by Andrew Joyner, Cyber Security, Thales Australia
The threat of cyber-attacks on power infrastructure is a cause for global concern. Unsurprisingly, Australia’s critical infrastructure is an obvious significant target for malicious actors and foreign powers that seek to cause major disruption to the economy and everyday life.
The ability to attack a power grid no longer exists only in theory. A recent example of a powerful cyber-attack on a grid took place in Ukraine in mid-2017, utilising Petya malware. Additional breaches relating to Petya were also detected in France, Germany, the US and Australia.
Incursions and breaches into power grids using sophisticated malware have caused grave concern amongst providers and governments alike. Recent extensive reviews into the defence capability of countries such as the US have stated that only low-scale, short-term attacks on the electrical grid can currently be handled properly.¹ The report goes further and warns that the US would not be able to thwart a catastrophic power outage of a magnitude beyond modern experience, one that exceeded prior events in severity, scale, duration and consequence.²
Irrespective of motive or source, a successful attack in Australia would see large populations across the country suffering major outages. Any sustained attack would not only pose an economic threat but would probably also have deep and widespread societal impacts, particularly given that previous attacks have consistently demonstrated collateral damage, with unintended targets often caught in the net. Indeed, some scenarios have envisioned attacks that impact the delivery of water and food, degrade sanitation, break down security and, in the extreme, have the capacity to lead to societal collapse.
Evolution to smart grid technology
In Australia the energy landscape has also started to change. Energy providers are now increasingly experimenting with ‘smart grid’ trials in the hope that they will give consumers the capacity to use energy more efficiently and avoid the circumstances that have previously led to blackouts, as witnessed in South Australia in 2017.³ Despite the benefits offered by the smart grid, the evolution to smart grid technology that connects IT, energy management systems and consumers is blurring the traditional boundaries between those spheres and has started creating new security vulnerabilities.
Microgrids are also increasingly being investigated by Australian energy providers. Heralded for their flexibility, resilience and integration with renewable power, they can essentially self-island from a distribution network and make use of distributed, self-healing architectures to maintain energy delivery. If a cyber-attack were to cause outages, the microgrid would have the capability to shed non-essential loads and continue to energise critical loads. However, microgrids are themselves vulnerable: the greater penetration of monitoring and control capabilities they depend on also opens up new avenues for security breaches.
The five key considerations for a comprehensive security umbrella
As we globally transition to a far more connected, digitised world, the far-reaching extent of that very connectivity, especially within the context of smart grids and microgrids, provides a greater attack surface. It is the sum of these different points of connection that broadens the scope of intrusion and provides opportunities for cyber criminals to launch crippling attacks.
Preventing any sort of attack will inevitably require improving security of the power grid as well as creating a deterrence posture that would dissuade adversaries from attacking it again. The goal of any strategy should be to secure the power grid to make it defensible, to detect attempts to compromise the security of the grid and to provide certainty to adversaries that any intrusions/attacks will prompt appropriate responses.
Ageing energy infrastructure, based primarily on 1960s and 1970s technologies, features control systems that run on old, and entirely vulnerable, operating systems with significant security inadequacies. These inadequacies range from the lack of encryption or authorisation on control channels to the lack of processing power to run effective virus scans.
There is now no question, given the significant vulnerabilities of the sector and the propensity of attackers to cripple not just a market but economies and nations, that cyber security needs to become a core capability for energy providers. Cyber security needs to protect the value chain and the extended ecosystem from end to end. The nature of the threat is so real and potentially catastrophic that cyber capabilities need to be imbued into the fabric of the electricity landscape. The convergence of physical and cyber threats demands it.
From an end-to-end cyber security perspective operators should now be obligated to both invest in cyber resilience measures and establish effective response and recovery capabilities. The following concepts are those that need to be addressed for the formulation of a comprehensive security umbrella:
- Investigate a platform approach to cybersecurity capabilities
Deregulation has restructured the market in such a way that there now exist a number of small and medium-sized distribution businesses that fall short of the resources necessary to develop significant cybersecurity capacity.
Coupled with greater demand from consumers, both in a physical and a technological sense, and general competition between providers, the prioritisation of security projects, or lack thereof, is consistently delaying the implementation of security requirements and widening the breadth and depth of vulnerabilities.
It could be productive to pool resources in the market and look to platform-based models and technological solutions that could help resolve common security challenges without providers having to re-prioritise their own individual operational and technological needs.
- Integrate resilience into asset and process design
Cyber security needs to be interwoven into the fabric of all design, build and process work. Security requirements cannot be the afterthought or add-on that has generally been their fate until now.
As most utilities still operate systems and assets that were designed before the advent of computers, and before the emergence of cyber-attacks, any rebuild or upgrade needs to build improved resilience into the design. Additionally, integrating natural hazard hardening as well as security into the future design of grids will establish security as a mandatory element.
- Share threat information
In April 2016, the Australian Government set out its philosophy and program for meeting the dual challenges of the digital age, that is, to advance and protect our interests online. Its release, Australia’s Cyber Security Strategy, establishes five themes of cyber security for the next five years.⁴ One of the five themes stipulates the need for a national cyber partnership between government, researchers and business.
What this highlights is that businesses are facing common threats, and indeed the electricity industry is facing a common threat. The sharing of intelligence and information between businesses is a critical activity that could assist in creating situational awareness of the latest threat landscape and allow providers to be better prepared for potential attacks.
- Develop security and emergency management governance models
A cyber security governance model should reflect the prevailing corporate culture. For example, a top-down centralised business model should reflect that in its cybersecurity governance. Similarly, businesses that operate in a decentralised fashion should be able to convey the concepts of cybersecurity within their governance structure.
Each model will be unique in accordance with the business structure, taking into account its organisational distribution, structure and operations. Much like the point made on asset and process design, cybersecurity should be interwoven into the fabric of those models and, by extension, should focus specifically on the culture, property and information of the business so as to create a resilient corporate and operational environment.
- Develop relationships with regional security officials and with cyber response experts
Whether national security and intelligence officials or private sector cyber response and legal experts, outside expertise could help to contain an attack, investigate it and manage its consequences. Understanding the interactions, connections and abilities available in times of attack will allow for successful management of responses. Modelling roles and abilities gives an understanding of both dependencies and interdependencies, providing for successful and efficient responses to cyber-attacks.
Grid operators need to be agile
The outlook that needs to be adopted by the electricity industry has to be all-encompassing. Awareness and manoeuvrability in a quickly shifting environment are critical both for understanding vulnerabilities and for having the capacity to react to, and recover from, attacks.
Australian grid operators are spread widely across the cyber protection maturity curve. Some are working squarely towards complying with security standards, while others are working towards developing cyber security as a core business capability. The risk of not embracing cyber security, and only working towards meeting compliance functions, is that the progression of technology and the capabilities of attackers outstrip both the knowledge and the levels of security that adoption of compliance standards alone dictates. To combat cyber risk, the onus must be on grid operators to be agile in their methodology.
A capability that leverages situational awareness, engages the wider energy ecosystem and works in tandem with government, businesses and industry forums to build an extensive network of knowledge and ability is necessary. This is necessary not just for the sake of providers, or so that the market can react and intervene promptly during a cyber-attack event, but more importantly to allow the development of a comprehensive defence system that works to minimise the disparity in individual levels of maturity. The reasoning stems from the nature of the ecosystem itself: the strength of a cyber defence is only ever that of the most vulnerable provider. Interconnectedness means that vulnerabilities are now shared, so the ownership of security needs to be less about individual provider awareness and more of a community commitment.
Additionally, to meet the security imperative from within, a smart grid or microgrid must move to integrate and consolidate end-to-end IT and physical security into its design. Breaches or irregularities should be reacted to uniformly, whether they come from an IT (Information Technology), OT (Operational Technology) or physical perspective. Convergence of these spheres is imperative from a design, process and governance perspective in order to unify strategy, security thinking and general practice.
Creating a holistic end-to-end approach
End-to-end cybersecurity is more than an ‘add-on’, and it is about more than meeting standards of compliance. The cyber landscape has changed dramatically with technological progress. It is imperative for all organisations to be situationally aware, to understand the capability of their adversaries and the consequences of the threats, and to accept that attacks have occurred and will occur in the future with unprecedented magnitudes of disruption.
Preparedness, sharing information, integrating resilience into design, formulating agile responses, and anticipating disaster and how to recover from it are all critical to a holistic end-to-end approach that needs to be embedded culturally in order to secure the corporate and operational environment of the electricity grid.
¹ ‘US couldn’t handle catastrophic cyberattack on power grid, government warns’, https://securityboulevard.com/2018/12/us-couldnt-handle-catastrophic-cyberattack-on-power-grid-government-warns/
³ ‘Threat of cyber attacks on power infrastructure’, https://www.accenture.com/au-en/insight-utilities-outsmart-grid-cybersecurity-threats
⁴ ‘Cyber Security & Energy Networks’