The energy sector is at the centre of an arms race. Largely hidden from public view, and sometimes under-regarded by those with the most to lose, a great deal hinges on the race’s outcome.
On one side are energy companies large and small, including utilities, grid operators and oil & gas producers. They are joined by firms like Dragos, McAfee, Eset and Darktrace – cybersecurity specialists defending against a persistent enemy.
On the opposing side are a hidden set of adversaries. Some are civilian hackers or organised criminals, motivated by profit. Others are state actors or terrorists. The threat posed by the latter is less frequently felt, but potentially far more severe.
This arms race takes place in a context that is constantly evolving. The weapons cyber adversaries can bring to bear against the energy sector are becoming more sophisticated, and more targeted towards critical energy infrastructure. The Stuxnet virus, uncovered in Iranian nuclear facilities in 2010, was the first of a new breed of malware developed with an understanding of the vulnerabilities of Industrial Control Systems (ICSs).
These malware, including CrashOverride, Havex and BlackEnergy, pose a much more direct threat to energy security than attacks aimed at a company’s IT systems. Where a criminal attack might consist of ransomware designed to restrict access to valuable data, ICS-tailored malware are intended specifically for use on physical targets like substations, petrochemical facilities or power plants.
They are much more likely to cause widescale disruption or damage, such as blackouts, pipeline failures, explosions, or worse. They are also much more likely to be tools of a foreign state than a civilian actor.
Want more articles like this? Sign up to the KNect365 Energy newsletter>>
There is another sense in which the threat landscape is evolving. The power grid itself is changing. The old model – of a static, top-down system in which power flows outwards from a relatively small number of large generation facilities – is gradually being replaced.
The growth of renewable energy, distributed energy resources and demand response is creating a power grid that is more decentralised, more efficient, and more integrated with the internet. New digital technologies, including AI, drones and automation, are reducing the grid’s dependency on human operators. Increasing electrification is extending the grid’s reach into new sectors, such as transport, heating and industry.
From a security standpoint, these developments are neither purely troubling nor purely beneficial. But the energy industry needs to remain informed about the level of risk posed by cyber adversaries for the capital invested into combating them to reflect the level of potential exposure.
With that in mind, two recent analyses give grounds for concern. According to a report by the insurance company Marsh & McLennan, 54% of energy executives were unaware of what their company’s worst possible loss exposure could be in the case of a successful cyber attack.
A separate analysis, conducted by the consultancies Precision Analytics LLC and the CAP Group, found that energy companies spend on average 0.2% of their revenues on cybersecurity. That’s less than a third of the amount spent by banks and financial services companies.
A look at the recent history of cyberattacks against the energy sector indicates that this amount may be insufficient to counter what appears to be a growing threat.
The power grid
What is to date the most significant cyberattack against energy infrastructure took place in Ukraine on December 23rd, 2018. The attack brought down around 30 substations, cutting off electricity access for 230,000 people.
Although the blackout lasted only a matter of hours, it was the first instance of a cyberattack ever having taken down a power grid. More concerning, some experts think that it may only have been a test run.
The malware used in the December 23rd attack – known as BlackEnergy 3 – was one of the new breed of ICS-tailored malware in the mould of Stuxnet. It is believed that the hackers responsible for the attack would have spent months in preparation, studying the various systems used to regulate the Ukrainian power network.
In 2016, a second cyberattack was launched against the Ukranian power grid, this one using a malware known as CrashOverride or Industroyer. This attack took a fifth of Kiev’s power grid offline for approximately an hour. Once again, security experts believe that the incident may only have been a test run.
For power grid operators outside of Ukraine, the most concerning aspect of the attack was that CrashOverride shows evidence of having been designed for use against other countries’ electrical grids.
The malware would already be effective in much of Europe and the Middle East. According to a report by the cybersecurity firm Dragos, minor edits such as the inclusion of a DNP3 protocol stack would also make it effective against the US power grid.
These features, as well as the lack of financial motive behind the attacks, point to a nation state flexing its muscles. “Attribution is difficult,” says Raj Samani, Chief Scientist and Fellow at cybersecurity firm McAfee. “However the recent attacks on the power grid in the Ukraine seem to point to a state actor.”
The remote nature of cyberattacks means that it is often hard to pinpoint the culprit. Probable motive and the level of sophistication shown by the attacker are sometimes the best indication authorities and security companies can gain about the identity of the hackers.
Given the strained political relationship between Russia and Ukraine, and the former’s track record of cyber-aggression, most experts believe that the 2015 and 2016 attacks were organised directly or indirectly by the Russian state.
Oil & gas companies
The Ukraine attacks are probably the most significant examples of hackers disrupting grid infrastructure. But the power grid isn’t the only part of the energy sector potentially vulnerable to cyber adversaries. Oil & gas companies are also key targets.
In August 2017, serendipity was all that prevented a cyberattack launched against a petrochemical facility in Saudi Arabia from resulting in physical destruction and possible loss of life. The attack targeted industrial controllers manufactured by the French company Schneider Electric. The New York Times reports that these controllers are installed in 18,000 industrial facilities around the world.
Investigators believe that the attack was intended to disable the fail-safes in place and trigger an explosion in the facility. Fortunately, a coding error in the virus forced a production shut down instead, averting any long term damage or loss of life. It was a lucky near miss.
Oil & gas production in the Middle East, where an estimated $1 billion of revenue was lost in 2017 due to cyberattack related disruption, is particularly vulnerable to sophisticated, state-directed cyberattacks.
The geopolitical dimension to oil & gas production in the region, and the potential effects of sustained production outages on global prices, mean that cyberattacks to oil & gas infrastructure will remain a tool of political manipulation so long as tensions between the key actors endure.
Digitalisation and automation
The increasing capability demonstrated by cyber adversaries is half of the reason that energy companies ought to be concerned about their level of risk exposure. The other half is that the spread of digital technology, particularly IIoT, automation and AI, creates new sources of potential vulnerability for attackers to exploit.
According to a case study conducted by the cybersecurity firm Darktrace on the UK utility Drax, “the threat to the energy sector is both more serious and more difficult to defend against as a result of the increasing integration of IT with operational technology (OT).” Operational technology includes the Industrial Control Systems of the kind targeted in the Ukraine and Saudi Arabia attacks.
Digitalisation and automation lead to greater efficiencies because they allow for monitoring and comparison of a greater number of processes in real time, and also because they can perform tasks that would otherwise have to accomplished by humans. But removing humans from the equation creates new risks for utilities and energy companies
For the past two years, for instance, National Grid has been trialing the use of autonomous drones to inspect grid infrastructure. The footage is analysed by AI software to reduce the amount of time invested by human operators.
But if the proper security precautions are not taken, drones can provide a backdoor to attackers interested in compromising the wider system. “Many drones are manufactured in a way that makes them relatively easy for criminals to compromise,” says McAfee’s Raj Samani. “For example the use of unencrypted video feeds have allowed malicious actors to view video from military drones in the past.”
Samani believes that any such new technology applied to the energy sector – be it drones, AI or something else – must be “fully tested in environments that demand 100% up time… all technologies within Critical National Infrastructure environments must undergo due diligence to ensure they do not introduce an unnecessary level of risk.”
So far, the worst has yet to happen. Although billions are lost as a result of energy sector security breaches every year, events like the 2015 Ukraine attack are still extremely rare. But if energy companies do not remain vigilant and informed, it will only be a matter of time.
“Some degree of threat intelligence/security consulting is imperative,” says Samani. “What we can say is that there are greater threats against this sector over recent years than previously, and finding the right partner to guide organizations will be crucial.”
