by Hubertus Breuer
Without comprehensive defensive measures against increasingly sophisticated cyberattacks, we would literally be sitting in the dark. Here is how we can protect our power plants from multi-stage cyberattacks and flexibly adapt to new threats.
The cyberattack on a Ukrainian utility in December 2015 is considered to be one of the first successfully executed attacks on a power grid. The hackers overwrote the utility’s firmware, deactivated operator accounts, and deleted workstations and servers.
It was a targeted multi-stage attack. The hackers were able to get past several hurdles in order to reach their target – first compromising information technology (IT) networks in order to manipulate operational technology (OT) that controls physical energy assets. Like so many attacks on energy infrastructure, the Ukraine breach originated as a phishing attack on a single office laptop, which went undetected. With a malware-infected laptop operating within the energy company’s IT security perimeter, hackers could obtain critical information to install additional targeted malware capable of taking over critical control systems. Only after these systems were breached did the actual attack begin, which ultimately cut off the power supply to around 225,000 households.
The sophisticated attack not only exposed the dangers the energy industry faces today from shrewd hackers – including criminals and politically motivated or even state-sponsored actors. It also showed how cyberattacks on our energy infrastructure are becoming more sophisticated as the industry becomes more digitized. “In the past, the attacks would primarily target IT to obtain data,” says Leo Simonovich, head of industrial cybersecurity at Siemens Energy. “Now, more and more OT – plants, machines and their control systems – are being targeted. The risk is therefore no longer simply data theft, but sabotaging energy assets that are responsible for our economic and physical security. That’s why we are constantly working on cybersecurity strategies adapted to new threat scenarios.”
Attacks on the energy sector have only increased in sophistication and rate since the Ukraine cyberattack – although not every attack is as serious or as successful. A 2019 study conducted by Siemens Energy and the Ponemon Institute – surveying more than 1,700 cybersecurity experts from the energy sector – examined the industry’s preparedness to address the increase in the frequency and complexity of attacks. More than half of those surveyed reported that at least one cyberattack on their organization within the previous year was successful, resulting in operational disruptions, power failures, property and environmental damage, and in some cases even physical injuries. Respondents now consider multi-stage attacks to be the greatest cybersecurity risk for the energy sector.
So how to get ahead of attackers? Accomplishing this requires a look at how the energy industry has changed over the past decades. Before the energy sector’s OT assets became digitally connected, operators relied on the fact that many of their plants and networks were, digitally speaking, isolated. That is now a thing of the past. Today, hackers have more opportunities to exploit power plants or the electric grid than ever before.
Nowadays, almost every piece of a plant’s critical infrastructure or energy technology is connected to the Internet in some way, and for good reason. Without digitalization, energy companies would not be able to meet the challenges of a dynamic energy market, including the opportunity to leverage new, decentralized technologies – such as renewable power generation, electric vehicles or control systems that optimize energy efficiency.
For that reason, energy companies have to ensure every aspect of their supply chains is secure. Not an easy task. Power plants, power lines, converters and substations are not acquired from a single manufacturer. They are made up of a wide variety of devices, components and software applications from different suppliers. Any link in this chain could have a security gap. “That is why energy suppliers must make cybersecurity a central component of their business model,” says Simonovich. “We are helping them do this, since we are very familiar with the risks thanks to our expertise in the energy industry and in cybersecurity.”
Cybersecurity experts at Siemens Energy leverage their knowledge of the challenges faced by various industries. They constantly check for weaknesses in products and provide solutions. They also continuously improve new security concepts to provide multi-layered protection for plants.
But what about blind spots? For Siemens Energy’s cybersecurity and detection platform, Simonovich’s group has developed a methodology called Process Security Analytics that translates data from IT and OT into one uniform data stream. Artificial Intelligence (AI) applications work on this stream to identify threats at an early stage. This data can also be incorporated into digital twins, which in turn enable a comparison of a plant’s target operation with its actual status.
AI certainly is paramount. For that reason, Siemens Energy also joined forces with a U.S. company specializing in AI-based cybersecurity solutions, SparkCognition, to develop a monitoring system that can detect threats and protect remote energy assets that go long periods of time before they receive security updates. These assets exist on the periphery of an energy company’s operating environment – whether it be commercial smart meters, EV charging stations, or pipeline compressors.
Finally, nothing happens in the energy sector without partners. Siemens Energy recently began collaborating with the New York Power Authority to test AI-based cybersecurity capabilities in New York’s digital energy ecosystem. The partnership is developing an industrial cybersecurity Center of Excellence focused on new technologies, collaborations across industry and with academia. “We are certain,” says Simonovich, “that companies that continue learning and adapting their defense strategies based on AI technology and strategic partnerships will significantly reduce their risks. It’s a big job, but one we can accomplish.”
December 14, 2020
Hubertus Breuer is an independent journalist specializing in technology reporting. He lives and works in Munich, Germany.