As utilities digitalise more and more, their cybersecurity defences become ever more important.
While nothing on the scale of the successive attacks on the power grid in Ukraine has been reported in the sector over the past year, the threat is ever present.
Last September, Symantec attributed the upsurge in activities targeting the power sectors in Europe and North America to a group named Dragonfly, which appeared to have been dormant
According to researchers from the Slovakian security company ESET, the malware used in the December 2016 attack in Ukraine, which has been named both ‘Industroyer’ and ‘Crashoverride’, is “the biggest threat to industrial control systems since Stuxnet” – the malicious worm identified in 2010 that, more than any other, drew attention to the vulnerabilities in the power sector.
And with implications for an Internet of Things, according to Kaspersky Lab, incidents involving non-computing devices “are among the top-3 incidents with the most severe financial impact” for businesses.
Cybersecurity – a leadership issue
Obviously, cybersecurity is a technical issue, involving firewalls, malware and virus detection and other software solutions.
But it is also a leadership issue, says Rene Marchal, on secondment from the Dutch transmission system operator TenneT as the national expert on cybersecurity to the country’s administration.
“With an interconnected system such as in a utility, cybersecurity must be an integral part of it and thus the solutions are found not within the IT department but in leadership,” he says.
“Cybersecurity should be an integral part of risk assessments and investment plans and thus not only at the heart of the technical solutions but also at the heart of doing business.”
Nevertheless, Marchal cites one key challenge as the sharing of security intelligence within the TSO community in Europe, which is restricted by national legislation across the region.
“In a sense we are working on two stools. As the system operator we are working on connecting the system but we are also bound by the national legislation and that doesn’t work. If we are all working to connect the dots to one system, we need to connect the vulnerabilities and threats and the responsibilities.”
On threats, Marchal says there needs to be deeper cooperation with national intelligence services as these pertain to national security.
On vulnerabilities, Marchal points to an initiative TenneT developed working with the hacking community, which has resulted in the development of an expertise centre for “ethical hacking”.
“We need these resources and by giving them an ethical framework to work within, we can profit from it.”
He also highlights the need for training, particularly for management, such as is offered by the European Network for Cybersecurity.
“Training on how to attack and defend a SCADA system really gives a good understanding of the risk of threats and how to mitigate them.”
In conclusion, Marchal asks if players are “going to wait for a big security incident to occur or to take signals such as the Ukraine incidents seriously?” or as he puts it, “act on smoke or wait for the fire?”
He says he believes that the signals are there, but with utilities being a regulated business and the investment requirements for cybersecurity huge, “there needs to be more awareness in the regulatory frameworks and the national agencies.”