Turning the Lights on an Energy Sector Under Cyber Attack

Cyber attacks on the energy sector can be life or death, literally. Kate O’Flaherty puts energy security under the spotlight

In 2010, a malicious computer worm that later became known as Stuxnet wreaked havoc on centrifuges used to enrich uranium gas in an Iranian facility, ultimately derailing the country’s nuclear programme. Thought to have been perpetrated by the US and Israel in a joint effort, the attack was the first time a cyber weapon had affected physical equipment, but it wouldn’t be the last.

A couple of years later, another game-changing malware called TRISIS was discovered at a petrochemical plant in Saudi Arabia. With the ability to disable the safety systems that prevent plant shutdowns, the malware could damage equipment and even lead to loss of life, according to cybersecurity firm Dragos.

It’s been widely hypothesised that energy sector cyber attacks could play a part in hybrid warfare scenarios. This, for example, could see a hostile nation use cyber to cut a country’s power, followed by a physical assault to take advantage of the confusion.

And then, in 2015, Ukraine’s power grid was hacked by Russia, leading to outages for almost a quatre of a million (230,000) people. Last year, Russia allegedly tried this tactic again in Ukraine, but its attacks on the power grid were largely unsuccessful.

Today, the global energy sector remains a major target for nation-state adversaries such as Russia, with organisations including the UK’s National Cyber Security Centre (NCSC) warning companies operating in the industry to stay alert.

SCADA wasn’t built for the internet

The energy sector has an added weakness that differentiates it from other industries—the supervisory control and data acquisition (SCADA) systems it uses. Without getting too technical, SCADA is a type of operational technology, meaning it interfaces with the physical world.

Stuxnet was the first time a cyber-weapon had affected physical equipment, but it wouldn’t be the last

SCADA was not designed with security in mind because it wasn’t built to be connected to the internet. “These systems are often upgraded to enable internet access or their interfaces are now exposed via the web,” says Matt Watson, red team expert at CovertSwarm.

Operational technology is also becoming more interconnected with corporate IT systems, increasing the risk. “Our perception of cybersecurity has changed significantly in the last 30 years, but SCADA-based systems remain the same,” says Kennet Harpsoe, senior cyber analyst at Logpoint. He says the combination of “old devices, old communication protocols, no encryption and minimal authentication” is “a dangerous cocktail”.

Additionally, the sector is undergoing a huge transformation seeing millions of connected devices, including smart meter and smart grid devices. Each new device connected to a smart grid presents an opportunity for would-be attackers, says Phil Beecher, CEO and president of Wi-SUN Alliance.

An increase in the number of distributed energy resources, such as wind turbines, fuel cells and electric vehicles further increases the risk and presents new challenges, Beecher says.

Like all industries, the energy industry is also at risk from cyber attacks caused by human error. “The energy sector employs thousands of workers who have access to sensitive systems and information,” says Aare Reintam, COO of cyber range company CybExer. “These workers can inadvertently introduce vulnerabilities through email phishing attacks, weak passwords and other security lapses.”

Three categories of hackers targeting energy

Three classes of adversary target energy companies, according to experts. First, there are hacktivists who wish to gain visibility to highlight a particular message. For example, hacktivists may direct attacks against the energy sector to publicly display their opposition to the industries’ activities for environmental or ideological reasons, says Watson.

The energy sector employs thousands of workers who have access to sensitive systems and informationAare Reintam

Secondly, there are the cyber crime gangs that typically try to extort money, using ransomware to lock staff out of systems that manage energy production or distribution.

The third type of attacker, nation state adversaries, are particularly interested in the energy sector for economic and geopolitical reasons, says Watson. For example, a hostile nation state may target the energy grid of a rival country to cause a blackout, which could be used to weaken the adversary’s economy or its military capabilities.

 Attempts to infiltrate the energy sector often come via phishing emails to entice employees to click on a malicious link or download a malware-laden attachment, says Ian Thornton-Trump, CISO at Cyjax.

Attackers also target company systems that have been “forgotten about, are not part of the vulnerability management programme or are not decommissioned”, he says. “The aim [of attackers] is primarily financial, with a small component of espionage.”

Preventative cybersecurity is not enough

Energy is a sector under attack—and because it is recognised as critical national infrastructure, it’s also highly-regulated by legislation such as the UK’s NIS Directive.

While best practices have been outlined by regulators, experts say more needs to be done to boost security in the energy sector. First and foremost, the risk posed by SCADA-based systems makes it important to segment networks, says Harpsoe. Network segmentation means dividing an IT network into smaller segments to enhance security and manage network traffic more efficiently.

It’s also a good idea to control who can access systems. For example, Harpsoe advises using multi-factor authentication and other security measures to ensure the wrong people can’t gain access to the network.

At the same time, it is worth focusing on how you can avoid or blunt the damage from a cyber attack if one does occur, says Jo De Vliegher, client partner at ISTARI.  “This can range from segmenting systems through to data backups,” he advises.

Meanwhile, ensure you keep in mind that preventive cybersecurity is not enough. De Vliegher advises building in cyber resilience and implementing a comprehensive incident response plan. “This will ensure you are fully equipped to withstand, limit the damage and speed recovery across your operations.”

Rather than learning post-attack, make sure your plan is written and not just filed away. “Make time to test it thoroughly and war game how you would respond and recover,” De Vliegher says. “These efforts should be company-wide and test everyone to smarten up their cyber hygiene.”