Legacy smart electrical power grids are a prime target for cyber attack and security needs to be built into these critical systems, a study has found.
The most prevalent cyber threat reported by the global energy sector is extortion, according to a report detailing the views of industry leaders on energy security compiled by security firm McAfee.
Typically, criminals gain access to a utility’s computer systems, demonstrate they are capable of doing damage and demand a ransom.
Additional threats include espionage and sabotage with the goal of financial gain, data theft and shutting down facilities, the report said.
The concern is that a cyber criminal could debilitate a major city by a single targeted attack on the energy grid and compromise anything from the lights and appliances in homes, to heart monitors in hospitals, to air defence systems.
The McAfee report blames the vulnerability on "well-intentioned efforts" to modernise energy distribution and make it safer, cleaner, more efficient, less costly, and open to more alternative forms of production.
This has resulted in high levels of automation and a proliferation of increasingly interconnected software and devices directing the flow of energy.
Automating systems in an electronic internet-connected environment gave energy grid operators real-time info and allowed administrators to telecommute and field workers to re-programme systems from remote locations, but it also opened all their systems to the outside world.
The trend of building systems using off-the-shelf software rather than proprietary code is making them increasingly generic and consequently more vulnerable, the report said, making them prime targets for attackers seeking to gain control of, or disrupt the delivery of energy.
Another common problem in the energy sector is outdated systems. According to the report, an estimated 70% of the existing energy grid is more than 30 years old, but in the effort to update it and integrate it with more modern installations, aging systems have been connected to the internet without the benefit of encryption.
Security has largely been an afterthought, said the report.
“Security needs to be built into grid components at the planning and design phase,” said Tom Moore, vice-president of Embedded Security at McAfee.
“Because the grid relies heavily on embedded systems it makes them ripe targets for intruders. Thus it is imperative to integrate security solutions natively in these devices," he said.
Moore said McAfee is working with partners in industry and government to make progress on the technical front to mitigate the threats to critical systems.