Digital security experts Tim Callan and Jason Soroko speak to NS Energy about the cyber threats posed to energy grids, and what the industry can do to address them
Energy grid cyber security is an increasingly important issue facing the industry, as operations become ever-more digitally connected and the techniques used by cyber criminals get increasingly sophisticated. Here, NS Energy speaks to experts Tim Callan and Jason Soroko from US digital security specialist Sectigo about the threats posed to power grids and what companies can do to combat them.
It was late in the afternoon two days before Christmas 2015 when hundreds of thousands of Ukrainians found themselves without power to heat their homes or light their streets.
Hackers had infiltrated the IT networks of three power distribution centres in a “synchronised and co-ordinated” attack on the country’s critical energy infrastructure, hijacking control of the breaker switches and then covering their tracks on exit with malware known to cyber security experts as KillDisk.
The incident was the first confirmed case of a cyber-attack on a national energy grid, and while the culprit has never been formally identified, Ukrainian officials were quick to point the finger at their neighbours in Russia.
Tensions, after all, were running extremely high at the time, given it was only a year earlier that Moscow had mobilised to annex Crimea from its former Soviet ally.
Energy industry needs to get ‘savvy and paranoid’ about grid cyber security
Some have suggested the episode was a Kremlin intimidation tactic, designed to send a message to Ukraine’s leadership – and perhaps the rest of the world – about Russia’s capacity for industrial sabotage.
Whatever the truth, the blackout confirmed what the cyber security community had suspected for some time – that energy grids, and the companies that serve them, are vulnerable targets for hackers, regardless of motive or agenda.
And, given the potential consequences of a wider-scale blackout than the outlier incident in Ukraine for public safety and national security, it’s time for energy companies to “understand viscerally” they are attractive prizes for cyber criminals.
That is according to Tim Callan, a senior fellow at US digital security firm Sectigo, who says the same layers of protection being adopted by financial institutions to guard the global economic system need to be made commonplace throughout the energy industry.
“These companies need to get as savvy and as paranoid about their computer systems as any major bank is,” he urges.
“Energy firms need to really understand viscerally that they are an attractive cyber target. They may not have thought of themselves that way traditionally, and maybe once upon a time they were not – but today they are.
“Are our grids up to the same standards that other parts of our critical computerised networking infrastructure are? It’s honestly a mixed bag on that.”
Energy security threats are no longer just ‘physical’ concerns
For an industry that in many cases pre-dates computers, the scale and pace of change in how operational security needs to be considered in the modern era may appear a daunting prospect.
Where once the physical security of infrastructure like pipelines, transmission lines, valves and other equipment was of ultimate importance, the digitisation of energy systems and skyrocketing appetite for data now demands greater emphasis on things such as computer network security.
In other words, the industry needs to stop thinking about “threats” in just physical terms.
Callan says: “If you think about the energy grid, this is old, old infrastructure. You have some companies that in principle may go back to the 1800s.
“Of course, back then there was no computerisation – there were no computers.
“So what you have is an industry that thinks about security and safety in a very different way.
“If I’m PG&E out in California, my definition of security is ‘how do I not start a forest fire that burns down a city and kills 100 people?’ – that’s where their heads are at.
“But now all of a sudden, all of this is completely interwoven with our modern-day computer systems, to the point where you can’t keep the lights on without keeping the computers working correctly.
“So we have an industry that in a lot of ways needs an upgrade.
“It is now as computerised as any other, and the consequence is that all the same ways a bad guy can use techniques to attack the computers inside a large enterprise to steal credit card or customer data, or employee tax IDs, can be applied to a different end result – and that might be to make the power go out.”
Rise of automation poses new challenges to energy grid cyber security
As a former consultant to firms like Duke Energy, Chevron and ConocoPhillips, Sectigo’s internet of things CTO Jason Soroko knows his way around the energy industry, and has seen first-hand these issues in practice.
In his experience, the industry’s approach to computerisation has been to place the emphasis “absolutely on uptime and reliability” – and the result has been an “amazing” feat of keeping power systems running 24/7, 365 days a year for many decades.
The problem these days, he suggests, is the new breed of “automation systems”, which ask the computers to do “a lot of communication outside of traditional networks”.
“Firms are being asked to get more and more operational data out of those systems,” Soroko adds, “so you now have ‘hostile’ networking environments connected to these ‘critical’ ones. And demand for that is increasing.”
Hunger for data is driving digitalisation of energy systems
The clamour for real-time, granular data is growing exponentially across all industries, and energy is no exception.
Fast and accurate information can improve efficiencies, predict maintenance issues and ultimately add value to a product – whether it be in wind turbine performance or oil exploration.
“Think about a natural gas well in the middle of Alberta, Canada,” says Soroko.
“It is regulating enormous amounts of natural gas coming out of the ground, and is having to make decisions autonomously about which pipelines the gas particles are going to be pumped into, based on factors such as pressure or the amount of sulphuric acid within it.
“This is all computerised and automatic.”
And while that computerised system might be fairly geographically isolated in the vastness of Alberta, a maintenance worker in a hi-vis hard hat and jacket may still need to visit it and connect his laptop from time to time, just to check everything is running smoothly.
A besuited New York stock trader may require real-time information on the quality of the gas, or perhaps a weary analyst back at main office may need to monitor sulphur levels to plan out operational schedules or commodity pricing.
The myth of the ‘air gap’
All these interactions with the network add up, and before you know it you’ve got “at least half a dozen people interested in connecting to that operational data in real-time”.
“And that’s true for just about anything in the industry,” says Soroko.
“The big ‘but’ to all of this is that as soon as you make those connections, as soon as you’re distributing data in two directions, the physical ‘air gap’ is gone – the system is now connected to all kinds of networks and that brings all kinds of vulnerabilities.”
The “air gap” Callan explains, is a concept referred to in IT circles to mean a physical separation between networks performing a critical function and the public internet, in theory protecting it from intruders or malware.
“The problem,” he says, “is that it isn’t really real anymore, because somewhere along the line you’ve got computers running your network grid that have to be connected to the outside world because you’re using public cloud services, or software-as-a-service.”
Who is trying to ‘turn off the lights’?
So what are the risks faced by energy companies, and who exactly is trying to turn off the lights? As with most things, it’s not a simple question to answer.
Callan identifies three common sources of threat in these industrial-scale cyber-attacks: Profiteering criminals looking for a quick pay-day, state-sponsored actors as suspected in the Ukraine incident, and lastly “good old-fashioned vandalism”.
In either case, he says, the methods used often follow a similar formula – which is the good news for energy firms because it means the safeguards they can deploy are already well-established.
A cyber criminal looking to make a quick buck will use ransomware to demand money in return for not causing any further harm, for instance.
And the vandals just looking to sow the seeds of disruption – “the direction this will go, as it inevitably does” – will simply recycle the lines of code already used by their forerunners.
There is even a term for it. A “script kiddie”, meaning someone who uses existing computer scripts or codes to hack into computers, lacking the expertise to write their own.
Energy grid security the latest target in ‘evolution’ of cyber warfare
The question of state-sponsored cyber warfare is slightly more opaque and complex, but perhaps not that surprising given the political leverage control of a power grid could offer to a hostile actor.
Callan says: “If you wanted to cause a lot of heartache – a lot of economic harm, damage to morale and even physical problems, massive blackouts are a great way to do it.
“If I knew that I could turn out your lights whenever I wanted, I might be more aggressive in how I dealt with you in other ways, because I always know I have that in my back pocket.
“It’s an interesting evolution of cyber warfare, where this is something you can hold over somebody’s head.”
In the example of Ukraine, a post mortem investigation conducted by several US government agencies found the attacks occurred following “extensive reconnaissance of the victim networks” – meaning the hackers had already done their homework and were likely embedded in the networks long before the event took place.
These “advanced persistent threats” (APTs), as security specialists refer to them, do a lot of prep work before taking action, testing out their chances of success for infiltrating a specific computer system and placing “booby traps” and backdoors to improve future access.
Texas recently passed legislation to improve energy grid cyber security
The upshot of this is that some networks might already be compromised, and their hijackers are just biding their time for the right moment to reveal their presence.
In these cases, there may not be much a company can do, except to learn from the experience and put in place measures to prevent it from happening again.
Callan says: “Part of what utilities and governments must do is make sure they are hardened enough to these kinds of attacks once they are available to anybody, so it isn’t going to be causing them trouble day in and day out.
“It is only a matter of time before things reach the level where it is well-understood how to go after a utility.”
Of course, when it comes to matters of national security, the energy industry would be right to expect government help in protecting itself from such dangers.
Callan points to “unprecedented” legislation passed in Texas last year, which many in the cyber security industry believe to have been in direct response to “one or more known potential threats” targeting power grids.
Two bills were passed in the state: The first to promote information sharing and collaboration between utilities on matters of cyber resilience, and the other to establish a funding mechanism for the development of best-practice state-wide coordination on energy grid security measures.
“It was the first time a government felt it needed to dictate what energy companies have to do in order to maintain a minimum level of security,” he adds.
What can energy companies do to improve grid security?
Given the scope of the threat and sheer number of potential vulnerabilities as computer systems in the energy industry grow ever bigger and more intricate, businesses may be forgiven for feeling overwhelmed by the size of the security challenge ahead of them.
But there is good news here, according to Callan, because the tactics to halt these cyber-attacks in their tracks have been well developed and refined over recent decades.
He says: “Cultural change is an important first step that can lead to adopting new initiatives around cyber security, and making sure companies have the right personnel in place — such as a CSO or CISO.
“If they don’t have one of these, they probably should.
“As that is done, the good news is that the actual cyber-attack vectors are very similar to things that are very well understood, with well-developed playbooks, and great consultants, techniques and products that have existed for a long time.
“So the exact same ways that somebody is getting in that bank and sending a wire transfer, or stealing plans from inside a manufacturer are the same as the ones people are using to try to put Trojans in your energy grid so they can sabotage you.
“The defences against these threats are state-of-the-art and available to the energy companies that seek to embrace them.
“This industry has solved a certain set of problems very well, but what’s happened is the landscape of the world has transformed – and now is the time to become more aware of it and make the changes.”
After all, “outages are outages, and outages are bad”.