Electric power systems in the 21st century – the evolution of threats
Until recently, physical and natural hazards were the greatest, if not the only, threats to the proper functioning of energy systems. With the advent of smart grids and automated devices, power generation and distribution have become attractive targets for cyber attacks that can disrupt them.
The year 2010 was particularly difficult for Polish power engineers, as weather conditions caused icing of power lines, which came down one after another. The first serious failure occurred in January of that year in the Świętokrzyskie region, when more than 25,000 households were left without electricity. The weather made itself felt again at the end of December, when, once more because of ice on the lines, a failure affected almost all of northern Poland. Overhead ground (lightning protection) wires turned out to be especially susceptible to failure, and they were frequently the first stone in an avalanche of events.
At that time, physical threats were more dangerous than cyber attacks. Only a few months had passed since the attack on the uranium-enrichment centrifuges at Natanz, Iran, and the world was only beginning to become aware of the economic effects of cyber attacks.
Network reliability and its dependence on AI
The future for most industries looks much the same: maximizing the automation of processes and of event management, i.e. introducing algorithms and artificial intelligence to eliminate human error. The algorithms created and deployed today are not only able to react to a problem; they also hold knowledge of past events and, on that basis, can analyse current trends in behaviour and in the parameter levels of individual elements. This allows processes to be controlled in a way that prevents dangers from developing. Each new case is analysed on an ongoing basis so that it can feed the algorithm's database and thus improve it.
The same process is currently under way in the power industry, which is likewise moving towards the integration of all system elements into one dynamic and, at the same time, harmonious organism.
The energy cyber-organism
Sensors and industrial automation components in transformer stations, at critical points of transmission networks and in power plants are becoming increasingly integrated and interdependent. Added to this are the control of consumption points (smart meters) and the algorithms optimizing power flows in the network. Such a process requires skilful configuration of the data network connecting all these elements and controllers (details in the article: Segmentation of network in the protection of industrial systems) and extraordinary care in protecting the whole network against cyber attacks.
The weakest link in this ecosystem remains the human, as is emphasized at almost every level of network security and of the operating elements within it. The most common attacks are still phishing: e-mails with malicious attachments which, once opened, give attackers access to the network where the infected computer sits, or cause various kinds of damage to the IT network. However, such an attack is noisy and easily detected, and it usually does not give attackers long-term access to the victim's systems.
Attacks in which access to the power network management systems is gained gradually, for example starting from the company's Wi-Fi network or from the access held by service technicians who maintain transformer station or power plant components, may be more effective.
Hackers enter through the back door
Each gap in the seemingly uniform security structure may be the start of a chain of problems leading to loss of electricity supply or degradation of the grid's quality parameters, by shutting down or even permanently damaging equipment. The longer attackers hold unauthorized access to the IT networks and power network control systems, the more time they have to prepare more sophisticated actions, and the more surprising the eventual attack may be.
The best-known example is the Stuxnet malware, widely attributed to a joint Israeli and US operation, which damaged Iranian uranium-enrichment centrifuges. The malware fed the monitoring systems recorded normal readings while the equipment was simultaneously driven to extremes that caused the damage. It is not difficult to imagine an attack in which the administrator of a power grid management system receives correct indications of the operation of the devices, while at the same time deviations in the network parameters are damaging the transformers. If the attack is properly prepared, some transformer station controllers will not react either, because they too will receive correct indications of current, voltage, synchronization or temperature, although the reality will be completely different. It would be a complicated operation, but is it impossible?
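The defence that follows from this scenario is not to trust a single measurement path: the value shown on the HMI comes from the same controller an attacker may have compromised. The following Python is an added example (not code from the original article) that cross-checks the operator-visible readings against a separately wired sensor and flags two symptoms of a Stuxnet-style blinding attack: the two channels diverging, and the HMI stream staying suspiciously flat while the independent sensor moves. All readings, thresholds and names are constructed for illustration.

```python
"""Cross-check HMI telemetry against an independent measurement channel.

Added example, not code from the original article. The sample readings, the
thresholds and the function names are constructed for illustration.
"""

# Constructed sample: ten consecutive readings (one per second) of a transformer
# winding current in amperes, as shown on the HMI (fed by the possibly compromised
# PLC) and as measured by a separate current transformer on an independent path.
HMI_CURRENT = [402.0, 401.5, 402.3, 401.8, 402.1, 401.9, 402.0, 402.2, 401.7, 402.0]
INDEPENDENT_CURRENT = [403.1, 404.0, 470.5, 548.2, 631.0, 702.4, 780.9, 855.3, 922.6, 990.1]


def divergence_alerts(hmi, independent, tolerance):
    """Indices at which the HMI value and the independent value differ by more than `tolerance`."""
    return [i for i, (h, s) in enumerate(zip(hmi, independent)) if abs(h - s) > tolerance]


def looks_frozen(series, min_spread, window):
    """True when the last `window` samples span less than `min_spread`.

    A real process under steady load can legitimately be this stable, so flatness
    alone is only a hint; it becomes a finding when the independent channel is not flat.
    """
    tail = series[-window:]
    return len(tail) == window and (max(tail) - min(tail)) < min_spread


def check_channel(hmi, independent, tolerance=50.0, min_spread=5.0, window=8):
    """Return a list of findings for one measured quantity; an empty list means the channels agree."""
    findings = []
    diverged = divergence_alerts(hmi, independent, tolerance)
    if diverged:
        findings.append(f"hmi/independent divergence beyond {tolerance} at samples {diverged}")
    if looks_frozen(hmi, min_spread, window) and not looks_frozen(independent, min_spread, window):
        findings.append("hmi stream is flat while the independent sensor is moving (possible replay)")
    return findings


if __name__ == "__main__":
    for finding in check_channel(HMI_CURRENT, INDEPENDENT_CURRENT):
        print("ALERT:", finding)
```

In practice the independent channel must really be independent: a second sensor read through the same PLC, or a second HMI fed from the same historian, adds nothing. The comparison belongs in a system the attacker is unlikely to control, such as a protection relay with its own measurement or a monitoring host on a separately segmented network.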
One step ahead of the attackers
To ensure the security of energy systems, the following activities are particularly important:
At the planning, construction, and development stage of the system:
- procurement of appropriate network infrastructure elements together with the components of the cybersecurity system,
- control of the hardware and software supply chain, so that intentionally modified elements cannot be used to gain unauthorized access to the infrastructure (Cybersecurity Bill of Materials),
- segmentation of IT networks,
- minimizing the number of services, protocols, and ports that are run,
- building competence and threat awareness in the organization through regular cybersecurity training for employees (security awareness),
- training in information security, raising awareness of the consequences of publishing or transmitting potentially sensitive data whose use may support a cyber attack against the company.
Maintenance of networks and systems:
- use of a threat intelligence service: ongoing tracking of information about new forms of threats, planned attacks and malware under preparation, with regular updates of firewall rules and software upgrades,
- monitoring, control, and inventory of the equipment, software, and tools introduced into the network,
- testing of the IT network and its security through regular pentests and red team operations,
- procedures for granting, revoking and modifying network access for the company's own employees as well as for customers, suppliers and external service providers,
- a credential policy at all levels of access (note that current guidance such as NIST SP 800-63B favours long, unique passwords and multi-factor authentication, with forced changes on suspected compromise rather than on a fixed schedule; default and shared service-technician credentials on devices must be changed as a matter of course),
- control of the company's publicly available data (OSINT).
This is continuous work, thanks to which cybersecurity systems and procedures will stay at least one step ahead of the attacks.
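Three of the items above, supply chain control, minimizing exposed services, and inventory of what is on the network, reduce to one recurring check: compare what a scan of the OT segment actually shows against the approved baseline. The following Python is an added example (not code from the original article) that parses a constructed scan listing and reports unknown hosts, hosts that have gone missing, MAC address changes (a possible unauthorized device swap) and open ports that are not on the allow-list. The inventory, addresses, ports and scan format are all constructed for illustration.

```python
"""Baseline check of hosts and open ports on an OT network segment.

Added example, not code from the original article. The approved inventory, the
scan records, the addresses and the port allow-lists are constructed for illustration.
"""

# Constructed approved inventory for one substation segment.
# 502 is Modbus/TCP, 22 is SSH for maintenance, 3389 is RDP on the HMI workstation.
APPROVED = {
    "10.20.1.10": {"name": "rtu-01", "mac": "00:1a:2b:3c:4d:10", "ports": {22, 502}},
    "10.20.1.11": {"name": "rtu-02", "mac": "00:1a:2b:3c:4d:11", "ports": {502}},
    "10.20.1.12": {"name": "rtu-03", "mac": "00:1a:2b:3c:4d:12", "ports": {502}},
    "10.20.1.20": {"name": "hmi-01", "mac": "00:1a:2b:3c:4d:20", "ports": {3389}},
}

# Constructed scan output, one host per line: "ip mac comma-separated-open-tcp-ports".
# A lone "-" in the ports column means no open TCP ports were found.
SCAN_OUTPUT = """\
# ip           mac                open tcp ports
10.20.1.10   00:1a:2b:3c:4d:10   22,502
10.20.1.11   00:1a:2b:3c:4d:11   80,502
10.20.1.20   00:1a:2b:3c:4d:99   3389
10.20.1.77   00:1a:2b:3c:4d:77   23
"""


def parse_scan(text):
    """Parse the constructed scan format into {ip: {"mac": ..., "ports": set(...)}}."""
    observed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, ports = line.split()
        port_set = set() if ports == "-" else {int(p) for p in ports.split(",") if p}
        observed[ip] = {"mac": mac.lower(), "ports": port_set}
    return observed


def audit(approved, observed):
    """Compare observed hosts against the approved baseline and return structured findings."""
    findings = {"unknown_hosts": [], "missing_hosts": [], "mac_mismatch": [], "unexpected_ports": {}}
    for ip, seen in observed.items():
        expected = approved.get(ip)
        if expected is None:
            # A device nobody registered: rogue equipment or an undocumented change.
            findings["unknown_hosts"].append(ip)
            continue
        if seen["mac"] != expected["mac"].lower():
            # Same address, different hardware: possible device swap or spoofing.
            findings["mac_mismatch"].append(ip)
        extra = seen["ports"] - expected["ports"]
        if extra:
            # Services beyond the allow-list widen the attack surface.
            findings["unexpected_ports"][ip] = sorted(extra)
    for ip in approved:
        if ip not in observed:
            findings["missing_hosts"].append(ip)
    return findings


if __name__ == "__main__":
    for category, items in audit(APPROVED, parse_scan(SCAN_OUTPUT)).items():
        if items:
            print(f"{category}: {items}")
```

Run this from a monitoring host that is allowed to reach the segment and treat every non-empty category as a ticket: an unexpected Telnet listener on an unknown host, or a known address answering from a new MAC, is exactly the foothold the gradual-access attacks described earlier start from.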