This article has been written by Devagni Vatsaraj, pursuing a Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.
We, as laymen, generally understand cyber risk to be related to the Information Technology sector and often restrict our thinking to this one sector. However, many industries face cyber threats, such as utilities, aviation, maritime, oil and gas, manufacturing, and the electrical generation and distribution industry. The energy system faces unprecedented threats at different levels: from discontented employees, hackers, foreign actors and organised crime.
Turning to the electrical sector, it is easy to see that it is one of the most critical infrastructures of a nation, since a whole chain or network connects power plants to residences as well as commerce.
Therefore, one can only imagine how frequently this sector faces cyber threats, and if its security is jeopardised, the harm caused is grave and irreparable. It can result in loss of power across the nation, damage to machines and equipment, destruction of devices throughout the grid, and harm to national economic security and public safety.
We do not generally think of this, but consider this thought: all sectors, such as communications, water, sewer, transportation, finance, production and packaging, are dependent on power, and if power is out, all of them come to a standstill and become vulnerable.
Risks in the sector
The electric-power industry's interdependence on cyber and physical infrastructure makes it more vulnerable to exploitation, ranging from commanding the operational technology to deny services, to billing fraud, to sabotaging the assets. Digitally speaking, machinery and assets were isolated in the past, whereas today everything is linked to one central system. Consider the Internet of Things in electrical vehicles, or Industrial Internet of Things devices such as sensors, instruments and robots: they are all connected to a server, and if that server is compromised, it can cause great harm.
In such circumstances, attention should be given to possible attack scenarios under the existing security measures, and the inefficiencies should be improved. Further, the focus should be on the communication between the operator and stations, to determine whether there was any compromise of security. The sector has been aware of these crimes, and it is one of the first industries to implement and execute proper standards to have cyber-security measures in place.
How the attacks have changed over time
Previously, attackers would target the IT network to launch ransomware or steal data; however, with evolving circumstances, they are no longer focused on monetary gain. These attackers have now shifted their focus to industrial control systems, through which they can lay the groundwork to damage the grid by learning to operate the system and control power plants, distribution networks and sub-stations. Among the major incidents brought into the limelight, the cyber attack on a Ukrainian utility in 2015 is considered the first successfully executed attack on a power grid; the attack deactivated operators' accounts and deleted server information, resulting in power being turned off for 2,25,000 Ukrainian residents.
The Stuxnet attack in 2010 caused irreparable damage to centrifuge equipment at Iranian nuclear facilities. Similarly, the 2017 Triton attack triggered an explosion at a petrochemical plant in Saudi Arabia. Along with the frequency, the sophistication of these crimes has increased.
The most common attacks on the power and electrical sector are phishing and the injection of malware into the system. Other attacks are credential theft, remote access trojans, denial of service (which has become a new favourite amongst the attackers) and watering hole attacks.
Instances of cyber mischief in the sector
- In the SolarWinds scandal last year, numerous U.S. governmental departments and public and private sector undertakings around the globe were hit by cyber attacks. The attackers had compromised the SolarWinds Orion network monitoring software and distributed malware. The attack was allegedly perpetrated by Russia and was extremely complicated.
- In February this year, the operator of a water treatment plant in Oldsmar, Florida uncovered a potentially dangerous intrusion that had occurred on the water plant's computer system. The attacker had increased the level of sodium hydroxide to a hundred times the normal level. Thankfully, the situation was brought under control by the timely presence of the operator, keeping the public safe.
- As mentioned earlier, the Ukrainian attack of December 17, 2015 on its capital, Kiev, resulted in a blackout for over an hour and amounted to a loss of one-fifth of the power consumption at night. A similar attack took place exactly a year before that on a regional electricity distribution company. In December of 2016, the president, Petro Poroshenko, said that the attackers/hackers had targeted the state institutions approximately 6,500 times in the last two months of that year.
- The Stuxnet worm was believed to have infiltrated via a worker's USB drive. Inspectors from the International Atomic Energy Agency observed that numerous uranium-enriching configurations were breaking and, as it turns out, over fifteen Iranian facilities were attacked.
- At a petrochemical plant in Saudi Arabia, hackers had deployed dangerous malware that could take over the plant's safety system and could cause life-threatening situations. However, the attacker was not vigilant enough to predict that such traffic would trigger an alarm, and thankfully the authorities could prevent the disaster.
Managing and mitigating such cyber risks
Evaluate vulnerabilities and strengthen the assets
Electric power companies should first chart out their infrastructure resources and map out their priority. They should then research the vulnerabilities, figure out which resources are the more likely and easier targets, and work on them to reduce such chances. Once basic work on the assets is done, enough to temporarily prevent an attack, the company can go on to build a foolproof framework for the security of its resources, technology and systems.
Engage with the government and peers
Having successfully accomplished the first step of securing its own resources, a company should not halt its process; where one's thought process ends, that of the attacker starts. Therefore, it is for the betterment at large that companies come forward together, reach out to their peers in both the private and the government sector, and discuss and establish standard protocols and certification processes to secure the electrical sector and keep it away from cyber risks.
Exchange threat intelligence
Not only should companies come together to establish security protocols, but they should also share within their sector the threats and incidents that have occurred or may have occurred, causing physical harm and vulnerability to the grid. This way the whole sector benefits and stays vigilant towards the security of its services/products, its people and its resources.
Secure their supply chain
A cyberattack is generally directed at either Information Technology or Operational Technology. Companies in the electrical sector collaborate with third-party companies for their IT services such as software, hardware, design, coding and information, and these transactions with third-party companies can be across the globe. There are many possibilities of loopholes throughout this supply chain, and a good example of this is the 2017 Saudi Arabia petrochemical instance.
The problem in dealing with this obstacle is that there is no clear accountability and ownership; various departments apart from IT and OT, such as legal, corporate security and cloud security, are involved. Another concern is that third-party companies may pressurise the management into moving the operations out of the cloud before it can be determined whether the provider was secure.
To reduce cyber risk across the sector, companies should initially follow the first step mentioned above and then move on to employ more manpower that can keep up with the overwhelming number of suppliers to be assessed. The industry must have an established, secure cyber-security model. Another approach towards mitigating the risk is staying vigilant; companies should understand the supplier company's security model.
Check whether they follow the standard security practices, security design, and timely adherence to safeguards, threat intelligence and vulnerability management. The companies in the power electrical sector should establish a criterion to determine safety, to select a supplier from amongst the lot, have a clear dialogue with the service provider and prioritize product/service safety, clarify accountability and ownership beforehand, and enhance procurement practices.
Employing strategic intelligence
The power electric sector must take a proactive, rather than a reactive, approach to mitigating cyber risks. Companies should employ teams that can analyze and take a holistic view from an organisational and people standpoint, and that can monitor threats/risks across the industry, including from legal, political, geographical and financial perspectives. Along with this, bright, security-minded people can address the known and potential (unknown) threats that may continue to find their way into the sector.
Use of cutting-edge technology
The security equipment should be aligned to ensure that not just the safety and security personnel but also aware, proactive and problem-solving minds are able to report potential risks and take measures to mitigate them. Initiatives across the sector should focus on redesigning processes and equipment. Implementing track-and-trace programs, scanning, automation, auditing, careful processing of data, and using blockchain and artificial intelligence are some of the primary measures. We saw in brief what potential challenges arise in the supply chain, and blockchain can help track such components.
Blockchain, as we know, is a database: a collection of information that is stored electronically in a computer system, in blocks. This technology can be used to trace transactions or follow a life cycle, encrypting it in codes that provide unalterable digital records of its access. Digitising operations and storing them in blockchains is by far the safest option. It further creates decentralised nodes that contain copies of the transactions in its ecosystem, making cloud computing more secure. Its encryption protocol allows data to be re-encrypted, making circumventing cyber risks possible. Since one record is stored at multiple locations, compromising it becomes a very difficult task.
A methodology called Process Security Analytics has been developed by Siemens Energy, which translates data from IT and OT into one uniform data stream. Once that is established with the help of Artificial Intelligence (AI), they can identify the threats beforehand. Such data can be stored in the digital twins, which enables the sector to compare the target of the attacker and accordingly take measures in operation to prevent the actual happening of such risk.
AI can also potentially deny unexpected activity/delivery in the power electric industry, and it enables a change in the dynamics and the secure exchange of critical data via cryptographic keys. Further, it can collect relevant real-time data, customise it and put it in a proper framework to mitigate cyber risks. A sensible solution to mitigating the risk is a tie-up with a company that provides AI-based cybersecurity solutions, which detect threats at an early stage and protect the company's resources.
“We are certain,” says Simonovich, “that companies that continue learning and adapting their defence strategies based on AI technology and strategic partnerships will significantly reduce their risks. It’s a big job, but one we can accomplish.” Without digitisation, the power electric sector is not able to meet a dynamic market, and for this reason its infrastructure, along with its critical assets, is connected to the internet. Therefore, it is of utmost importance that the sector keeps its eyes and ears open all the time for any possible risk and keeps its partners, customers, suppliers, products and assets under surveillance. Further, adaptation to security protocols/standards along with the technology is essential.
The landscape of the power electric sector is expanding, giving more opportunities to cyber risks, malware threats and exploitation of vulnerabilities. This is one of the most attacked sectors across the globe, since an attack can cause great harm and destruction that goes on to affect the lives of people and damage the environment. As discussed, due to the lack of ownership and accountability, summoning a suspect becomes extremely difficult, but taking measures in the right direction is a good enough start towards the prevention of cyber attacks. With the measures listed above, companies dealing in the manufacturing and distribution of power electrical services can help manage cyber risks for themselves, for the whole sector and for society as a whole.