Electricity industry on alert for ‘cyber sabotage’

The spear-phishing email attack on US electricity companies in September, allegedly by North Korea, was yet another in a growing barrage of cyber incidents faced by the power generating, transmission and supply industry around the world.

“We saw intrusion attempts against US electricity providers from actors that we believe are affiliated with the North Korean government,” says John Hultquist, director of intelligence analysis at US cyber security company FireEye, which stopped the emails.

Mr Hultquist believes the fake emails, targeted at senior management, could have been a first step to infiltrate the companies’ information technology networks, and from there gain access to their industrial control systems.

Industrial control systems were hacked in the Ukrainian power grid in December 2016, resulting in power cuts in Kiev lasting more than an hour. Malware called Industroyer was used to control electricity substation switches and circuit breakers, according to Slovakian IT security company ESET. “We believe it was used in the attack on Ukraine’s power grid,” says Robert Lipovsky, a senior malware researcher at ESET.

“It’s impossible to say who created it, but it was not the work of a typical cyber criminal, but a group of well-funded and well-motivated people, so state-funded is one possible explanation.”

The FBI and Department of Homeland Security issued a warning to US infrastructure companies in October following attacks on the electrical power sector and other industries. “The energy sector, being a critical lifeline sector, is targeted by a variety of adversaries,” says Mark Bristow, a deputy director at the National Cybersecurity and Communications Integration Centre of the DHS. “We can dispatch an on-site response team once an incident has been reported. We can also hunt for intrusions the energy company might not have detected.”

Cyber sabotage, or even cyber warfare, is becoming more and more the weapon of choice for state- or terrorist-sponsored groups

Hacking the power grid is more complex than simply infiltrating a computer network. “The grid is designed to be resilient against all sorts of threats and can withstand attacks that are man-made or a result of natural events,” says Marcus Sachs, chief security officer of the North American Electric Reliability Corporation, which sets the security standards for the region’s power grids. “In fact, there have been no outages or disruptions to the bulk power system in North America due to a cyber attack.”

Rosa Kariger, chief information security officer for Iberdrola, the Spanish electricity company, agrees: “Unlike information technology, where daily attacks can be counted in the hundreds, attacks on the operational technology infrastructure are not easy to execute with success — connectivity is less exposed, system architecture is built upon several layers and electric grids and power plants are designed with sufficient redundancy to withstand a sudden component failure.”

However, she adds that attackers continue to target critical infrastructure. “These kinds of threats are increasing as cyber sabotage, or even cyber warfare, is becoming more and more the weapon of choice for state- or terrorist-sponsored groups,” she says.

Leo Simonovich, a cyber strategy expert at Siemens, the German company which provides security solutions to energy companies, agrees: “We see operational technology cyber risk as the new risk frontier.”

The growing number of web-connected devices in homes, such as domestic heating systems and “smart meters”, are also vulnerable to attack, says Dexter Casey, chief information security officer for Centrica, the British electricity and gas supply company.

“It’s highly unlikely you could launch a successful attack against a generating or grid company via the internet of things, but there’s still a risk to the industry’s reputation,” he says. Consequently, “we spend millions hacking into smart meters to test them,” says Mr Casey.

A shortage of skilled security staff is a concern for the industry. “I would like to see more apprenticeships, on-the-job-training and university courses structured to get people into the energy industry,” says Lawrence Slade, chief executive of Energy UK, the trade association.

Some observers fear that the trend away from large, centralised, power stations and towards decentralised power — such as small, flexible gas power plants and solar panels on homes — could increase cyber risk as small power producers would have less sophisticated cyber defences. Mr Slade believes the opposite. “In some respects, moving into a more decentralised world gives you more flexibility and it could be seen as more resilient,” he says.

Nevertheless, the European Commission has grown concerned about attacks on the energy sector. Its new cyber security package, announced in September, which covers all areas of the EU economy and society, includes proposals for more scrutiny of the software and other components used to monitor industrial control systems.

“As we increasingly rely on online technologies,” says Sir Julian King, EU commissioner in charge of security issues, “our critical infrastructure such as energy grids, satellite communications and healthcare systems become evermore vulnerable.”