Cyber threats to Europe’s grid: Utilities rethink strategy
The separation of operational and information technology at utilities across Europe is opening doors for cyber criminals
On 26 August this year, Montenegro’s state infrastructure was hit by an “unprecedented” cyber attack, and national government officials expressed alarm.
“Certain services were switched off temporarily for security reasons, but the security of accounts belonging to citizens and companies and their data have not been jeopardised,” public administration minister Maras Dukaj announced on Twitter.
This is only the most recent of a series of large-scale assaults on European grids, systems, subsystems, equipment, software and services. In an article for a leading electricity industry magazine, Bernard Montel, Europe, Middle East and Africa (EMEA) security strategist and technical director at Tenable Corp, outlined the growing threat of cyber attacks on utilities by both state actors and criminals.
Montel expressed particular alarm because the amount of digitisation currently under way throughout the industry “brings together previously separate systems and allows attackers to exploit weak points in one before moving across to another”. Tenable counts many EU-based utilities among its key clients.
Hackers constantly seek out ways to use any vulnerabilities in a system to their maximum advantage. This is as much a problem for consumers as it is for commercial enterprises. Concerns about weak control systems are now adding to the stresses created by hacker attacks on systems, such as physical destruction, electronic jamming or creating a denial of service.
Existing supervisory control and data acquisition (Scada) hardware is primitive. PlugInAmerica.org director Ron Freund said: “It doesn’t handle the simple faults gracefully, and is not reliable, much less scalable. But it also is not yet on the internet, so is inaccessible, for the most part. In fact, it’s scary how primitive some of these systems still are.”
For the past several years, hackers have been aiming their attacks at vulnerabilities in electrical systems. In the case of charging stations, some of these soft spots are located inside the station itself, others are located inside the equipment that controls connections between the grid and the station, and others still are inside assets that sit on the grid side of the system, and these are mostly owned by utilities.
To understand the threat, consider the variety of attacks that have targeted European-based wind power companies Deutsche Windtechnik, Enercon and Nordex. In three separate incidents, the hackers’ focus was different – malicious actors stopped the flow of electricity; identity theft was perpetrated; and payments for electricity were stolen.
In most cases, such attacks can result in service disruptions affecting customers, and loss of revenue for electricity providers and/or asset owners.
In response to the evolving threats to critical infrastructure, the European Union (EU) has called for the utility sector to bolster its cyber security hygiene and posture. The European Commission is backing up this call to action with €100m of funding, which utilities can use to support and improve their cyber security hygiene and strengthen their defences. The funds can also be used to help utility companies recover from cyber attacks and build resilience into their core systems.
It might be useful to compare this approach to what the US is doing. The federal government there is providing $335m for utilities to support, develop and implement cyber security plans, train personnel and buy equipment. This investment is intended to help modernise the nation’s critical infrastructure while protecting it from cyber threats, helping to reduce the likelihood of disruptions to essential services.
Carey Smith, president and CEO of Parsons Corporation, a technology-focused defence, intelligence, security and infrastructure engineering firm, said: “Utilities are taking steps to harden their systems against cyber threats by investing in security measures and in operations. These changes come as utilities face an evolving threat in the landscape.
“In recent years, there have been several high-profile cyber attacks against critical infrastructure, each reminding us that utilities must prepare to defend themselves against sophisticated and well-resourced threats. This is a vital investment in security and will help protect critical infrastructure from the ever-increasing threat from nation states, terrorists and criminal actors.”
Utilities rely on operational technology (OT) to administer their facilities and systems, provide services to customers, collect billing information from meters, control demand response devices, and coordinate their operations with other utilities. The companies that generate, transmit or deliver electricity are in a rapidly changing environment. They face ever-increasing demands on a grid that transmits rising quantities of power from intermittent sources – solar, wind and other renewable resources.
Utilities are trying to optimise their operations and get more performance out of existing equipment to deal with the demands of renewable resources.
Smith added: “Utilities are starting to rethink their approach to cyber security. Traditionally, they have focused on protecting their OT from external threats. However, as the grid becomes more complex and interconnected, utilities recognise the need to take a more holistic approach to cyber security.”
All this additional optimisation, performance improvement and coordination requires utilities to do a much better job at monitoring and controlling ever-increasing numbers of connected devices across their growing OT systems.
As part of this, they must modernise and upgrade their OT networks, which includes integrating OT with information technology (IT) networks to create a more unified and efficient operation. However, while converging a utility’s IT and OT networks under a single operational umbrella brings efficiencies, rising security threats and evolving security and privacy requirements come into play.
As such, a growing network of experts say it is critical for utilities to consider security at every stage of an OT or IT network integration project – from design and implementation to ongoing management and monitoring.
Parsons Corporation’s critical infrastructure cyber team applies a converged approach to the security and resilience of OT and IT technology networks. Its approach includes these key elements:
- Establish a clear security strategy and governance framework up front: Define roles and responsibilities for security across the organisation and be sure to consider security in all decision-making steps related to the OT and IT network integration project.
- Conduct a comprehensive risk assessment: Identify and assess risks associated with integrating the OT and IT networks and develop mitigation plans accordingly.
- Design security into the new architecture: Build security into the system design from the start, rather than trying to bolt it on later.
- Implement strong authentication and authorisation mechanisms: Ensure that only authorised users have access to specific parts of the system and that all user activities are logged and monitored properly.
- Adopt a defence-in-depth approach: Implement multiple layers of security controls to protect against various threats.
- Incorporate security testing and validation: Test the system’s security regularly to ensure it is functioning properly and that all vulnerabilities are addressed.
- Provide and require cyber security training and awareness for personnel: Personnel who question odd or unusual items are the first line of cyber defence.
- Adopt controls for, and protection of, the supply chain: It is a good idea to vet suppliers’ personnel (including subcontractors) and any computers or other devices used or bought through the suppliers.
- Build a redundant and resilient converged OT and IT system: To ensure high availability, it is important to build OT systems to a fault tolerance standard.