Emerging focus on cyberthreats to energy infrastructure

Last week, an exercise simulated attacks on the power grid and computer networks. Participants, first responders, and private sector representatives engaged in health and security.

The exercise centered on how it would react if hackers were able to take down the energy grid while simultaneously exfiltrating information from computer networks. The goal was to provide a gap model and develop best practices that can be utilized.

There is also a partnership between the public and private sectors to protect critical infrastructure and provide a comprehensive effort to recognize and support critical infrastructure security. The initiative supports the programs of the infrastructure protection mission to raise awareness around critical infrastructure protection.

Perhaps the most concerning news was the announcement by the head of the nuclear watchdog, International Atomic Energy Agency Director Yukiya Amano, that a nuclear power plant in Germany was hit by a “disruptive” cyberattack within the past three years. Amano was quoted by Reuters as saying:
“This issue of cyberattacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything or if it’s the tip of the iceberg.” And he noted that this is "not an imaginary risk."

Without getting into specifics, Amano revealed that a nuclear plant had been the target of a “disruptive” - but not destructive - cyberattack two to three years ago, according to an Oct. 10 story published by Andrea Shalal. In addition, Amano recounted how there was an attempt to smuggle a small amount of highly enriched uranium about four years ago. "This is not an imaginary risk," he said. Though he had not previously discussed these events publicly, Amano did say he highlighted the issue of increasing precautionary measures for nuclear sites at an IAEA cybersecurity conference in June 2015 and increasing cyber and overall nuclear security would be a topic again at a summit in Vienna in December.

While no hackers have impacted reactor operations at nuclear installations, there have been cases of data exfiltration and viruses infecting internal networks. Amano said IAEA continues to support global nuclear security training databases and the distribution of thousands of compact radiation detection devices.

It should also be noted that in 2014, a computer in the control room at Monju Nuclear Power Plant in Tsuruga, Japan, was subjected to malware, but possibly by accident. And in 2015, South Korean hackers targeted Korea Hydro and Nuclear Power Company, but luckily to no avail. Most cyber experts believe that North Korea was behind the attempted cyberattack. These incursions are a wake-up call as there is a very real and growing fear that a future cyberattack on a nuclear plant could risk a core meltdown.

Non-nuclear power plants have also been subjected to intrusions and breaches. A hack in Ukraine was held up as a prime example. In December 2015, hackers breached the IT systems of the electricity distribution company Kyivoblenergo in Ukraine, causing a three-hour power outage.

Refineries, dams and data centers are all potential targets of cyber incursion. According to a report released last month titled "The Road to Resilience: Managing and Financing Cyber Risks," oil and gas companies around the world could face costs of up to $1.87 million in cybersecurity spending by 2018.

There have been attempted cyberattacks on grids and utilities, many via phishing and ransomware, and some have been successful. The head of the National Security Agency has stated that only two or three countries have the ability to launch a cyberattack that could shut down the entire power grid and other critical infrastructure.

Much of our grid still relies on antiquated technologies, and more investment in defenses is needed. As technology advances exponentially and as threat actors (including cyber mercenaries) gain tools via the dark web, that number of potential state-sponsored adversaries could expand in the near future.

In 2013, President Barack Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which called for the establishment of a voluntary risk-based cybersecurity framework between the private and public sectors. The chairman of the congressional EMP Caucus, considered the foremost expert in Congress on electromagnetic pulses, has introduced legislation (HR 3410) called the Critical Infrastructure Protection Act. The law would enable practical steps to protect the electric grid by training and mobilizing first responders for possible events.

While the threats are complex and the threat actors vary among hackers, sponsors, organized criminal enterprises and terrorists, there are several themes to adhere to in order to mitigate risk. These include:

Remain vigilant and continually analyze and game the energy cyberthreat landscape, as the methods, means and malware variants are constantly morphing.

Share and communicate cybersecurity information between the public and private sectors (a majority of the energy infrastructure is owned by the private sector). The government and industry are currently using pilot programs, including the Cybersecurity Risk Information Sharing Program and the Trusted Automated eXchange of Indicator Information, to facilitate rapid sharing of security information. Emergency Response Team responded to 295 cyber incidents in the energy sector in 2015.

Follow industry protocols, especially related to Supervisory Control and Data Acquisition (SCADA). Power companies use SCADA networks to control their industrial systems, and many of these networks need to be updated and hardened to meet growing cybersecurity threats.

Maintain robust access management control and cyber incident response programs. This includes following National Institute of Standards and Technology, North American Electric Reliability Corporation, Federal Energy Regulatory Commission and U.S. Nuclear Energy Regulatory Commission cybersecurity protocols.

Invest in next-generation security controls and cybersecurity technologies.

The World Energy Council says countries must raise their game in combating cyberattacks on nuclear and other energy infrastructures. They note that the frequency, sophistication and costs of data breaches are increasing. The expanding cybersecurity focus on energy infrastructure by both the public and private sectors is certainly a welcome development.