Cybersecurity in the Electricity Industry
What Is the Electricity Industry?
The electricity industry is a type of national critical infrastructure that’s “necessary to maintain normalcy in daily life,” as stated by the U.S. Department of Homeland Security.[1] In total, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified 16 critical infrastructure sectors whose systems and networks are vital to national security and public health in the United States.[2] Energy is one of those sectors. It comprises electricity, oil, and natural gas.[3]
CISA noted that the U.S. electricity sector consists of over 6,413 power plants and that 48% of the nation’s electricity comes from coal combustion. This was followed by natural gas combustion, nuclear power, hydroelectric plants, renewable sources, and oil at 22%, 20%, 6%, 3%, and 1%, respectively. Moreover, CISA noted that many if not all other industries including critical infrastructure industries depend on the electricity sector, making electric utilities and the power they provide important fixtures of modern life.
How Fast Is the Electricity Industry Growing?
Electricity sales increased 3.8% through August 2021 over the previous year.[4] The International Energy Agency (IEA) went on to report that global electricity demand had grown 6% by the end of 2021, constituting the largest rise in percentage terms since 2010. It also noted an increase of 1,500 terawatt hours in absolute terms for the year. Approximately half of this growth took place in China, where demand increased by 10%. Electricity produced by renewable sources rose by 6% during the same period.[5]
Looking ahead, IEA anticipates that electricity demand will grow an average of 2.7% each year. Renewables will constitute 90% of net demand growth during that period, with annual growth estimated at 8%. Meanwhile, IEA expected nuclear-based generation to grow 1% a year.[6]
What Are Some of the Risks Facing Electricity Organizations?
First, the convergence of Information Technology (IT) and Operational Technology (OT) opens opportunities for attack. Organizations can use connected sensors, Industrial Internet of Things (IIoT) devices, and other products to monitor the performance of their OT assets, conduct preventative maintenance, and maximize uptime. But there’s a flip side to the IT-OT convergence. Many OT systems use legacy software and hardware that’s decades old and that can’t receive updates remotely. This means the systems are susceptible to well-known vulnerabilities that digital attackers can use to establish a foothold into a victim’s network and pivot to business-critical assets.
There’s also the use of satellite Global Positioning System (GPS). The electric grid needs signals delivered by GPS to synchronize the transmission and distribution of electricity as well as to report on potential issues in real time.[7] The problem is that malicious actors can capture unencrypted GPS signals in civilian applications. Depending on the types of technologies used at electric utilities, malicious actors can leverage that opportunity to conduct GPS spoofing attacks and broadcast a fake signal. This can provide electric utilities with false insights into the state of the electric grid, providing cover which nefarious individuals can use to create blackouts.
Finally, electric utilities’ supply chains continue to grow in complexity. Many organizations in the sector now purchase equipment from manufacturers in Taiwan, Singapore, China, South Korea, and elsewhere. protection standards and compliance frameworks than those in the United States and Europe. Depending on the strength of those commitments, malicious actors could use certain oversights to compromise essential hardware and software for the purpose of gaining access to customers’ networks and systems.
What Motivations Do Attackers Have for Targeting Electricity?
Some attackers are intent on disrupting the availability and reliability of electricity in certain countries. Doing so can harm the host country’s national and global economy. These types of effects can benefit another utility that’s looking to undermine the reputation of a competitor. They can also work to the advantage of a nation-state that sponsors digital attackers as part of an interstate conflict.
That said, individuals who target electric utilities and other energy organizations tend to fit a certain profile. Most (98%) of them are external actors, with at least 78% of those attackers motivated by financial gains. Threat actors can capitalize on an attack against an electric organization by stealing data, selling it to a competitor, and/or handing it to a state sponsor.
How Are Attackers Targeting Electricity?
Three security incidents help to illustrate various ways that malicious actors are targeting entities in the electricity sector. One of those incidents was the SolarWinds supply chain attack. As a reminder, malicious actors infiltrated a software update distribution channel used by the company and abused it to push out malware to approximately 18,000 users. Once active, the malware attempted to contact a command and control (C&C) server operated by the attackers. If successful, this connection enabled the campaign’s operators to enter an affected organization’s network and perform follow-up attacks like dropping additional malware payloads. Indeed, of those 18,000 victims, nearly 2,000 experienced a Sunburst malware infection, with a third of those organizations based in electricity and other industrial sectors.
The incident discussed above wasn’t the only time that attackers targeted partners, suppliers, and third parties serving the electric grid. On May 14, 2020, Elexon, which administers the Balancing and Settlement Code (BSC) in the UK, that it had fallen victim to a digital attack. The incident affected the company’s internal IT network and employee laptops along with its email server, though it did not disrupt systems responsible for managing the transit of the United Kingdom’s electricity. Elexon didn’t clarify the source of the attack in a statement posted to its website, but some experts thought that ransomware had been responsible.[8]
There were other instances in which digital attackers targeted electric organizations directly, however. Around Christmas Day 2015, for example, malicious actors entered the supervisory control and data acquisition (SCADA) networks used by Prykarpattyaoblenergo, an electric power distributor for the Ivano-Frankivsk in western Ukraine. The attackers used a phone-based denial-of-service (DoS) attack against customer call centers as cover to open breakers and take some substations off the grid. They also overwrote legitimate firmware with malicious code, rendering the converters unrecoverable, and leveraged malware called “KillDisk” to wipe the operator stations.[9]
What Standards and Frameworks Apply to
There are two major sets of standards that apply to electric organizations. The first is ISA/IEC 62443. This framework isn’t specific to the electricity sector. It seeks to address the challenges that electric utilities. pipeline companies, petroleum production plants, distribution facilities, and other organizations might face when attempting to secure their industrial automation and control systems (IACS) along with other assets in their OT environments. It does this by providing organizations with reference architectures by which they can build cybersecurity into their networks along with direction for crafting security processes and cybersecurity management systems (CSMS).[10]
The second set of standards relevant to electric organizations is the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP). The suite includes requirements that electric organizations in North America can use to secure their systems against digital threats like cyberterrorism and state-sponsored attacks. The standards include CIP-013-1, which requires organizations with bulk electric system (BES) Cyber Systems to implement a supply chain risk management program. They also cover CIP-008-6, a control which mandates that in-scope entities meet certain incident response requirements.
Electric utilities can do several things to minimize the risk of a hack. First, they can focus on achieving visibility of their assets—particularly software components within their applications. Organizations can do that by creating a Software Bill of Materials (SBOM) and investigating for potentially dangerous components, software dependencies, and supply chain risks. They can also use periodic walkdowns to verify that their inventories on file reflect what’s actually deployed across their environments.[11] With an accurate inventory in hand, electric utilities can then go about patching vulnerabilities in those authorized devices on a timely basis.
Next, they need to work to eliminate information silos. Utilities can do this by requiring leaders of relevant business leaders to participate in group meetings around digital security topics. Doing so will help to provide all stakeholders with a voice in the decision-making process so that organizations can create a holistic plan and allocate resources effectively.[12]
Third, organizations in the electricity sector can segment their IT and OT networks. This will help to prevent malicious actors from exploiting a vulnerable IIoT device for the purpose of accessing and tampering with OT assets.
Finally, electric utilities must avoid thinking of themselves as insulated entities. They might face unique challenges in terms of geography and local legislation, but they largely face similar digital threats. That’s why they might consider working together with industry peers and government agencies. By participating in drills such as NERC’s GridEx or the EIS Council’s transnational EarthEx exercise, these organizations can exchange intelligence on threats and vulnerabilities as well as hone their own company-wide defense plans.[13]
How Can Electricity Organizations Maintain a Strong Security Culture?
Aside from the measures described above, electric utilities must also take steps to build and maintain a strong security culture. They can do this by designating groups of “cybersecurity champions” within each business unit to help document employees’ security behavior Once they have that understanding, organizations can select behaviors they’d like to address and work with the cybersecurity champions as well as through an ongoing security awareness training program to change those behaviors over time.
This can be difficult for some electricity organizations to do on their own. That’s where Itegriti comes in. ITEGRITI is a cybersecurity consulting and advisory firm with deep expertise gained through our work in protecting large-scale and distributed National Critical Infrastructure since those Standards first became mandatory in 2008. The cybersecurity resilience programs we develop will help you avoid hacks, detect breaches, minimize business disruption during an event, and reduce incident recovery time. They will also help you to build cybersecurity into your compliance programs.
[1] “Critical Infrastructure.” The U.S. Department of Homeland Security. Retrieved 2022-03-01.
[2] “Critical Infrastructure Sectors.” The U.S. Cybersecurity & Infrastructure Security Agency. Retrieved 2022-03-01.
[3] “Energy Sector.” The U.S. Cybersecurity & Infrastructure Security Agency. Retrieved 2022-03-01.
[4] “2022 power and utilities industry outlook: The clean energy transition powers on.” Deloitte. Retrieved 2022-03-01.
[5] “Surging electricity demand is putting power systems under strain around the world.” The International Energy Agency. Published 2022-01-14. Retrieved 2022-03-01.
[6] Ibid.
[7] “Evolving Electric Power Systems and Cybersecurity.” U.S. Congressional Research Service. Published 2021-11-04. Retrieved 2022-03-01.
[8] Cimpanu, Catalin. “UK electricity middleman hit by cyber-attack.” ZDNet. Published 2020-05-14. Retrieved 2022-03-01.
[9] Zetter, Kim. “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid.” WIRED. Published 2016-03-03. Retrieved 2022-03-01.
[10] Gordon, Jonathan. “The Essential Guide to the IEC 62443 industrial cybersecurity standards.” Industrial Cyber. Published 2021-12-26. Retrieved 2022-03-01.
[11] Sanchez, Michael. “10 Essential Steps to Cyber Resilience as Hackers Target Critical Infrastructure.” Homeland Security Today. Published 2021-03-18. Retrieved 2022-03-01.
[12] Bailey, Tucker. “The energy-sector threat: How to address cybersecurity vulnerabilities.” McKinsey. Published 2020-11-03. Retrieved 2022-03-01.
[13] Livingston, Steve, et all. “Managing cyber risk in the electric power sector Emerging threats to supply chain and industrial control systems.” Deloitte. Retrieved 2022-03-01.