Whilst the trend towards ever more interconnected power grids is understandable from an efficiency point of view, it also increases the risks of cyberattacks. Risks which many players in this market continue to underestimate.
From science fiction to reality
A total blackout. Fifteen years have passed since the disappearance of all forms of electrical energy. The United States no longer exists, in its place is a collection of independent states. Populations who have gone back to living off the land are being terrorised by militia. This scenario from the NBC series Revolution, which was broadcast from 2012 to 2014, undoubtedly belongs to the realm of science fiction. But it hints at a real threat.
Technology has caught up with usRobert Wakim, Offer Manager Industry at Stormshield
“Imagine the consequences of an attack on a country’s energy grids. Let's not be under any illusions, there are teams, countries, armies out there working towards exactly that objective in anticipation of future conflicts. It's not science fiction any more.” Words not from a fictional series but from the mouth of Guillaume Poupard, the Director General of France’s National Cybersecurity Agency (ANSSI). His comments were made in a speech to the French Foreign Affairs, Defence and Armed Forces Committee on 3 October 2018, in which he also took the opportunity to call for more co-ordination and more regulation.
It's true that these threats to power grids are now increasing. Not just because the hackers are becoming more skilful but also, and most of all, because of ever greater connectivity. “Technology has caught up with us, says Robert Wakim, Offer Manager Industry at Stormshield. From the production to the transmission and consumption of electricity, Smart Grids use considerable communication bridges to help them manage this rare asset more efficiently.” This makes protecting the whole chain, from the power station to the smart meter, critical, according to Guillaume Poupard, who had stressed this point a few months earlier, before the same Committee.
This technology race is visible on both sides, amongst industry players as well as malicious parties. Take for example the malware Industroyer, which is capable of exploiting this interconnectivity in power grids. “This malware is capable of communicating through four electrical communication protocols, Robert Wakim explains. It adapts. It’s a sort of magic translator. It’s pretty much the only malware that specialises in the energy sector.” It’s possible to get hold of Industroyer on the darknet and target any facility. “We know that it was the malware used in the second series of attacks on Ukraine’s power grids at the end of 2016”, he adds.
Widespread attacks... since 2010
Shamoon, Stuxnet, BlackEnergy... Industroyer isn’t the only malware that has struck the energy sector, thereby engraving itself in the memories of numerous hackers and analysts. But unlike Industroyer, this other malware needs to really know the infrastructure before attacking it, meaning it makes do with less network connectivity. Stuxnet, in particular, made people “sit up and take notice”, as Gabrielle Desarnaud, a researcher at the French International Relations Institute, puts it in her study Cyberattacks and energy systems, published in January 2017. Although it was uncovered in 2010, in 2017 the researcher still rated Stuxnet as “the most advanced attack ever on a nuclear infrastructure”. The malware caused damage in uranium enrichment centrifuges in the Natanz complex in Iran for years.
In Saudi Arabia, Shamoon affected 30,000 computers and blocked the oil company Saudi Aramco’s trucks in 2012. “The attack started with a phishing email, recalls Robert Wakim. A secretary clicked on an email. But her infected PC continued to behave normally. This meant the attacker was able to discretely take control of the computer from the inside and go deep into the servers.”
The BlackEnergy virus that was the source of the first wave of attacks on the Ukrainian power grid in December 2015, also started with a phishing campaign. This is good news and bad news: as in other industries, cyberattacks on power grids often rely on human error.
A feeling of invulnerability?
But this human vulnerability is also due to a failure to recognize the risks at the highest corporate levels. “Clients usually approach us out of the need to comply with regulations, rather than the fear of being the target of an attack”, points out Robert Wakim. Why is there such a lack of awareness? “The problem, the expert continues, is that operators underestimate the effect of an attack. They see their facility as insignificant in relation to the grid as a whole, and so imagine it wouldn’t be a worthwhile target.”
Clients usually approach us out of the need to comply with regulations, rather than the fear of being the target of an attackRobert Wakim, Offer Manager Industry at Stormshield
Another reason for this feeling of invulnerability has to do with the fact that many facilities, such as nuclear power stations, are not connected to the internet. “But this is an illusion, claims Robert Wakim. A connection is essentially a communication, an exchange of data, even if it is only activated briefly once a year. A risk arises the moment I connect to an object that is itself connected, or use a USB stick.”
To date, two of the main motivations behind cyberattacks like this have been the domino effect and competitive advantage. The first would include an attack designed to disrupt the network enough to have consequences on a national level. “And the specific characteristics of this type of attack mean it is capable of causing a domino effect, or in other words, having the maximum effect with minimum effort”, explains Robert Wakim. “The best illustration of this is the impact on French oven clocks of an electricity shutdown in Kosovo”. An example of the second type would be an attack by a smaller competitor on the market being targeted. Corrupting, limiting or even stopping the production or transmission of electricity will give them a not inconsiderable competitive advantage, regardless of size, on the market of the company being targeted.
An increasingly connected future
And how does the future look for these power grids? Apart from installations of one or more megawatts, the future lies in lower-power, renewable energy facilities: wind and solar farms, even solar panels on private homes… These individual producers will be linked and organised by aggregators or as Gabrielle Desarnaud calls them, “virtual power plants”.
The future of energy therefore lies in a larger number of production points and interconnections. A development which will increase attack surfaces all the more, but also heighten the risks for all of the players. And whilst to date there is no legal framework in place that provides for this increase in the number of players, we still need to protect the whole. Although setting up virtual power plants is a very good thing for resilience in terms of production for the market overall, it is imperative that we understand the cyber threat to these new players ahead of time. And in so doing, prepare for a safer energy future.