As international conflicts migrate to the digital domain, state-sponsored hackers are increasingly targeting energy grids, intending to cause outages that could disrupt the critical infrastructure of entire nations. Andrew Tsonchev, Director of Technology, Darktrace.
No invention has transformed civilisation quite like electricity. However, the days of taking electric power for granted may be nearing an end. As international conflicts migrate to the digital domain, state-sponsored hackers are increasingly targeting energy grids, intending to cause outages that could disrupt the critical infrastructure of entire nations.
The Light Bulb Goes Off
In December 2015, at the Prykarpattyaoblenergo power plant in Western Ukraine, a worker noticed his computer cursor quietly flitting across the screen of its own accord.
Unbeknown to all but a select few criminals, the worker was witnessing the dawn of a new era of cyber warfare. For the next several minutes, the cursor systematically clicked open one circuit breaker after another, leaving more than 230,000 Ukrainians without power.
Since the watershed Ukraine attack, the possibility of a similar strike has been a top-of-mind concern for governments around the globe. This year it was reported that Xenotime had been scoping US and Asia Pacific power networks. Then last month, India’s largest nuclear power plant was compromised, probably by a state-backed group.
Governments across Asia Pacific have been paying close attention to this topic – the Australian Energy Market Operator (AEMO) has been vocal about its concerns, and Australia’s energy sector was also identified as having the greatest number of reported incidents or near-incidents related to critical infrastructure.
During the fourth Singapore International Cyber Week (SICW) in October 2019, Singapore unveiled its Operational Technology (OT) Cybersecurity Masterplan. Coming from a world leader in technological innovation, this move demonstrates the significance of the cyber-threat risk to national critical infrastructure – and will no doubt set the trend for other Asia Pacific countries.
Smart Meters, Smarter Criminals
Power distribution grids are sprawling, complex environments, controlled by digital systems, and composed of a vast array of substations, relays, control rooms, and smart meters.
Between legacy equipment running decades-old software and new Industrial Internet of Things (IIoT) devices designed without rudimentary security controls, these bespoke networks are rife with zero-day vulnerabilities. Moreover, because conventional cyber defences are designed only to spot known threats facing traditional IT, they are blind to novel attacks that target such unique machines.
Among all these machines, smart meters — which communicate electricity consumption back to the supplier — are often highly vulnerable. The rapid adoption of connected meters presents a possible gateway for threat-actors seeking to access a power grid’s control system. In fact, disabling individual smart meters could be sufficient to sabotage the entire grid, even without hijacking that control system itself. Just a 1-percent change in electricity demand could prompt a grid to shut down in order to avoid damage, meaning that it might not take many compromised meters to reach the breaking point.
More alarmingly, a large and sudden enough change in electricity demand could create a surge that inflicts serious physical damage and enduring blackouts. Smart energy expert Nick Hunn asserts that, “the task of repairing the grid and restoring reliable, universal supply can take years”.
Empowering The Power Plant
Catching suspicious activity on an energy grid requires a nuanced and evolving understanding of how the grid typically functions. Only this understanding of normalcy for each particular environment — composed of millions of ever-changing online connections — can reveal the subtle anomalies that accompany all cyber-attacks, whether or not they’ve been seen before.
The first step is visibility: knowing what’s happening across these highly distributed networks in real time. The most effective way is to monitor the network traffic generated by the control systems, as OT machines themselves rarely support security agent software.
Fortunately, in most power grid architectures, these machines communicate with a central SCADA server, which can provide visibility over much of the grid. However, traffic from the control system is insufficient to see the total picture, since remote substations can be directly compromised by physical access or serve as termination points for a web of smart meters. To achieve total oversight, dedicated monitoring probes can be deployed into key remote locations.
Once you get down to this level — monitoring the bespoke and often antiquated systems inside substations — you have firmly left the world of commodity IT behind. Rather than dealing with standard Windows systems and protocols, you are now facing a jungle of custom systems and proprietary protocols, an environment that off-the-shelf security solutions are not designed to handle.
The only way to make sense of these environments is to avoid predefining what they look like, instead using artificial intelligence (AI) that learns to differentiate between normal and abnormal behaviour for each power grid. AI can then detect threats against both outdated machines and new Industrial IoT objects.
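To make the "learn normal, then flag deviations" approach concrete, here is a small added example (not code from the article or from Darktrace) that builds a per-environment baseline from constructed substation flow records and scores new flows against it. Hostnames, byte counts and the three-sigma threshold are assumptions; port 502 is Modbus/TCP and 20000 is DNP3, and the statistical baseline stands in for the AI model the article describes.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records standing in for what a substation probe would see:
# (source host, destination host, destination port, bytes transferred).
BASELINE = [
    ("scada-srv", "rtu-01", 502, 1200), ("scada-srv", "rtu-01", 502, 1180),
    ("scada-srv", "rtu-01", 502, 1210), ("scada-srv", "rtu-01", 502, 1190),
    ("scada-srv", "rtu-02", 20000, 900), ("scada-srv", "rtu-02", 20000, 920),
    ("scada-srv", "rtu-02", 20000, 880), ("scada-srv", "rtu-02", 20000, 910),
    ("hmi-01", "scada-srv", 443, 5000), ("hmi-01", "scada-srv", 443, 5200),
    ("hmi-01", "scada-srv", 443, 4900), ("hmi-01", "scada-srv", 443, 5100),
]

def learn_baseline(flows):
    """Learn what 'normal' looks like for this grid: which hosts talk to
    which, over which protocol port, and how many bytes they usually move."""
    peers = defaultdict(set)     # src -> {dst}
    ports = defaultdict(set)     # (src, dst) -> {port}
    volume = defaultdict(list)   # (src, dst, port) -> [bytes, ...]
    for src, dst, port, nbytes in flows:
        peers[src].add(dst)
        ports[(src, dst)].add(port)
        volume[(src, dst, port)].append(nbytes)
    stats = {k: (mean(v), pstdev(v)) for k, v in volume.items()}
    return {"peers": peers, "ports": ports, "stats": stats}

def score_flow(model, flow, sigma=3.0):
    """Return the deviations a single flow shows against the learnt model.
    An empty list means the flow matches previously observed behaviour."""
    src, dst, port, nbytes = flow
    if src not in model["peers"]:
        return ["unknown-source"]       # a host never seen talking before
    if dst not in model["peers"][src]:
        return ["new-peer"]             # known host reaching a new device
    if port not in model["ports"][(src, dst)]:
        return ["new-protocol"]         # known pair, unexpected protocol
    mu, sd = model["stats"][(src, dst, port)]
    if abs(nbytes - mu) > sigma * max(sd, 1.0):
        return ["volume-anomaly"]       # far outside the usual byte range
    return []

def triage(model, flows):
    """Score a batch of flows and keep only those that deviate."""
    return {f: r for f in flows if (r := score_flow(model, f))}

if __name__ == "__main__":
    model = learn_baseline(BASELINE)
    for flow, reasons in triage(model, [
        ("scada-srv", "rtu-01", 502, 1205), ("scada-srv", "rtu-01", 502, 9000),
        ("hmi-01", "rtu-01", 502, 1200), ("laptop-77", "rtu-01", 502, 300),
    ]).items():
        print(flow, reasons)
```

The model learns only from traffic it has observed, so the learning window must be long enough to cover routine operations and be re-learnt when the substation's equipment legitimately changes.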
With power plants and energy grids fast becoming the next theatre of cyber warfare, the switch to AI cybersecurity cannot come soon enough.