Your browser is not supported. Please update it.

14 November 2019

Utilities must stop cutting corners as cyberthreats rise

Utilities will need to act imminently to combat the rising threat from hackers in the energy sector, with a raft of new reports exposing companies as vastly underprepared. The most recent, titled “Caught in the Crosshairs?” highlighted that only 42% of industry professionals rate their ‘cyber readiness’ as high, while 54% expected an attack on critical infrastructure in their organization within the next year.

This report was authored by Siemens alongside cybersecurity experts Ponemon, who blamed vulnerability on a ‘critical human capital gap’, which has been created through the rapid digitization of the energy sector.

Before March this year, there had been no serious attacks on the renewables sector, and utilities have cut corners as they have rapidly adapted to increase the scale and diversity of their operations. But with a low headcount of cybersecurity professionals in utility companies, smart devices have increased the attack surface, and left systems under-protected, which hackers can exploit.

The greater part of the exposure is in what Ponemon calls operational technology (OT), rather than information technologies (IT), effectively the direct controls which used to be manual, but which are now digital, for turning systems on and off.

This means the safety and security of the renewable energy supply may be compromised, such as seen in 2015 in Ukraine, when electricity supplies were cut off for hours at a time through what was suspected as Russian cyber activity.

Risking access to control systems within wind power and hydro technology may be devastating to the technologies’ ability to withstand load as well as the surrounding environment. “A devastating attack would not only harm the economy, but it could also slow down the rate of electrification.” said Randy Bell, Director of the Atlantic Council Global Energy Center, highlighting that cybersecurity is also essential to reaching climate goals through grid development and renewable technology.

The first cyberattack on the renewables sector came in March on Utah-based sPower, as firewalls crashed, and communications were lost for nearly 10 hours. Analysis from the North American Electric Reliability Corporation (NERC) indicated that an external entity had exploited a known vulnerability in the firewall, allowing an attacker to cause unexpected reboots of devices, causing them to become invisible to the utility.

Following this, NERC has recommended that utilities follow a list of recommendations to reduce the risk of firewall exposure, including reducing the number of internet-facing devices in their systems.

This will almost certainly not be the solution adopted by utilities through the rapid digitization of the sector, and instances of cyber attacks will inevitably become more frequent.

CyberX reported in October that outdated methods have been used for security, despite an increased reliance on the Internet of Things, making utility networks “soft targets for adversaries”. Current regulations do not require continuous monitoring of control networks, meaning unauthorized activity can theoretically go unnoticed, leaving utilities blind to attacks.

Measures are unlikely to be difficult or costly to implement within the scope of a large-scale renewables project, but with low confidence in internal security solutions, utilities will look to outsource cybersecurity measures, including penetration testing. As utilities are dependent on technology from both developers and manufacturers, this will likely spread through the industry, increasing demand for cybersecurity specialists across the energy sector.

Wind turbine manufacturer Siemens Gamesa this week announced a long-term partnership with IT company Infosys to provide an end-to-end IT infrastructure transformation service, which will inevitably entail an overhaul of existing security measures. Similarly, recent investment by the US Department of Energy has specifically detailed allocations of funding to make the renewable sector more resilient to future cyber-attacks.

Studies such as “Caught in the crosshairs” hope to “help utilities benchmark their readiness and leverage best practices to stay ahead of attackers” according to Siemens VP Leo Simonovich, who claims that the utility industry has “woken up to the industrial cyber threat and is taking important steps to shore up defenses”, although it’s unlikely that this will be the last time utilities have to be warned about the risk of hackers.