because of the age of some of their technologies. "They [rely] on a number of ageing technologies with relatively low levels of cyber resilience," he says. These include supervisory control and data acquisition (SCADA) systems and industrial distributed control systems. Whitehouse adds: "These systems are exposed to significantly more vulnerabilities than others due to their extended lifespans, lack of relative maturity, low levels of security engineering and critical remote code execution issues."
As one example, Stuxnet was able to wreak havoc by targeting Iranian SCADA systems and programmable logic controllers to disrupt Iran's nuclear programme. The UK National Cyber Security Centre (NCSC), the part of GCHQ set up to help protect critical services from cyber-attacks and manage major incidents, provides another. The NCSC says that since 2011 a cyber-espionage group has allegedly been targeting industrial control system software at energy companies. In its latest campaign, the group, which has a history of targeting companies through their supply chains, successfully 'trojanised' legitimate industrial control system (ICS) software, the NCSC says. To do so, the group compromised the websites of ICS software suppliers and replaced legitimate files in their repositories with their own malware-infected versions. "Subsequently, when the ICS software was downloaded from the suppliers' websites it would install malware alongside legitimate ICS software," the NCSC explains. "The malware included additional remote access functionalities that could be used to take control of the systems on which it was installed."
The organisation adds that "compromised software is very difficult to detect if it has been altered at the source, since there is no reason for the target company to suspect it was not legitimate. This places great reliance on the supplier, as it's not feasible to inspect every piece of hardware or software in the depth required to discover this type of attack."
As a matter of priority, SCADA and other industrial control systems at power and gas networks should be assessed to determine how secure they are, says Whitehouse. "A general reluctance to actively assess the security of these systems also means that the full extent of exposure for organisations using them is often not properly understood at a senior management level," he cautions.
It's not just a matter of safeguarding current operational technologies, the experts say. As the smart grid develops in scope and sophistication, so does the potential level of vulnerability caused by so many devices being connected to the Internet. "An increasingly digital and connected world creates both greater opportunity as well as heightened cyber exposure for critical infrastructure," Redrup says.
The smart grid of the future will require greater levels of protection as it becomes increasingly connected. That will entail a more rigorous approach to cyber security when implementing future technologies. "Smart grids should mandate a far greater degree of rigour and transparency around cyber security from their designers, suppliers, implementers and operators than they do today," says Whitehouse.
"We need to ensure that security is considered from the outside, is continually evolving and that updates are rolled out in the operational technology world similarly to how they are used in the IT world," he concludes.
Utility Week's Cyber Security & Resilience Conference is taking place at 99 City Road Conference Centre, London on Tuesday 12 March.
Staying secure: measures to protect power and gas networks from cyber-attacks
1. Keep abreast of the threat. The UK National Cyber Security Centre's (NCSC) quarterly critical national infrastructure threat bulletin is an extremely valuable resource for companies in the energy sector, especially when combined with information from existing sector-wide channels such as the Energy Emergencies Executive Cyber Security Group, the Energy Systems Information Exchange, and Energy UK's own Cyber Security Working Group.
2. Embrace the NIS Directive and ISO 27001 accreditation. The EU security of Networks and Information Systems directive (NIS Directive) became law in the UK in May 2018. It requires operators of essential services such as power and gas to undertake "appropriate and proportionate security measures to manage risks to their network and information systems" and notify serious incidents to the relevant national authority. The participation of industry is crucial in the implementation of the directive, says the UK NCSC. ISO 27001, meanwhile, is a specification for an information security management system (ISMS). The ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
3. Ensure staff are alert to phishing, the practice of sending emails purporting to be from reputable companies to get individuals to reveal information. Phishing scams are the most common type of cyber-attack, Energy UK says. "Phishing and spear-phishing emails remain the most common [cyber] attack vectors. Many members had a number of surges last year where significant numbers of staff received similarly structured emails. In each case, any common URLs were blocked, as were any common source email addresses."
4. Quickly fix known vulnerabilities, usually via patching, and improve network security. Failure to fix vulnerabilities is likely to result in increased risk of compromise of systems and information, the NCSC says. The connections from companies' networks to the Internet and other partner networks also expose systems and technologies to attack. An organisation's networks can span many sites, mobile or remote working, and cloud services, which makes it difficult to define a fixed network boundary. Think about where data is stored and processed, and where an attacker would have the opportunity to interfere with it, the NCSC says.
5. Manage user privileges. If users are provided with unnecessary system privileges or data access rights, then the impact of misuse or compromise of that user's account will be more severe than it need be, the NCSC says.
6. Educate users. All the users at an infrastructure company have a critical role to play in keeping the organisation secure. Systematic delivery of awareness programmes and training can increase security expertise as well as helping to establish a security-conscious culture, the NCSC points out.