The modernisation and digitisation of utility infrastructure is happening at full speed.
However, this means not only that utilities now have access to new opportunities such as cloud-based systems and automation, but also that the level of cyber threats to the grid ecosystem has increased exponentially. As utilities operate a vital section of critical infrastructure, they are naturally more exposed to cyber attacks, not only from isolated individuals but also from parties such as industrial espionage hackers, terrorist organisations and hostile states.
“Cyber attackers have become more organised. Cyber threats don't come only from individual hackers, but there is a broader criminal ecosystem. We have insiders, such as unhappy employees, partners or subcontractors, and there is also an increase in terrorists and hostile state agents getting involved in the cyber war. With this criminal ecosystem and these new agents, the attacks are becoming far more advanced and based on deeper technical skills.”
The evolution of cyber attacks
According to Ahrlich, as more parties have joined the criminal ecosystem in cyberspace, the nature of the threats has also evolved significantly to include advanced persistent threats (APTs), distributed denial of service (DDoS) attacks, malware and ransomware.
Ahrlich illustrates the potential damage of an APT with a recent case involving one of Nokia’s customers in Asia. “An incautious employee was the target of a spear-phishing attack. It was an employee with certain credentials, and with these credentials, the attacker could collect data, change network configurations and eventually mop the network. Once they planted this malware bomb on the critical systems, which they then took offline to prove their control of the network, they demanded a ransom. This is a type of attack we see more and more with critical network providers.”
However, the landscape of OT and IT cybersecurity in electric utilities has also changed radically in recent years. While the situation varies greatly from utility to utility and from region to region, there is still a common denominator. “The challenge now is that critical infrastructure is going through a lot of transformation, and this must be coordinated with evolving cybersecurity standards,” says Ahrlich.
“With the modernisation and digitisation of meters and the grid to improve connectivity, modernising cybersecurity safeguards must also be factored in. Not only the technology but also the processes need to be adjusted and the personnel must be trained to comply with the standards, for example.
“Utility cybersecurity teams are tasked with assessment, maintenance of the network, expanding connectivity, and introducing new software; and what we see is that this is still done manually, which is quite resource-intensive. The cybersecurity team gets additional equipment on top of the daily work, but they don't get the tools to achieve what they should achieve."
A defence-in-depth security framework
To Hansen Chan, Marketing Manager at Nokia, a defence-in-depth approach to cybersecurity is necessary to provide the level of security needed to mitigate real risks.
"The aim is to build cyber defences aligned with the network's operational objectives. To do that, there are multiple dimensions - technology, processes and employees," Chan describes.
"The technology is a layered security measure across the network infrastructure, application and data, and the access to those assets. The process dimension is required to be able to detect and stop event-specific threats. These processes would allow the utility to assess operations and management procedures in place.
"Then there is the human dimension to create awareness and instil a culture of security. This applies to all employees, from engineers to clerical staff."
In the technology dimension, there is a three-layer framework, with an application layer, service layer and infrastructure layer. “The application layer is where we have the endpoint devices, such as CCTV, SCADA and teleprotection, powering the applications on the critical infrastructure or the electric grid," explains Chan.
"These devices require communications, which is in the services layer, and it uses different kinds of circuits, or VPNs to connect the remote devices to the data centre or the operations centre. Lastly there is the network infrastructure layer comprised of IP/MPLS routers, optical or microwave transport, and others."
The type of security operated in each layer also varies, Chan says. "Endpoint security is the focus of the application layer, while for the network security the focus is more on data confidentiality, data integrity and service/infrastructure availability."
Cybersecurity safeguards for the network are therefore most effective when they take the network’s complexity into account rather than treating it as a one-dimensional system. According to Chan, "to protect the network, we need to be able to visualise it with three planes - the control plane, where you have the signalling and routing between different network elements; the data plane, where the application traffic and the management traffic traverse; and the management plane, where all the management of the network takes place."
These cybersecurity measures are based on two technology pillars, the network communications pillar and the network governance pillar. "To defend this network, you have the network communications pillar, which basically safeguards the data in the network, whether this is control plane data or traffic information on the data plane. Then, in the network governance pillar, you have the network user profile, network assets and resource access, and configuration. Those also need to be watched."
The human factor
Ahrlich and Chan consider the human factor to be of utmost importance when implementing cybersecurity safeguards on a network. Strengthening the human side of cybersecurity means, for example, intensive training and limiting staff clearance. According to Ahrlich, “An essential way to protect the network and ensure there is a strong control over it is to give the staff only the necessary control they need to fulfil their responsibilities and for what they were trained to do. It is necessary to control the users, administrators, engineers and subcontractors of the network control."
If a breach then occurs with an employee as the entry point, as in the case of the Nokia utility customer in Asia described above, the attacker’s actions are limited to the parts of the network that employee is permitted to control.
"We cannot overemphasise the human defence,” adds Chan. “Network security is becoming more and more intelligent, but humans still play an active role. It is important that employees are always alert to unusual behaviours or patterns."
"For example, when the credentials were stolen in the above example of the Asian utility, the identity access management helped retain access to other systems. The intelligent security management system was able to spot some anomalies of the login hours and durations. Then, as the hacker tried to move across the network, the cybersecurity measures such as the IP/MPLS VPN, network segmentation and encryption would frustrate the hacker.
“We then have malware detection, and at the end the security playbook would facilitate an automatic or semi-automatic response."
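Chan’s point about the identity and access management system spotting anomalies in login hours and durations, as an added example that is not from the article or from Nokia’s products: a small Python baseline detector run over constructed authentication records (the account names, timestamps, durations and log format are made up for illustration).

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample auth records (not from the article): "<ISO time> login user=<id> duration=<min>"
BASELINE_LOG = """\
2024-03-04T07:55:00 login user=ops1 duration=40
2024-03-05T08:02:00 login user=ops1 duration=55
2024-03-06T08:10:00 login user=ops1 duration=45
2024-03-07T09:01:00 login user=ops1 duration=60
"""
NEW_LOG = """\
2024-03-11T08:30:00 login user=ops1 duration=48
2024-03-12T02:15:00 login user=ops1 duration=300
2024-03-12T10:00:00 login user=contractor7 duration=20
"""

def parse_log(text):
    """Turn the log lines into (user, login datetime, session minutes) tuples."""
    records = []
    for line in text.splitlines():
        ts, _, user, duration = line.split()
        records.append((user.split("=")[1], datetime.fromisoformat(ts), int(duration.split("=")[1])))
    return records

def build_profile(records):
    """Per-user baseline: hours the account normally logs in at, plus mean and spread of session length."""
    by_user = defaultdict(list)
    for user, ts, minutes in records:
        by_user[user].append((ts.hour, minutes))
    return {u: {"hours": {h for h, _ in rows}, "mean": mean([m for _, m in rows]), "sd": pstdev([m for _, m in rows])}
            for u, rows in by_user.items()}

def hour_distance(a, b):
    return min(abs(a - b) % 24, 24 - abs(a - b) % 24)  # clock distance: 23:00 and 01:00 are 2 apart, not 22

def flag_anomalies(profile, records, hour_slack=1, sd_mult=3.0):
    """Return (user, time, reason) for logins outside baseline hours, overlong sessions, or unknown accounts."""
    alerts = []
    for user, ts, minutes in records:
        p = profile.get(user)
        if p is None:  # an account with no history is itself worth a look
            alerts.append((user, ts.isoformat(), "no baseline for this account"))
            continue
        if all(hour_distance(ts.hour, h) > hour_slack for h in p["hours"]):
            alerts.append((user, ts.isoformat(), f"login at hour {ts.hour:02d} outside usual hours {sorted(p['hours'])}"))
        limit = p["mean"] + sd_mult * max(p["sd"], 1.0)  # floor the spread so a flat baseline still tolerates jitter
        if minutes > limit:
            alerts.append((user, ts.isoformat(), f"session of {minutes} min exceeds baseline limit of {limit:.0f} min"))
    return alerts
```

The off-hours login with an outsized session is the kind of signal that would trigger the playbook response Chan mentions; the unknown account is reported separately so that a newly created credential does not slip past a baseline-only check.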
Ahrlich adds that, alongside the technological safeguards, intensive staff training to raise awareness of cyber threats is equally important. "At Nokia, every employee must do a security awareness training once a year,” he explains.
“For example, over the last three months, we've had an internal spam campaign, where our own IT department sent spam messages to measure how many employees clicked on it, and it was shocking how unaware we still are. It starts with awareness. The people operating the systems must be aware of how quickly something can go wrong. Even the technical experts such as engineers and administrators, who are not security experts, need to have specific training. The better they are trained, the more experience they have and the fewer human errors will happen.
“Awareness training, expertise training and investment in security technology will greatly eliminate these flaws."