Benjamin Dickinson, Global Product Manager, Cybersecurity at ABB Energy Industries, considers the evolution of power generation and how the implementation of new smart technologies could be bringing additional cyber risks to the table. The standards are there, but when applied in isolation, they simply won’t be enough to counter the real-world threats we face.
Here’s a rather sobering statistic: we found that 50% of our customers in the energy and utility sectors had been the victim of a cyberattack over a two-year period. As a result, we security professionals no longer treat an attack as a question of if, but of when. That is, unless the right protections are in place.
Indeed, within the walls of ABB, we predict that 67% of our customers globally will face an attack in one form or another, and of those that have already been attacked, 96% could have prevented the incursion with foundational cyber controls.
This is very much a technology-driven problem, and it is technology – coupled with common sense and a defence-in-depth approach that goes beyond box ticking – that will ultimately solve it.
This risk is something that the International Energy Agency (IEA) points out in its recent report ‘Net Zero by 2050: A Roadmap for the Global Energy Sector’. The report explains, ‘Cybersecurity could pose an even greater risk to electricity security, as systems incorporate more digitalised monitoring and controls in a growing number of power plants, electricity network assets and storage facilities.’
Net zero requires much tighter monitoring of assets and generation, which in turn demands smarter remote equipment and tighter integration. Industry 4.0 and the Industrial Internet of Things (IIoT) are underpinning this greater connectivity and data sharing; however, unfortunately this also offers hackers more entry points, due to the near exponential rise of smart-device endpoints. Indeed, hackers now have a virtual smorgasbord from which they can pick and choose the attack vectors they can use to exploit systems. That is, if the right protections aren’t put in place.
It may sound like a horror story, but happier endings are certainly well within reach. There is a myriad of technologies, advice and opportunities available to help counter this growing threat, but simply box ticking the national and international standards developed for critical infrastructure is not enough in isolation.
Sure, these standards and regulatory measures provide a good starting point or foundation, but to really undertake proper cybersecurity due diligence, you have to look closely at the rationale behind each of the boxes, what technology is available to address them and what pre-emptive action you can take that will deliver more than just a mandated check mark.
The underlying problem is that these regulatory standards simply don’t go into the detail necessary to prescribe fully hardened systems, often because they have to suit the needs of many organisations, are designed by committee, or must balance the interests of multiple parties. They do set out the important requirements and the classes of technology expected, but it is up to the user to ensure that the security controls are selected, installed, configured and maintained in a manner that matches their individual applications and security standpoint.
This is precisely why the USA’s National Institute of Standards and Technology (NIST) Cybersecurity Framework is so useful: it is a guidance document rather than a mandatory standard or requirement. As a publication built around recommendations, it can be more descriptive, and where needed more prescriptive, than the UK HSE’s OG 86 or IEC 62443, both of which contain elements of box ticking. The problem is that it is not widely recognised that you can be compliant with both of those standards and yet fail to significantly reduce your risk. More steps must be taken.
The International Energy Agency is 100% right in its evaluation of the risks; one only has to look at the recent oil pipeline hijack in the US or the Norsk Hydro attack in 2019, both of which were based around ransomware. Or, rather spectacularly, the deviously clever Stuxnet worm, which spread from ordinary Windows host to Windows host, via removable media and network shares, until it reached its target: a widely used programmable logic controller, from one particular vendor, running one niche process application at a particular plant in a specific country. These attackers are not only finding ways onto your systems, they are also getting more savvy, picking specific targets who they know can, and potentially will, pay.
‘Ransomware as a Service’ is the name for a now well-established and highly unethical practice in which criminals lease ransomware to affiliates, on condition that the affiliates follow rules such as giving hospitals and schools a miss and targeting organisations that can pay the ransom. The operators then offer ‘support’ if the victim chooses to pay, unhelpfully implying that paying is the best, quickest and easiest way out.
These risks and their likely impact need to be addressed at a much earlier stage, when an appropriate level of security can be defined in a thorough assessment. Following this, for all the bad news, there is good news too, and this is that there is a plethora of technology, methodology and practice that can sit behind and reinforce the box ticking in the standards.
The standard can form the foundation, much like an office PC with anti-virus/anti-malware and a firewall, but this foundation must be maintained and strengthened with comprehensive and timely patch programmes, updates and back-ups, along with network architecture measures such as managed switches, segregated networks, secure LANs and firewalls, and appropriate physical security.
Firewalls are, in fact, a great example of where the standards are just paying lip service. They say you need a firewall – here’s where you tick the box to say you’re compliant – but in real terms that firewall is only effective if it is configured, programmed and maintained so that it does its job as part of a larger security system. A firewall with a permit-everything rule, or one whose rules were never revisited after commissioning, is a ticked box and nothing more. This is what is missing from the standards. There simply cannot be any weak links.
Box ticking the installation of a firewall (and that’s it) is one example of where standards fall short, but with a proper security assessment these procedural weaknesses become immediately apparent, and with a thorough analysis of your risks you will achieve a better understanding of where your security journey is going to take you. It is better to be a pessimist to start with: assume from the outset a meaningful probability of compromise (a 10% likelihood is a reasonable starting figure) and work back from the potential outcomes to identify the critical assets, equipment and attack vectors that matter most.
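As an added illustration of the point above (this is example code, not ABB’s or the author’s, and the zone addressing, rule format and port lists are assumptions made for the example), the following audits a small zone-based firewall rule set for the configurations that turn a ‘ticked’ firewall into a useless one: a non-deny default policy, permit-anything rules, and rules that let enterprise IT reach the control network directly instead of via a DMZ. Three constructed rule sets are included: a firewall that is in place but wide open, one that looks configured but punches holes straight into the control zone, and a hardened one.

```python
"""Audit a simple zone-based firewall rule set for 'box-ticked but
ineffective' configurations.

Rule format (constructed for this example; not any vendor's syntax):
  {"name": str, "action": "permit" | "deny",
   "src": zone-name | CIDR | "any", "dst": zone-name | CIDR | "any",
   "proto": "tcp" | "udp" | "any", "port": int | "any"}
Zone names are resolved through ZONES, a hypothetical site addressing plan.
"""
import ipaddress

ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),      # corporate IT
    "dmz":        ipaddress.ip_network("10.1.0.0/24"),      # IT/OT DMZ
    "control":    ipaddress.ip_network("192.168.10.0/24"),  # PLC / DCS network
}

# Well-known OT protocol ports that should never be reachable directly from IT.
OT_SERVICE_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}
# Remote-access services that should terminate on a DMZ jump host, not a PLC/HMI.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}


def _net(ref):
    """Resolve 'any', a zone name, or a CIDR string to an ip_network."""
    if ref == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if ref in ZONES:
        return ZONES[ref]
    return ipaddress.ip_network(ref)


def _covers(ref, zone_name):
    """True if the address reference overlaps the named zone at all."""
    return _net(ref).overlaps(ZONES[zone_name])


def audit_ruleset(rules, default_action):
    """Return a list of human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    if default_action != "deny":
        findings.append("default policy is not deny: anything no rule matches is allowed")
    for r in rules:
        if r["action"] != "permit":
            continue
        any_svc = r["proto"] == "any" or r["port"] == "any"
        if r["src"] == "any" and r["dst"] == "any" and any_svc:
            findings.append(f"{r['name']}: permit any/any/any, the firewall is just a patch cable")
            continue
        if any_svc:
            findings.append(f"{r['name']}: permits every service from {r['src']} to {r['dst']}")
        if _covers(r["src"], "enterprise") and _covers(r["dst"], "control"):
            port = r["port"]
            if port in OT_SERVICE_PORTS:
                findings.append(f"{r['name']}: {OT_SERVICE_PORTS[port]} (port {port}) reachable from the enterprise zone")
            elif port in REMOTE_ACCESS_PORTS:
                findings.append(f"{r['name']}: {REMOTE_ACCESS_PORTS[port]} (port {port}) straight into the control zone")
            else:
                findings.append(f"{r['name']}: enterprise-to-control traffic bypasses the DMZ")
    return findings


# Constructed rule sets (hypothetical; for demonstration only).
WEAK_RULES = [  # firewall installed, box ticked, nothing else done
    {"name": "allow-all", "action": "permit", "src": "any", "dst": "any", "proto": "any", "port": "any"},
]
WEAK_DEFAULT = "permit"

TICKED_RULES = [  # default deny, but the holes go straight into the control zone
    {"name": "hmi-from-corp", "action": "permit", "src": "enterprise", "dst": "control", "proto": "tcp", "port": 3389},
    {"name": "scada-modbus", "action": "permit", "src": "enterprise", "dst": "control", "proto": "tcp", "port": 502},
    {"name": "vendor-support", "action": "permit", "src": "any", "dst": "192.168.10.50/32", "proto": "any", "port": "any"},
]
TICKED_DEFAULT = "deny"

HARDENED_RULES = [  # IT reaches OT only through a DMZ jump host and a DMZ historian
    {"name": "corp-to-jump", "action": "permit", "src": "enterprise", "dst": "dmz", "proto": "tcp", "port": 3389},
    {"name": "jump-to-hmi", "action": "permit", "src": "10.1.0.10/32", "dst": "192.168.10.20/32", "proto": "tcp", "port": 3389},
    {"name": "historian-poll", "action": "permit", "src": "10.1.0.20/32", "dst": "control", "proto": "tcp", "port": 502},
    {"name": "deny-all", "action": "deny", "src": "any", "dst": "any", "proto": "any", "port": "any"},
]
HARDENED_DEFAULT = "deny"

if __name__ == "__main__":
    for label, rules, default in [("weak", WEAK_RULES, WEAK_DEFAULT),
                                  ("ticked", TICKED_RULES, TICKED_DEFAULT),
                                  ("hardened", HARDENED_RULES, HARDENED_DEFAULT)]:
        print(f"== {label} ==")
        for f in audit_ruleset(rules, default) or ["no findings"]:
            print("  -", f)
```

The ‘ticked’ rule set is the one that passes a compliance walk-through: there is a firewall, its default is deny, and every rule has a business justification. It still exposes RDP and Modbus/TCP from the whole corporate network to the PLC network and gives a vendor an all-services path to one controller. Checks like these belong in the periodic review the article calls for, run against the live configuration rather than the design document.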
Utilities will always be classed as critical infrastructure, so cybersecurity must attract the same level of criticality. The standards help, but only as the very first blocks in what needs to be a significantly more detailed and ongoing process of assessment, implementation and maintenance. It will always be a moving target, so a static ticked box will be no match for what you could be facing from constantly adapting hackers.