You don’t know the power of the Dark Side

In the past week, security firm Symantec warned that a series of recent hacker attacks compromised energy companies in the US and Europe and resulted in the intruders gaining hands-on access to grid operations.

The European Commission is due to release a review that recommends bolstering cyber security in the EU by increasing investment in technology, setting stricter consumer safeguards and stepping up diplomacy to deter attacks by other nations, among other measures. In Australia, the Department of Prime Minister and Cabinet recently put out a call for a dedicated cyber security deputy secretary to sit within its national security and international policy group – a second high-profile cyber security executive in addition to the Prime Minister’s top cyber adviser, Alastair MacGibbon.

The Symantec post revealed a new campaign of attacks by a group it is calling Dragonfly 2.0, which it says targeted dozens of energy companies in the spring and summer of this year.

The Symantec warning follows the cyber attacks that knocked out the electricity system in in the Ukraine and ongoing global concerns about the scale and nature of attacks on digital assets.

Source: World Energy Council, The road to resilience: Managing cyber risks.

The energy sector has been identified as the sector most targeted for malicious attacks that may compromise cyber security. As the grid is becoming more and more dependent on enhanced grid intelligence, digitalisation and data-sharing, it is becoming more responsive to changes in electricity demand and better at integrating new sources of generation at any level in the system.

This introduces new cyber hazards to the security of grid assets, management systems and customer data. The enhanced connectivity and responsiveness, if not managed correctly, could leave the system open to attack by hackers.

The Australian response

The Finkel review Blueprint for the Future[1], recognises the need for strong cyber security measures. Finkel recommends that:

An annual report into the cyber security preparedness of the National Electricity Market should be developed by the Energy Security Board, in consultation with the Australian Cyber Security Centre and the Secretary of the Commonwealth Department of the Environment and Energy.

The annual report should include:

• An assessment of the cyber maturity of all energy market participants to understand where there are vulnerabilities;
• A stocktake of current regulatory procedures to ensure they are sufficient to deal with any potential cyber incidents in the National Electricity Market;
• An assessment of the Australian Energy Market Operator’s cyber security capabilities and third party testing; and
• An update from all energy market participants on how they undertake routine testing and assessment of cyber security awareness and detection, including requirements for employee training before accessing key systems.

The initial report should be completed by end-2018.

Basic representation of the key dimensions in cyber security relevant to the electricity system[2]

Parallel to Finkel, cyber security has been elevated as a key strategic priority for energy networks in the past two years.

Network businesses use advanced cyber security strategies to deter, detect and respond to threats.  It is a core part of their detailed risk management planning, asset management and IT and communications planning. Businesses are constantly monitoring and regularly auditing their cyber security defences.

With the increase in cyber security risks, networks have strengthened collaborative approaches in the past 12 months to heighten the capacity of the sector to identify hazards and respond quickly.

Energy networks do not openly discuss their efforts and initiatives to manage cyber security risk to protect the safety and security of Australians. However, the recent publication Cyber Security and Energy Networks provides an overview of the areas where cyber security must be managed.

Regulation and compliance

A multi-pronged approach to cybersecurity preparedness is required. The Australian Energy Market Operator (AEMO) has current cyber security protocols in place and is working with network companies and other key stakeholders across the country including the Australian Government’s Australian Cyber Security Centre (ACSC) and CERT Australia to monitor the grid for attacks, as well as requiring safeguards to keep unauthorised intruders from accessing control networks.

As recommended by the Finkel review, AEMO’s cyber security protocols will need to be assessed regularly to ensure they continue to provide appropriate coverage to mitigate all malicious cyber activity.[3]

Networks will also work with other stakeholders on developing new cyber security protocols and standards to ensure all participants in the electricity system maintain strong safeguards.

Widespread connection of distributed energy resources (DER), smart appliances, and more complex electricity markets will also heighten privacy concerns, as more personal and corporate information is gathered and stored by utilities and other key market actors. If network companies and other key stakeholders such as retailers expand their services beyond the current ones used to deliver electricity today, by interacting with DER aggregators, for example, specific procedures to protect data will be needed.[4]

Regulators will need to work with key industry stakeholders to establish:

• New rules governing the industry that will allow for the raising of minimum cybersecurity standards that are adaptable to evolve with changing threats;
• Access to data which safeguards privacy and commercial confidentiality including the establishment of new standards for privacy for all components of an interconnected electricity network;
• New secure systems to share current cyber threat information quickly and effectively between all electricity system ecosystem stakeholders; and
• New training modules to teach the future workforce to be not only electricity experts but also awareness of good cyber security practices so that they are also cyber security defenders.

To support this, energy networks have adopted a number of key measures to prepare and respond to the risk, including:

• Establishment of a Cyber Security Forum dedicated to gas and electricity networks, consisting of IT and OT cyber security specialists in Energy Networks Australia member companies;
• New information risk-sharing protocols and alerts between energy networks;
• A new initiative with Standards Australia to directly adopt existing international cyber security standards and protocols for Power Systems management and Associated Information Exchange and Industrial Process Measurement, control and Automation;
• Collaboration with AEMO to review data communications security standards;
• Close cooperative engagement with the Australian Cyber Security Centre, Attorney-General’s Trusted Information Sharing Network and Critical Infrastructure Centre, Department of the Environment and Energy’s Energy Security Office, and CERT Australia; and
• Working with the training sector to revise industry training packages to incorporate cyber security capabilities.

Cyber security and the system of the future

When designing the electricity system of the future a number of new features to maintain cyber security should be considered.

One key consideration should be the development, establishment and ongoing maintenance of data hubs or data exchanges. These would serve several purposes:

• securely storing metered data on customer usage;
• telemetry data on network operation and constraints, and other relevant information; allowing non-discriminatory access to this data to registered market participants; and
• providing end consumers with timely and useful access to data on their own usage of electricity services.

Responsibility for this function will need to be carefully assigned, with priority given to data security and consumer privacy considerations.[5]

Another design consideration is the system resilience required to contain and minimise the consequences of any cyber incidents. For example, microgrids using DER are helpful for resilience, and with “islanding” operations can assist in “black-start” or continued operations if the broader grid goes down due to a cyber or physical incident.

Ongoing assessment, implementation and management

In addition to the Finkel recommendations it is essential that energy networks and other market participants regularly assess how their organisational cyber security strategies evolve over time. A strong defence against cyberattacks is a continuous process and requires an ongoing effort and a recurring annual investment. To support this, Energy Networks Australia and its members have instigated a cyber security maturity assessment program which will assist the networks to anticipate and meeting evolving threats.[6]

Other participants across the energy supply system should adopt similar assessment programs of their own to ensure no weaknesses can develop in any other part of the system.