Why is the energy sector so vulnerable to hacking?
Highly-targeted energy companies often struggle to attract the right cyber security skills and rely on dated systems
Cyber attacks by financially motivated criminal gangs on national and multinational energy companies have been much in the news. Indeed, over the past decade hacking of power generators, utilities, grid and pipeline operators by criminal gangs based in Russia, Ukraine, China, Iran, and North Korea have been reported. Targets have included Npower in Europe, the Texas Power Grid and most notably, in May, Colonial pipeline, which reportedly paid a $5 million ransom to Darkside, a Russian based cyber gang, to quickly restore fuel supplies to the US East Coast. Before that, in January, a cyber security incident caused a mysterious drop in frequency in the synchronised European high-voltage power grid, resulting in a series of blackouts in Balkan states.
The energy sector has been the leading target for cyber criminals, accounting for at least 16% of officially known attacks, according to cyber security firm Hornetsecurity. Experts at the American energy lobby group Edison Electric Institute, meanwhile, report “an uptick in attempted attacks” in part related to the COVID-19 pandemic and remote working.
Attraction of energy companies to cyber criminals and state actors
Plainly put, “energy is seen as a rather unethical industry to younger generations (most cyber hackers are young) and cynically, they know they have money and are likely to pay out to continue operations,” claims George Patterson, director of Oxford-based cyber security recruitment specialist Arrowforth. On a similar note, Kristin Bryan, senior associate at law firm Squire Patton Boggs (UK) observes, “given the reliance of individuals on these critical sectors and the interrelatedness of global supply chains, a cyber attack against companies in this area is a high-impact event, incentivising impacted companies to quickly pay a ransom”. Nor does it help that it can be cheaper and quicker to pay the cost of the ransom through the company’s cyber security insurance policy than take expensive measures to recover the data themselves.
Beyond the financial attraction of targeting the energy sector, is the fact that energy companies are late adopters of digitisation, cloud computing and functional software such as operational and business billing software. They therefore often lack a corporate culture of cyber security as well as the necessary skilled and experienced technical staff. In addition, Bryan observes that “several firms within the energy sector rely on dated control systems that cannot be updated easily and have significant vulnerabilities to the sophisticated nature of many cyber attacks today”.
The expansion of the power networks and increasing digitisation, caused in part by the mass deployment of distributed infrastructure. With wind and solar on the supply side and electric vehicles (EVs) on the demand side, plus the power lines and smart meters that connect them, the attack surface of the energy system is greatly increased.
IT Pro 20/20: Using technology to create a better future
Issue 21 of IT Pro 20/20 looks at the newest innovations and projects shaping our interactions with the world around us
The new technologies lie well outside the core competencies of energy companies, leaving their HR departments to search for staff in an unfamiliar and highly competitive pool of cyber security skills. Until these positions are filled, these organisations are extremely vulnerable to attack. Indeed, a 2020 Department for Digital, Culture, Media and Sport (DCMS) study found there is a significant cyber security skills shortage, with about 653,000 businesses (48%) having a basic skills gap. Around 408,000 businesses (30%), meanwhile, have more advanced skills gaps in areas such as penetration testing, forensic analysis and security architecture.
The lack of sufficient cyber security measures in power grid command and control systems, billing software, distribution and monitoring systems caused by introducing 5G as well as the adoption and installation of industrial Internet of Things (IoT) systems is not helping matters.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Typical causes and potential impact of cyber incidents
In the past five years, the energy sector has been subject to numerous hacking attempts. These include attacks on Saudi Aramco’s refineries in August 2017, the Russian power grid in August 2019 and the 2021 attack on the Colonial Pipeline fuel supply network. All these incidents caused disruption to energy supplies.
As for the future, a 2020 report from the IEEE warned that a targeted attack on personal EVs and fast chargers, using publicly available data, could cause disruptions to local power supplies. An earlier study from Princeton researchers, published in 2018, demonstrated the potential for high-wattage IoT devices, including air conditioners and heaters, to launch region-wide coordinated attacks on the power grid. This would result in local load shedding – more commonly known as power supply failures – and even large-scale blackouts. These impacts make security of operational and control systems paramount.
Protective measures
Power generators, grid, transmission and distribution networks, pipelines and utility companies are the lifeblood of the modern economy, and it is therefore incumbent upon them to operate 24/7. This means they must take responsibility to protect themselves against hacks, but at the same time, they can expect the support of both law enforcement agencies and other government departments to resolve ransomware attacks and other cyber incidents.
For example, protective regulatory measures such as standards and certification to protect IoT technology and power grids have been introduced in North America by the National Institute of Standards and Technology (NIST) and the EU has formulated a cyber security strategy. Texas and California have devised their own standards and protective measures, whilst the UK has dedicated Critical National Infrastructure (CNI) offices within government.
There’s a need for the energy sector to share knowledge and information of such attacks better. “Part of the difficulty in this area is that aside from the well-publicised cyber attacks, companies usually do not publicise information about the type of cyber threats they experience,” says Bryan. “ This makes the decision-making process difficult in terms of what to prioritise, due to the incomplete data available to stakeholders. Collaboration would help address this challenge.”
Even so, some resolute cyber security teams have fostered collaboration and information sharing, devised pro forma reactive steps for an incident and set cyber protection measures in operational technology networks for the grid. Additionally, German regional power grid operator TenneT, European utility E.ON Group and British grid operator National Grid, are introducing public key infrastructure, an identity-based security tool that cannot be compromised and has become increasingly purpose-built and easy to use over time.
IT Pro 20/20: Using technology to create a better future
Issue 21 of IT Pro 20/20 looks at the newest innovations and projects shaping our interactions with the world around us
Securing networked operations with highly trained and experienced cyber security staff and compliance with standards, as well as winning certification of operational and connected systems, all help to reduce the industry’s vulnerability to cyber attacks.
The rising occurrence of cyber attacks, the increased sums demanded in ransoms and the pivotal place of energy have encouraged both government regulators and energy companies to introduce measures and standards to protect against cyber gang attacks.