The march towards an intelligent grid and decentralised energy model is occurring at a time when the threats to security have arguably never been greater nor the stakes higher.
The convergence of information and operational technology (IT, OT) systems that this demands and which is currently trending in the industry to enable access to real-time data and to interconnect facilities, is creating both new attack vectors and broader attack horizons. Terrorism, the ability to launch attacks from anywhere in the world and the growing presence of nation states as attackers is bringing a new level of sophistication to the global threat outlook.
These developments are bringing a whole new set of challenges to security in the sector, which we investigate in the live podcast ‘Substation for sale - is the grid up for auction?’
Grid under threat
An example of the impact of IT/OT convergence is that substation systems that were previously closed in many respects are now linked and exposed to all of the risks that have existed in the IT space for years. And as demonstrated in a recent ‘honeypot’, individuals or groups looking to exploit these new-found vulnerabilities are ready to take advantage of this exposure.
In that exercise, the honeypot was set up to masquerade as a transmission substation of a major electricity provider. Within two days of going live, it had been discovered by attackers, the asset prepared for sale and sold on to another criminal entity also interested in industrial control system environments.
In this case, the attackers were not considered ‘upper echelon’ due to aspects of their approach. Nevertheless, within two days “[they] got into the environment and conducted reconnaissance aimed at finding an entry point from the IT environment to the OT environment, which is really what they wanted,” said Israel Barak, CISO of the US-based security company Cybereason, which set the honeypot.
The impacts could be even more widespread. According to a recent report in Spiegel, a study prepared for the government by Germany’s Cyber Defense Centre, apparently confidential until now and made available to the news organisation, has suggested that a series of targeted attacks against power providers could cascade into a Europe-wide blackout across the interconnected system.
IT and OT convergence is not in itself the problem; rather, the profoundly different priorities of the two domains have created a discontinuity in the security space.
The priority of IT is to protect data and the IT evolution has seen tools, practices and procedures put in place to shield IT systems from cyber attacks.
In the OT space the main priority is to protect the asset base and its associated operations. In practice, however, this has meant minimal effort or change in OT cybersecurity, since production would almost certainly have to be taken offline to make such changes.
This production loss and the associated loss of revenue, combined with the cost of designing and implementing the necessary solutions, have left OT systems significantly behind IT systems in addressing cybersecurity threats.
OT security requirements
In designing cybersecurity solutions, the energy sector OT environment presents some specific challenges that are less likely to be encountered in IT and need to be taken into account. One is the presence of legacy assets that were designed or installed at a time when cybersecurity was of lesser significance. Another is that OT assets are expected to be deployed for periods of years and need to be future-proofed for security.
“Patching is an example of the challenge in this domain and for an OT system the process is complicated and even dangerous as pinging it could lead to collapse,” Anjos Nijk, Managing Director of the European Network for Cybersecurity (ENCS), commented to Engerati in an interview in which he highlighted ‘future-proof architectures’ as one of the organisation’s current top priorities.
Other OT priorities Nijk mentioned are supply chain security and risk quantification for OT systems and critical infrastructures, where current methods and data are insufficient to make well-founded decisions on investments.
Other issues that solutions need to address – and which will also be discussed in the Engerati Meet on Cybersecurity – include finding weak points before they are exploited, tracking assets and managing configuration control. Just as real-time visibility of assets is becoming key to the intelligent grid, so too is real-time operational awareness key to securing those assets.
In the live podcast, we critically assess the industry’s journey to cybersecurity, whether the grid is evolving quickly enough to protect itself from severely damaging attacks, and who carries the cost burden of securing this critical infrastructure.