Energy sector: Cyber security obligation to ensure provision of essential services in the face of attacks


The cyber challenges of the energy sector

The energy sector is made up of infrastructures that are considered vital and that provide essential services for a country. Marked by increasing digitalization, the sector is undoubtedly a prime target for cyber attackers, with consequences that can cascade to almost all the infrastructures and services of our society. If the electricity supply were interrupted for several days, other services such as transport, health and communications would not be able to function.

A sector in full transformation

The energy sector is undergoing an energy transition with the arrival of renewable energies. It also relies on new ways of managing the balancing of the network, which is essential to the sector and is becoming increasingly complex. At each moment, the quantity of electricity injected into the network must be equal to the quantity of electricity withdrawn. This transformation leads to an increase in the need for flexibility to ensure security of supply and significant investments in the network. This is the objective of concepts such as Smart Grids, which make it possible to control energy consumption and optimize it for the consumer.

To respond to this business transformation, the energy industry is in the midst of a digital transformation that is disrupting the modes of production, transformation, storage, transport and consumption of energy. Information and communication technologies have made it possible to optimize the entire supply chain.

As a result, a large number of Industrial Internet of Things (IIoT) devices are being deployed, with greater connectivity. This transition has triggered an unprecedented explosion of data. Energy companies must now be more agile in their decisions by effectively leveraging this data.

Such a transformation exposes the energy industry to increased cyber risks. This situation makes cybersecurity a priority for the energy sector.

Let’s take a concrete example: remotely controlled, wind turbines and solar panels are by nature connected objects. They must be remotely accessible and therefore secure. However, these new projects do not systematically take into account all the cybersecurity constraints and associated technical solutions (secure protocols, appropriate access technologies, etc.) from the design phase.

An increasingly targeted sector

Let’s do a little “archaeology” of cybersecurity related to the sector: the discovery of Stuxnet in 2010 created a shock wave within the energy industry. This attack served as a spotlight on unknown vulnerabilities.

In December 2016, part of the population of Kiev and its outskirts was deprived of electricity for about 1 hour due to the disconnection of the Pivnichna substation of the power transmission network. The attack began as part of a massive phishing campaign that occurred in July of the same year, which exploited a vulnerability in Windows XP. The outage was caused by the remote switching of circuit breakers in order to cut off the power supply.

Not a year has passed without a cyber event. Another example: renewable energy is a new target for cyber attackers. In 2019, in Utah, USA, a wind and solar grid suffered 12 hours of lost connection to the company’s control center, causing power outages to homes in the surrounding area. The cyberattackers exploited a known vulnerability on unpatched firewalls causing a denial of service of the equipment.

In 2021, executives at Colonial Pipeline, which connects refineries across the United States, decided to halt all of their distribution operations after ransomware spread. The company said it paid $4.4 million in ransom for the hackers to provide a computer tool to restore their operations [1].

The energy sector is one of the most targeted industries. According to the X-Force Threat Intelligence Index 2022 report [2], in 2021, the energy sector ranked as the fourth most affected sector, with 8.2% of observed attacks, behind manufacturing, finance and professional services.

In 2021, ransomware was the most common type of attack against energy organizations with 25% of attacks. Oil and gas companies are particularly affected by this phenomenon. Trojan horse (RAT), DDoS, and corporate identity theft (CIV) attacks were also heavily reported with 17% of attacks each.

While cyber attacks are most often aimed at profit and espionage, the energy industry is also confronted with sabotage intentions, sometimes for geopolitical reasons. Some hacktivists can also represent a threat by attacking critical infrastructures. Recent major geopolitical destabilization events reinforce these risks.

The energy sector has critical infrastructure assets. In an increasingly interdependent world, any disruption, even initially limited to one entity or geographic area, can produce wider cascading effects as presented below:

[Figure: impact chain (Wavestone)]

In order to fight effectively against these new threats, states and the European Union have adopted binding regulations to ensure a reinforced level of cybersecurity on the most critical installations.

What is the role of regulations?

In France, the competent authority for cybersecurity is the National Agency for Information Systems Security (ANSSI). To respond to the increase in threats, the defense strategy has been based since 2013 on the Military Programming Law (LPM), in order to secure Vital Importance Operators (VIO). The ANSSI mainly insists on procedures for the security accreditation (homologation) and auditing of information systems, and for maintaining them in a secure condition.

ormations of Vital Importance (IVIS).

At the European level, there is also a desire to protect sensitive organizations such as essential service operators (ESOs) in the energy sector. The reference point for cyber security is currently the Network and Information System Security Directive (NIS Directive). Its primary objectives are to increase cooperation between EU member states, facilitating the exchange of strategic and operational information, and to improve the cyber resilience of public and private entities in critical sectors such as energy. Here, for energy, ENISA wants to guard against large-scale threats with increasingly cross-border and interdependent networks.

The complexity now lies in the operational application of certain measures in industrial environments where the equipment and means of production are designed to last several decades. Thus, modifying operational processes and/or equipment to integrate more cyber security is a real challenge. The impact of this transition is significant, both in financial terms and in terms of changing the way people work. This makes it all the more important for energy stakeholders to share their experiences in order to find pragmatic and appropriate solutions: adapted network architecture, technical solutions compatible with the industrial world, vulnerability management processes and updates built with the operational teams, for example.

Conclusion

Given the criticality of infrastructures, they are prime targets. It is essential that the business and cybersecurity players in the energy sector communicate on good cybersecurity practices, learn from previous attacks and contribute to improving the overall level of protection. It is in this context that the first forum specifically dedicated to the energy industry, “Cyber4Energy”, will be held in Marseille on March 30-31, 2022. This event will be an opportunity for professionals to discuss the challenges of cybersecurity and the specific solutions available to the sector.

References:

[1] United States: the Colonial Pipeline paid a ransom of $4.4 million to hackers (lemonde.fr)

[2] IBM Security, X-Force Threat Intelligence Index 2022 (ibm.com)


Continue reading: https://www.riskinsight-wavestone.com/2022/03/secteur-de-lenergie-une-obligation-de-cybersecurite-face-aux-attaques-pour-garantir-la-fourniture-de-services-essentiels/
