The global energy sector has been amongst the top focus area for targeted cyber-attacks in recent times. As cybercrimes turn more complex and destructive in nature, utility companies need to become more alert, intelligent and nimble-footed for combat. Find out why.
Recently, the world woke up to its largest cyber-attack ever, the WannaCry Ransomware attack which impacted public institutions, healthcare services, private corporations, governments and even universities across 150 countries. This attack has put the spotlight on the increasing need for cyber security in critical sectors such as transportation, communication, utilities and energy.
The vulnerability of the energy sector to cyber-attacks could affect the integrity of operation systems, disrupt supply, plant and machinery breakdowns, breach information systems, manipulate controls, corrupt data, lead to theft of intellectual property, financial and private data, etc. It is a serious problem because a cyber-attack on the energy sector also poses a huge risk to national security.
But what does an attacker gain by hacking the energy sector? Typically, valuable information like maps of new gas fields, power plant designs, and consumer information. Many attacks do not generate direct profits for the attacker but are aimed at large-scale sabotage leading to heavy financial losses. State sponsored agents, competitors, internal attackers or hacktivists are the most likely authors of such sabotage attacks.
“Power plants and power grids are becoming attractive targets for hackers, for the sheer number of people that can be affected and the degree of damage to be inflicted. Large centralized energy infrastructures are particularly at risk due to the domino effect that an attack on a nuclear, coal, or oil plant might have,” says Didier Sire, Head of Sectoral Programmes, World Energy Council.
For instance, in 2015, hackers entered the computer and SCADA systems of the Ukrainian electricity distribution company Kyivoblenergo and disconnected seven 110 kV and twenty-three 35 kV substations, causing a three-hour outage for around 80,000 customers. The systems of the company were manipulated by the attacker to show wrong values which lead to faulty operations. This was the first publicly acknowledged cyber-event impacting an entire country's power supply.
Similarly, in 2012 a virus called ‘Shamoon’ attacked Saudi Aramco (a state-owned group that runs all of Saudi Arabia’s oil production). The virus damaged approximately 30,000 computers through malware infestation and destroyed 85% of the hardware on the company’s devices. It is believed to have not just targeted Saudi Aramco as an entity, but the country's entire economy.
A multi-country study by the Ponemon Institute LLC has pegged the average cybercrime cost in the utilities and energy sector at USD 12.8 million. According to news reports, by 2018, oil and gas companies globally could face costs of up to USD 1.87bn in cybersecurity spending in an effort to protect themselves against cyber risks. In Europe alone, consulting and testing services associated with cyber security at utilities were expected to be USD 564 million a year, by 2016.
Unplugging cyber crimes
But why is the energy sector vulnerable to such attacks? According to a report by the World Energy Council, ‘the increasing inter-connection and digitisation of the energy sector (including smart grids, smart devices and the growing internet of things) and its critical role in the functioning of a modern economy make the energy sector vulnerable to cyber-attacks aimed at disrupting operations. Although digitisation increases efficiency in the industry, growing inter-connection also raises the complexity of cyber-risk management.’
Jonas Blomqvist, General Manager, Cyber Security ES, Cyber Operations, Wärtsilä explains, “The biggest threat for the energy systems is the integration of IoT (Internet of Things) to the energy system assets, since a major part of actual equipment is outdated and designed for standalone operations with no consideration for integration to Customer Relationship Management, Operational Planning Systems, Enterprise Resource Planning, financial or cloud based eco-systems.”
As power companies automate their Industrial Control systems (ICS), they are becoming more vulnerable to such attacks. According to a report by leading Cyber Security company Symantec, ‘energy utilities are becoming ever more reliant upon the flexibility and responsiveness that smart energy systems provide and therefore face mounting increases in the scale and range of threats.’
According to the world energy council, in 2015 alone 80% of oil and gas companies saw an increase in the number of successful cyber-attacks. Experts say the energy sector can insulate itself from this high-risk environment by viewing cyber security not just as a technology related threat but as a core, organization-wide risk. That’s the approach that large global players like Wärtsilä are also taking.
Wärtsilä is building capabilities and knowledge in and around cyber security by aligning personnel training, development of products and solutions around international approved standards and frameworks, such as IEC-62443, NERC CIP and NIST. It is also controlling lifecycle management within several areas of ICS like system patching, system hardening, malware protection, Security Development Lifecycle reporting and ICS network zoning and segmentation.
“Wärtsilä has developed different levels of corporate-wide in-house cyber security training programmes across all functions. These trainings are about building cyber aware personnel and enabling them to identify and report any abnormal or suspicious cyber threats in a fast and controlled manner independent of their working environment, location or position,” says Blomqvist.
People are the most valuable asset in defeating Cyber Security threats. That’s because ‘human error’ has been identified as a key factor in the success of cyber-attacks these past few years. As the number of connected systems, networks and distributed management technologies grow the risks of cyber-attacks are expected to increase further. That means that the energy sector needs to protect and secure itself even more in the days ahead.