Defending energy infrastructure from escalating attacks
Cyber attacks are becoming more sophisticated and frequent within the energy industry. Whether it’s a direct attack on a gas pipeline like the Colonial Pipeline breach or a sweeping supply chain intrusion that infects up to a quarter of North American electrical utilities like the SolarWinds attack, the reality is that the next attack is a matter of when, not if.
The attack that kicked off this streak came in 2016, when hackers used malware called ‘Crash Override’ to seize Ukraine’s power grid and briefly black out the capital city of Kiev. In 2018, it was announced that Ukraine was not alone and that the U.S. electric grid, among other critical infrastructure, had been targeted by Russian state-backed hackers as far back as 2016. Then, in March 2020, the European Network of Transmission System Operators for Electricity (ENTSO-E), the organisation responsible for coordinating European electricity markets, was breached in a separate incident.
Only a few months later, UK-based Elexon, responsible for overseeing payments between UK power station operators and the companies that supply electricity to consumers and businesses, was the victim of a ransomware attack that stole important internal data. The intrusion stemmed from a supply chain software vendor, Pulse Connect Secure, which was itself found to be the victim of a massive persistent ransomware attack. Later in 2020, India’s Energy Efficiency Services Limited (EESL), which had just launched an initiative to install 240 million smart meters across the country, faced sabotage of its smart meters that left 160,000 homes without power. The breach was the largest of its kind in India’s history and forced the project to pause its massive rollout.
State-level governments have begun to recognise this worsening national security risk. Officials in the EU have initiated legislation to protect their energy sector, with the proposed bill including increased cyber security requirements for critical infrastructure companies, though each country gets to decide for itself which companies to classify as such. Finland declared more than 10,000 companies as critical infrastructure, while Cyprus designated just 10. Standardising on a single classification with more thoroughly articulated security requirements is advisable. The American government is aware of the worsening threat environment for its energy sector as well, and following a recent memo on the subject from US President Joe Biden, over 150 utilities signed on to deploy new security technologies for their control systems.
Awareness, action and authorisation
These state-level actions, though leaving a bit to be desired regarding consistency, urgency, and enforceability, are steps in the right direction. That said, the measures will not be enough without widespread awareness and action on the part of their partners at the regional and local levels of government. There are two primary lessons that these decision-makers, as well as their equivalents in the private energy industry, ought to keep in mind given the ongoing and escalating series of attacks on energy infrastructure.
The first is that supply chain vendors and organisational insiders can no longer be trusted with system access unless continually authorised. A Ponemon Institute study published in January 2021 found that insider cyber security incidents have risen 47 per cent since 2018 and that the average annual cost of an insider-caused breach also increased, up 31 per cent to $11.5 million. The European Union Agency for Cybersecurity, or ENISA, has reported similarly stark figures about attacks from along the supply chain and expects 2021 to conclude with four times as many such attacks as the year prior.
One of the reasons for the increase in these attacks is that the rapidly scaling connectivity of energy industry endpoints like smart meters has vastly increased the attack surface for these organisations without an equivalent bolstering of security postures. Connected devices are prime targets for advanced persistent threats (APTs), which work by gaining access to the device, exploiting vulnerable endpoints, and injecting malicious code into the non-volatile memory of the device in order to gain persistence that survives a restart or power loss. This persistent presence allows bad actors to take their time and try multiple strategies to get from the device to the network it’s connected to, at which point the hackers can manipulate data, change commands, seize control from operators, or simply lie dormant until the time is right.
Within the energy sector, among the most vulnerable targets for these APT attacks are network assets like advanced metering infrastructure (AMI), which includes newly networked Operational Technology (OT) devices like smart meters that the energy industry is rolling out at dramatic speed. Research from Omdia projects global spending on advanced metering infrastructure to rise to $13 billion by 2023, a nearly 50 per cent increase from 2018 numbers.
Given the vulnerability of legacy OT devices, the nature of APT attacks on these devices, and the diverse sources these attacks have stemmed from, local and regional governments, energy sector decision-makers, and supply chain manufacturing partners must ensure that each device on their network is itself impermeable. One solution is to introduce an embedded software gatekeeper within the flash or non-volatile memory of the networked device that provides a Zero Trust architecture and passive prevention against outsider, supply chain, and insider APT threats by automatically rejecting any change that has not been authenticated by a trusted external server. This Zero Trust, perimeter-less approach prevents persistence and maintains device integrity by stopping bad actors from injecting code into the device’s memory and impacting functionality. It will not stop future hackers from trying to breach the devices and their networks, but it will at least prevent them from achieving any results.
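To make the gatekeeper idea concrete, here is an added illustrative model (not NanoLock’s code or the article’s own): a simulated non-volatile memory whose write path accepts a change only when it carries a fresh authorisation from the trusted server. The shared per-device key, the HMAC-SHA256 tag and the monotonic counter used against replays are assumptions of this example, not details the article gives.

```python
import hmac
import hashlib
import struct

DEVICE_ID = b"meter-0001"                    # constructed sample identifier
SHARED_KEY = b"constructed-demo-key-not-for-real-use"  # assumed per-device secret


class NvmGatekeeper:
    """Write gate in front of simulated flash: unauthenticated writes never land."""

    def __init__(self, size, key):
        self.nvm = bytearray(size)   # simulated non-volatile memory
        self.key = key
        self.counter = 0             # last accepted counter; blocks replayed authorisations
        self.rejected = 0

    @staticmethod
    def message(device_id, counter, offset, data):
        # Bind the tag to this device, this write and its position in the sequence.
        return device_id + struct.pack(">QII", counter, offset, len(data)) + data

    def write(self, offset, data, counter=None, tag=None):
        """Apply the write only if the server's tag is valid and the counter is fresh."""
        ok = counter is not None and tag is not None and counter > self.counter
        ok = ok and 0 <= offset and offset + len(data) <= len(self.nvm)
        if ok:
            expected = hmac.new(self.key, self.message(DEVICE_ID, counter, offset, data),
                                hashlib.sha256).digest()
            ok = hmac.compare_digest(expected, tag)
        if not ok:
            self.rejected += 1       # local, tampered, replayed or out-of-range write
            return False
        self.nvm[offset:offset + len(data)] = data
        self.counter = counter
        return True


def server_authorise(key, counter, offset, data):
    """Trusted server side: issue the authorisation tag for one specific write."""
    return hmac.new(key, NvmGatekeeper.message(DEVICE_ID, counter, offset, data),
                    hashlib.sha256).digest()


def demo():
    gk = NvmGatekeeper(64, SHARED_KEY)
    firmware = b"FW-v2"
    tag = server_authorise(SHARED_KEY, 1, 0, firmware)
    results = {
        "authorised": gk.write(0, firmware, 1, tag),     # legitimate server-approved update
        "unauthenticated": gk.write(8, b"\x90" * 4),      # insider or malware writing directly
        "tampered": gk.write(0, b"FW-v3", 2, tag),        # payload altered after authorisation
        "replayed": gk.write(0, firmware, 1, tag),        # old authorisation presented again
    }
    return results, bytes(gk.nvm[:5]), gk.rejected
```

Only the server-authorised write reaches memory; the other three paths are refused and counted, which is the "passive prevention" the text describes.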
It should be clear by now that the energy industry is a significant target for hackers eager to intrude into the vast number of vulnerable targets that utilities keep rolling out, either for financial or geopolitical leverage. Public and private stakeholders have started to take notice of this worsening threat landscape, but lest we be left in the dark, local, regional, and state-level governments need to act immediately to protect their energy infrastructure – and thereby their constituents – from the effects of cyber attacks.
Written by Sagi Berco, VP of Research & Development, NanoLock Security & David Stroud, GM of Europe/APAC, NanoLock Security.
Sagi Berco, VP R&D of NanoLock, has over 20 years of experience in cyber security and technology management. Formerly, Sagi worked in the Israeli Intelligence community.
David Stroud is NanoLock’s GM of Europe and APAC, overseeing strategic partnerships in Europe and APAC. Based in NanoLock’s UK office, Stroud is an industry-recognised leader with over 15 years of deep international experience, along with direct expertise in the energy and metering sector – including through his successful tenure as executive director of EDMI Europe, a leading smart metering solution provider, and as general manager of Advanced Metering Services, New Zealand’s largest metering provider.