November 22, 2022


Securing the world’s energy systems: Where physical and cyber security must meet

Energy has become the new battleground for both physical and cyber security warfare, driven by nation state actors, increasing financial rewards for ransomware gangs and decentralised devices. Chris Price reports.

The physical threat to the world’s Critical National Infrastructure (CNI) has never been greater. At least 50m of the Nord Stream 1 and 2 underground pipelines that once transported Russian gas to Germany were destroyed in an attack in late September, though it remains unclear who is to blame.

More recently, Russia has also shifted its war in Ukraine to targeting energy infrastructure with its own missiles and Iran-supplied Shahed-136 drones. According to a tweet from Ukraine’s President Volodymyr Zelensky on October 18, ‘30% of Ukraine’s power stations have been destroyed, causing massive blackouts across the country’ while on November 1 during a meeting with the European Commissioner for Energy, Kadri Simson, Zelensky said that between ‘30% and 40% of its energy systems had been destroyed.’ At the time of writing, four million people across 14 regions in Ukraine are still without power while scheduled hourly power outages affect the entire country.


Growing cyber security threat

However, physical security threats resulting from the war in Ukraine and increasing tensions between East and West aren’t the only serious threats to our CNI. There is a growing cyber security threat too. On May 7, 2021, the Colonial Pipeline, which originates in Houston, Texas and carries gasoline and jet fuel to the south-eastern US, was forced to halt all of its operations to contain a ransomware attack.

In this attack, hackers gained entry through a VPN (virtual private network) account that allowed employees to access the company’s systems remotely, using a single username and password that had been found on the dark web. Colonial paid the hackers – an affiliate of the Russia-linked cybercrime group DarkSide – a $4.4 million ransom shortly after the attack.

Less than a year later, Sandworm – a threat group allegedly operated by the Russian cybermilitary unit of the GRU – attempted to prevent an unnamed Ukrainian power provider from functioning. “The attackers attempted to take down several infrastructure components of their target, namely: Electrical substations, Windows-operated computing systems, Linux-operated server equipment, [and] active network equipment,” the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said in a statement.

Slovak cyber security firm ESET, which collaborated with Ukrainian authorities to analyse the attack, said the attempted intrusion involved the use of ICS-capable malware and regular disk wipers, with the adversary unleashing an updated variant of the Industroyer malware.

“The Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine,” ESET explained. The victim’s power grid network was understood to have been penetrated in two waves, the initial compromise coinciding with the Russian invasion of Ukraine in February 2022 and a follow-up infiltration in April allowing the attackers to upload Industroyer2.

Digitised environments

According to John Vestberg, CEO of Clavister, a Swedish company specialising in network security software, ‘it is now beyond doubt that cyber criminals pose an ever-increasing threat to critical national infrastructure.’ He adds: “CNI, such as oil and gas, is a prime target for ransomware gangs.” He believes energy firms and their suppliers need to take a more proactive, rather than reactive, approach to cyber security using predictive analytics and tools like AI (Artificial Intelligence) and ML (Machine Learning) technologies.

Camellia Chan, CEO and Founder of Flexxon brand X-PHY agrees: “It’s crucial that CNI organisations never take their eyes off the ball,” she says. “Good cyber security is an ongoing, proactive, intelligent and self-learning process and embracing emerging tech such as AI as part of a multi-layered cyber security solution is essential to detect every type of attack and help create a more robust cyber security framework.”

Nor are increasingly well-organised, and often state-sponsored, ransomware gangs the only problem CNI organisations face. Part of the issue is that as industrial organisations (including utilities such as water and energy companies) digitise their environments, they are exposing potential security weaknesses and vulnerabilities to threat actors much more than in the past.

Integrated OT/IT networks

Traditionally, security was not viewed as being of critical importance because an organisation’s OT (Operational Technology) network was designed to be isolated, and because it ran proprietary industrial protocols and custom software. This is no longer the case.

As Daniel Trivellato, VP of OT Product Engineering at Forescout, a cyber security automation software company, says: “OT environments have modernised and are no longer airgapped from IT networks, meaning that they are more exposed and their lack of security measures poses a critical risk.” In connecting these two environments, organisations are expanding their attack surface, but not necessarily putting in appropriate measures to mitigate the risk.

According to Trivellato, this hasn’t gone ‘unnoticed by threat actors’: ICS- and OT-specific malware such as Industroyer, Triton and Incontroller is evidence of the increasingly sophisticated capabilities that attackers have begun to deploy, resulting in many serious incidents. “While most OT devices can’t be patched out, there are practices to address the weaknesses such as device visibility and asset management, segmentation and continuous monitoring of traffic,” adds Trivellato.

Grid edge risk

For Trevor Dearing, Director of Critical Infrastructure Solutions at zero trust segmentation company Illumio, part of the attraction to cybercriminals of attacking energy companies is the potentially high rewards on offer. “Many of the gangs are realising that if they can prevent the service from being delivered to customers then companies are more likely to pay the ransom than if they are just stealing data,” he says.

A further problem, he says, is that energy systems no longer just comprise the traditional grid of power stations and power lines. Instead, what’s emerging is what’s known as the ‘grid edge’ – decentralised devices such as smart meters as well as solar panels and batteries in people’s homes and businesses. Utah-based company sPower, which owns and operates over 150 generators in the US, was believed to be the first renewable energy provider to be hit by a cyber security attack in March 2019, when threat actors exploited a known flaw in Cisco firewalls to disrupt communications over a span of about 12 hours.

One way that renewable energy systems are particularly vulnerable to attack is through their inverters. Providing the interface between solar panels and the grid, these convert the DC (direct current) energy generated by the PV (photovoltaic) solar panel into the AC (alternating current) electricity supplied to the mains. If the inverter’s software isn’t updated and secure, its data could be intercepted and manipulated in much the same way as in previous attacks in Ukraine and the US. Furthermore, an attacker could also embed code in an inverter that could spread malware into the larger power system, creating even more damage.

According to Ali Mehrizi-Sani, Associate Professor at Virginia Polytechnic Institute and State University and co-author of a 2018 paper assessing the cyber security risk of solar PV, hackers can artificially create a malfunction in a PV system to launch cyberattacks against the inverter controls and monitoring system.

“This is a vulnerability that can be, and has been, exploited to attack the power system,” he told online publication PV Tech in November 2020. And while currently the potential risk of a cyber security attack on solar power networks remains low because the technology hasn’t yet reached critical mass, as it becomes more decentralised – with solar panels installed in public places and on top of buildings – managing these networks will increasingly rely on robust, cloud-based IoT security.

Greater regulation

One way that governments as well as organisations can ensure the highest levels of CNI protection is through the implementation of standards. For example, Germany introduced IT security laws several years ago, making it mandatory for all network providers, operators and other CNI businesses to ensure they meet the ISO 27001 family of standards for information security management systems (ISMS), while in the UK there are obligations stipulated in the BSI Criticality Ordinance to demonstrate a complete IT security strategy to secure the operation of critical infrastructure.

Similarly, in the US the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) group of standards governs the critical infrastructure of all entities that materially affect the BES (Bulk Electric System) in North America – though this set of standards only applies to electricity and not to the oil and gas industries. According to Cliff Martin, Head of Cyber Incident Response at GRCI Law, a legal, risk and compliance consultancy firm, staff who are responsible for CNI need to be trained accordingly and understand that ‘their actions can have real consequences’. “This means they can’t simply copy and paste traditional IT cyber security measures over to the IT environment – it just doesn’t work like that.”

However, Illumio’s Trevor Dearing says that more and more companies are developing a single strategy for both ‘OT and IT environments’. “The key,” he says, “is to assume you are going to be breached and plan accordingly. If you segment by separating out all the different bits of your infrastructure, then an attack on one part isn’t necessarily going to have a knock-on effect on all the other parts.”

The war in Ukraine and attacks on the Nord Stream pipelines have alerted companies to the physical threat posed to energy infrastructure, especially as we move closer to winter in the northern hemisphere. However, that’s not the only concern. Cyber security attacks on CNI are increasing, partly because of a growing threat from nation state actors but also because cybercriminals are realising that they can make serious money from potentially denying a much-needed service to customers. At the same time, the convergence of OT and IT technologies is providing a potentially much greater attack surface for cybercriminals to target.

Whereas traditionally security has not been seen as a critical consideration for OT, this needs to change with an increased focus on technical solutions such as segmentation and continuous monitoring of network traffic if companies are going to prevent a potentially catastrophic breach to CNI from taking place.
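As an added example (not from the article, and not the code of any company quoted in it), the following Python sketch shows what “segmentation and continuous monitoring of network traffic” looks like in practice: an explicit allow-list between a corporate IT zone, a DMZ, the OT control network and grid-edge devices, evaluated over a constructed flow log so that any cross-zone connection the policy does not permit raises an alert. The zone address ranges, the permitted ports, the log format and the sample flows are all assumptions chosen for illustration.

```python
"""Zone-based segmentation check over constructed network flow records.

Added example, not from the article. Zone layout, allow-list and log format
are hypothetical and chosen for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Hypothetical network zones (constructed; no relation to any real utility).
ZONES = {
    "corporate_it": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),              # relay / historian / jump hosts
    "ot_control": ip_network("192.168.100.0/24"),   # substation and plant controllers
    "grid_edge": ip_network("172.16.0.0/16"),       # inverters, smart meters, batteries
}

# Explicit allow-list of (source_zone, destination_zone, destination_port).
# Anything not listed is denied, so a compromised corporate host cannot reach
# OT controllers directly; only the DMZ relay may speak Modbus/TCP (port 502)
# into the control zone, and grid-edge devices may only report into the DMZ.
ALLOW = {
    ("corporate_it", "dmz", 443),
    ("dmz", "ot_control", 502),
    ("ot_control", "ot_control", 502),
    ("grid_edge", "dmz", 8883),   # MQTT over TLS from edge devices to the DMZ
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone name, or None if it belongs to no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow under the segmentation policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", f"address outside any defined zone ({flow.src} -> {flow.dst})"
    if (src_zone, dst_zone, flow.dport) in ALLOW:
        return "allow", f"{src_zone} -> {dst_zone}:{flow.dport} permitted"
    return "deny", f"no rule for {src_zone} -> {dst_zone}:{flow.dport}"


# Constructed flow log; each line is "<timestamp> <src_ip> <dst_ip> <dst_port>".
SAMPLE_FLOW_LOG = """
2022-11-22T08:00:01 10.10.5.5 10.20.0.10 443
2022-11-22T08:00:02 10.20.0.10 192.168.100.20 502
2022-11-22T08:00:03 10.10.5.5 192.168.100.20 502
2022-11-22T08:00:04 172.16.4.9 10.20.0.10 8883
2022-11-22T08:00:05 172.16.4.9 10.10.5.5 445
2022-11-22T08:00:06 192.168.100.20 192.168.100.21 502
2022-11-22T08:00:07 203.0.113.7 192.168.100.20 502
"""


def parse_flow_line(line: str) -> Tuple[str, Flow]:
    """Parse one line of the constructed log format into (timestamp, Flow)."""
    ts, src, dst, dport = line.split()
    return ts, Flow(src, dst, int(dport))


def monitor(lines: List[str]) -> List[Tuple[str, str, str, int, str]]:
    """Continuous-monitoring pass: one alert tuple for every flow the policy denies."""
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ts, flow = parse_flow_line(line)
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            alerts.append((ts, flow.src, flow.dst, flow.dport, reason))
    return alerts


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count allowed and denied flows in a log."""
    counts = {"allow": 0, "deny": 0}
    for raw in lines:
        line = raw.strip()
        if line:
            counts[evaluate(parse_flow_line(line)[1])[0]] += 1
    return counts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_FLOW_LOG.splitlines()):
        print("ALERT", *alert)
    print(summarize(SAMPLE_FLOW_LOG.splitlines()))
```

Run stand-alone, it prints one alert per denied flow: a corporate workstation opening Modbus/TCP straight to a controller, a grid-edge device reaching into the corporate network, and an address from outside every defined zone. Those are precisely the cross-zone paths that segmentation is meant to close and that monitoring should surface quickly; the allow-list is deliberately written as a default-deny so that a new kind of connection has to be justified before it is permitted.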


Andrew Sabota
September 26, 2023 5:42 pm

Great read. Some other cybersecurity considerations can be done with threat modeling. Topical to the energy in general and specific to Bulk Energy Systems (BES), there was a good anecdotal reference that can be found here on EETimes for cybersecurity strategies in the Energy sector. Bulk Energy System Security – EE Times