The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 

WARNING: SIGN-IN

You need to be a member of Energy Central to access some features and content. Please or register to continue.

Post

Equipping the energy sector to deal with cyber threats

image credit: © Guruxox | Dreamstime.com

This item is part of the Cybersecurity - Special Issue - 04/2020, click here for more

One of the best-known cyber-attack on critical infrastructure took place in Ukraine in 2015, when hackers successfully infiltrated the electric utility’s supervisory control and data acquisition (SCADA) system. Key circuit breakers were tripped, and the SCADA system was turned into a “brick”, causing a system-wide power blackout. It left nearly a quarter of a million people without electricity, in the middle of winter, for up to six hours.

Critical infrastructure around the world continues to be at risk as a new generation of malware specifically targets the industrial automation and control systems (IACS) used in critical infrastructure. These systems include the SCADA and human machine interfaces (HMI) technologies that are at the very heart of the assets that keep modern society safe and functioning, affecting everything from food and water to manufacturing plants and power installations.

Last October, reports from India eventually confirmed, following several denials, that hackers had infiltrated the country’s biggest nuclear power station, at Kudankulam in the southern state of Tamil Nadu. According to the virus scanning website VirusTotal, the hackers had managed to infect at least one computer with the so-called DTrack spyware before the breach was detected. Criminals in India had previously planted the DTrack spyware in ATM machines to steal card numbers and other personally identifiable information (PII). It is feared that this time the perpetrators may have obtained a large amount of data from the nuclear plant, which could be sold to terrorists for nefarious purposes, such as sabotage or stealing radioactive material.

Meanwhile, according to reports, at least one oil installation in the Middle East is among the victims of a new kind of ransomware. As you might expect, the Ekans malware works by encrypting data and leaving a ransom note. The Duuzer malware used against South Korean manufacturing plants in 2015 worked in a similar way. What is new and more dangerous about Ekans is that it specifically targets industrial control systems. It blocks software processes that are specific to IACS, which could prevent operators from monitoring or controlling operations. The consequences could be devastating for human lives and for the environment.

IT vs. OT

Many power stations and industrial plants are not equipped to deal with these threats. A key issue, according to a recent IEC Technology Report, is that cybersecurity is too often understood only in terms of IT (information technology). Those responsible for security often overlook the operational constraints in sectors such as energy, manufacturing, healthcare or transport. The growth of connected devices has accelerated the convergence of the once separate domains of IT and operational technology (OT). From a cybersecurity perspective, the challenge is that unlike business systems, IACS are actually designed to facilitate ease of access from different networks.

That is because industrial environments have to cope with different kinds of risk. Where IT security focuses in equal measure on protecting the confidentiality, integrity and availability of data — the so-called “C-I-A triad” — in the world of OT, availability is of foremost importance. Priorities for OT environments focus on health and safety and protecting the environment. In the event of an emergency in order to be able to protect personnel or to minimize the impacts of natural disasters, it is therefore vital that operators can receive accurate and timely information and can quickly take appropriate actions, such as shutting off power or shifting to backup equipment.

Protecting SCADA systems

SCADA systems, which are used to oversee electric grids as well as plant and machinery in industrial installations, often rely on “security by obscurity”, reflecting the ingrained mindset that since no one knows or cares about their communications systems or their data, they don’t need to protect it. However, SCADA systems can now have widespread communication networks increasingly reaching directly or indirectly into thousands of facilities, with increasing threats (both deliberate and inadvertent) potentially causing serious harm to people and to equipment. The retrofitting of appropriate and effective security measures has therefore become quite difficult for these SCADA systems. In the world of IT, for example, intrusion detection and prevention systems (IDPSs), are on the frontline of defence against malware. IDPSs are usually software applications that eavesdrop on network traffic. Depending on how they are configured, IDPSs can do everything from reporting intrusions to taking actions aimed at preventing or mitigating the impact of breaches. The challenge with SCADA systems is how to distinguish between normal data and potentially intrusive data that could cause harm.

“If the intruder uses well-formed protocol messages, the IDPS may not recognize it as an intrusion,” explains smart grid cybersecurity expert Frances Cleveland, who is the convenor of IEC Technical Committee 57 Working Group 15 that develops IEC 62351 standards for power system operations.

“The best solution is for SCADA systems to use security with their communication protocols,” she says. “Security does not necessarily mean encrypting messages, but at least adding authentication and authorization as well data integrity checking, while still allowing packet-inspection of the messages themselves which can help IDPSs determine if invalid data is being passed.”

International standards and conformity assessment

International standards provide solutions to many of these challenges based on global best practices. For example, IEC 62443, is designed to keep OT systems running. It can be applied to any industrial environment, including critical infrastructure facilities, such as power utilities or nuclear plants, as well as in the health and transport sectors.

The industrial cybersecurity programme of the IECEE — the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components — tests and certifies cybersecurity in the industrial automation sector. The IECEE Conformity Assessment Scheme includes a programme that provides certification to standards within the IEC 62443 series.

In an ideal world, power stations and other critical infrastructure would be secure-by-design. In addition to security standards for key communication protocols, IEC 62351 provides guidance on designing security into systems and operations before building them, rather than applying security measures after the systems have been implemented. The thinking is that trying to patch on security after the fact can at best be only a quick fix and at worst comes too late to prevent the damage being done.

A holistic approach

A recently published IEC report on cybersecurity recommends prioritizing resilience over other more traditional cyber-defence approaches. The report says that achieving resilience is largely about understanding and mitigating risks, as well as being able to detect and cope with security events when they happen. There is no way to prevent them completely. Even secure-by-design systems, although safer, require continuous and pervasive monitoring. IEC Standards for cybersecurity emphasize the importance of applying the right protection at the appropriate points in the system, while paying attention to safety, security and the reliability of processes.

It is vital that this process is closely aligned with organizational goals because decisions about what steps to take to mitigate the impact of an attack can have operational implications. “Resilience is not just a technical issue,” warns the IEC report, “but must involve an overall business approach that combines cybersecurity techniques with system engineering and operations to prepare for and adapt to changing conditions, and to withstand and recover rapidly from disruptions”.

Michael A. Mullane's picture

Thank Michael A. for the Post!

Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.

Discussions

Matt Chester's picture
Matt Chester on Apr 28, 2020 4:12 pm GMT

The report says that achieving resilience is largely about understanding and mitigating risks, as well as being able to detect and cope with security events when they happen. There is no way to prevent them completely.

Such an important core tenet to internalize for those working in and with cybersecurity. And this is where I imagine it's critical for the non-cyber professional to be trained up and aware, right? Once you're in the system, is there a specific need and role for common employees to keep an eye out for-- similar to how phishing commonly targets these less cyber focused employees, are there ways for everyday utility professionals to keep aware and alert about threats that have penetrated security systems?

Michael A. Mullane's picture
Michael A. Mullane on Apr 29, 2020 11:49 am GMT

You're absolutely right. All employees need awareness training and it's the job of all managers to implement the relevant policies and principles in their departments. Sadly, a great many breaches are down to the negligence and mistakes of employees.  ISO/IEC 27014 is part of the same family of standards as ISO/IEC 27001 and provides guidance on establishing organization-wide information security.

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »