Cybersecurity tops agenda for utilities industry
Cyber-attacks on utilities and other critical infrastructure are not just on the increase, but have transitioned from speculative to indisputable. Utilities in the GCC, as well as vendors of ICS (industrial control systems), are now on the alert and taking remedial action.
About six years ago, Saudi Aramco was attacked by hackers who were able to infect 30,000 of the company’s computers with the Shamoon worm. Although gas and oil production was not disrupted, the company’s networks were brought down by the attack.
Only days after the attack on Saudi Aramco, computer systems at a neighbouring country’s energy firm were taken offline by a computer virus. Although production was not hit by the attack, it forced the firm to shut down its website and email systems.
The Stuxnet worm, first discovered in June 2010, clearly demonstrated that worms and related types of malware can successfully infiltrate programmable logic controllers or other types of hardware and cause significant damage, after it destroyed nearly 20% of Iran’s centrifuges.
AnonGhost, a politically motivated group of hacktivists, has issued a warning saying that it is planning to launch cyber-attacks on energy companies globally, including Adnoc and Enoc in the UAE, for using the dollar in oil trades.
In 2015, grid control centre operators in Ukraine watched helplessly as their cursors moved across their computer displays, clicking substations offline. They frantically struggled to retake control until being involuntarily logged out.
Before the cyber-attack ended, three stations were seized and over 225,000 Ukrainian electricity customers lost power. The hackers also shut down the three centres’ uninterruptible power supplies (UPS), leaving the operators themselves in the dark.
The remote cyber-attacks directed against Ukraine’s electricity infrastructure were bold and successful. It was the first time the world had seen this type of attack against OT (operational technology) systems in a nation’s critical infrastructure.
In May 2016, ransomware attacked the power and water utility at Lansing, Michigan, USA, resulting in a loss of about $2mn. These, along with several similar hacks, appear to have increased utility concern about the security of their power systems.
“The scale, nature and speed of cyber-attacks targeting energy and utilities installations are changing as technology evolves,” says Eugene Kaspersky, CEO of Russian headquartered cybersecurity firm, Kaspersky Lab. “A few years ago, cyber-attacks were restricted to office software. But with increasing vulnerabilities in the software and hardware used in utilities, cyber criminals are now toying with digital industrial networks.”
According to Kaspersky, utility professionals say cyber and physical security is the most pressing concern for their companies with the majority of them stating it is either “important” or “very important” today.
“Today, security issues rank highly among utility concerns right from electric power generation, transmission to distribution, largely due to the distributed energy policy being adopted by utilities across the world,” says Kaspersky.
He says that increased attention to ongoing cyber threats around the world by the media and industry groups is amplifying the genuine concern about security of critical infrastructure.
“Cyber-attacks such as the one in Ukraine are not being treated in isolation by the industry. There is a genuine concern that similar attacks might take place elsewhere,” Kaspersky points out. “And utilities are starting to share vital information on cyber-attacks and threats.”
In fact, the real awakening to the reality of cyber threats in the Middle East is as recent as five years ago, and it comes on the back of a series of cyber-attacks at some of the region’s largest installations.
In a 2013 report, one electric utility reports that it endures roughly 10,000 attempted cyber intrusions on a monthly basis.
Dealing with highly focused and highly skilled attackers who perpetrate sophisticated incursions into the utility infrastructure requires a robust and integrated set of capabilities. To prevent such incidents from occurring, utility organisations in the Middle East need to detect cybercriminal activity, respond quickly to suspicious behaviour and resolve the issue at hand.
But while previous attacks continue to animate utility sector planning for enhanced security, new distributed resources and grid technologies are adding more complexity to the system, which means that keeping security practices up to date will most likely be a continuous job.
“The rise in distributed energy provides a weakness for the existing model of cyber-attacks,” says Andrey Doukhvalov, chief strategy architect and head of future technologies department, Kaspersky Lab.
“This is good news. However, the bad news is that in the future the main challenge will be how to provide a trusted source of information from these distributed systems since information flow has to be centralised for effective management. And of course the issue of cybersecurity will now change to the area of trusted information.”
By examining the current cases of cyber-attacks, Doukhvalov says it is clear that cybercrime might shift from theft of information to theft of business continuity. “If the bad guys know the price of unplanned outage of a plant or digital substation, they no longer then need to steal personal information from bank accounts or money transfers. They just may attack installations and ask for a ransom that is almost equivalent to the cost of an unplanned outage of that particular installation.”
Data from a survey conducted by Ernst & Young (EY) shows that 80% of utility companies have witnessed an increase in external threats, with mobile computing, malware and phishing the most prevalent concerns.
But while they may recognise the threats, only 11% of survey respondents said they felt their current information security measures fully meet their organisation’s needs, 60% are running no or informal threat assessments while 64% believe that their security strategy is not aligned with today’s risk environment.
It is a trend that worries cyber security solutions providers who feel that the scale of threats is not widely understood by industry players and are now calling for a complete change in the approach for securing vulnerable utility infrastructure and systems.
The story of critical infrastructure security is part of a familiar narrative of the clash between old technology and new cyber threats, between government regulation and company motivation, and between cost and security – with security consequences unique to critical infrastructure.
“A large section of the existing utilities infrastructure is old and not resilient enough to withstand the emerging cyber threats,” says Andrey Suvorov, head of critical infrastructure protection business development, Kaspersky Lab.
Suvorov says that a complete change in attitude and approach is required to lessen threat levels, and to boost the security of all attack vectors at any given unit that could be a potential target.
Critical infrastructure systems including the electrical grid and water disbursement are in need of some serious security overhauls to prevent the hacking threats currently impacting those sectors, he says.
“What we are witnessing is mostly a reactive approach where companies deploy security solutions only after threats become palpable. But to guarantee high availability, reliability and safety, the entire system must be insulated from current and future threats because attackers are always changing tactics.”
A number of companies tend to give less attention to real possible targets and instead focus on areas such as data, which downplays the very real possibility of cybercriminals taking control of essential resources, says Suvorov.
“With the increased convergence of cyber and physical worlds, attacks are no longer limited to office computers and networks, and can have a physical impact in the real world,” Suvorov points out.
“It makes economic sense to make a single investment in a security solution that will protect your infrastructure for many years ahead rather than waiting for a threat to happen and then taking action.”
The industrial cybersecurity expert says that it is important that utilities implement IT security solutions that integrate network, endpoint and malware analysis, threat intelligence and remediation capabilities and don’t just deliver rapid detection and response, but continuous automated incident resolution.
“But most importantly, any solution must take people into consideration, both as strong and weak points in securing a system. People pose more of a real threat than the processes within a company. Therefore, sensitisation is needed at all levels along with building a robust secure perimeter, based on a layered approach to prevent abuse,” says Suvorov.
In October 2012, a contractor at a US power plant accidentally infected a turbine control system with a worm delivered via a USB drive and took the power plant offline for three weeks.
The scale of the damage could have been unimaginable had the contractor been an accomplice working with cyber criminals inside.
In a recent report by PwC, 67% of participants said that within the past year, they have had at least one security compromise that led to the loss of confidential information.
The report also revealed that 47% of the attacks came due to negligence on the part of staff members.
“People must be provided appropriate training to guide them in working on sensitive systems. At the same time, measures should be put in place to restrict movement of unauthorised personnel at the installation,” says Jari Kaija, senior vice president, ABB Group Services.
ABB’s Cyber Security Monitoring Service, powered by ServicePort, identifies, classifies and helps prioritise opportunities to improve the security of a control system. By overseeing the cyber security status of a control system, ServicePort collects system data for comparison against industry best practices and standards to detect weaknesses within a system’s defence.
“This pinpoints areas that require action to help protect your control system by ensuring it has multiple layers of security. The ABB Cyber Security Monitoring Service is non-invasive, and can be applied to any control system,” points out Kaija.
Honeywell has devised a six cycle security solution to help detect threat vectors within the utilities sector and provide real time remedies to any potential security breach.
The Honeywell Industrial Cyber Security Risk Manager has been designed to simplify the task of identifying areas of cyber security risk, providing real-time visibility, understanding and decision support required for action. It monitors and measures cyber security risk in multi-vendor industrial environments.
“We are working with a number of companies around the world and helping them to conduct a full assessment of their infrastructure, their policies, and compliance to regulations. Based on our findings, we build the most optimised design for them,” says Safdar Akhtar, director of CyberSecurity, Honeywell Process Solutions, EMEA.
“Bearing in mind that there is a lot of old infrastructure, our solutions are tailored to meet the specific security requirements of each installation. We will advise a client if the infrastructure needs a complete overhaul.”
Honeywell has made significant investments in a cyber security lab to help identify vulnerabilities through various diagnostics techniques geared towards the creation of a more resilient system. It has built a $1.5mn state-of-the-art cyber security lab in Dubai, the first ever outside the USA, and it is being used to remotely monitor installations in the region to protect them from any possible attacks.
The reality of cyber-attacks has seen a significant increase in budgets for IT security worldwide with some utility companies creating divisions dedicated to cybersecurity.
General Electric is reported to have so far invested over $1bn into the Industrial Internet and cybersecurity solutions.
GE has acquired, for an undisclosed sum, Vancouver-based Wurldtech, which specialises in security software that protects big industrial sites used by the energy, chemical, nuclear and manufacturing industries.
Established IT companies are increasing cybersecurity solutions that target the utilities sector, as the industry becomes a clear target for cyber criminals.
“A lot of customers are smart about cybersecurity and most have strong IT security practices. What needs to happen is the operations technology security has to bridge to the IT practices,” says Ganesh Bell, chief digital officer, GE Power.
“The operations side is catching up. The other wrinkle here is the role of the government given that utility cyberattacks can be carried out by state actors. There are a number of private-public initiatives revolving around cybersecurity.”
Microsoft has invested more than $2bn improving smart and cybersecurity solutions for utilities infrastructure.
“In the past, we have seen C-level executives of organisations adopting a very conservative approach to technology adoption. They only view technology in terms of new business models and cost optimisation, often downplaying the real possibility of this same technology being compromised,” says Kaspersky. “We see this changing as due consideration is now being given to the likelihood of cyber-attacks.”
“Another challenge has always been resistance from OT (operational technology) staff who do not want any interference with their existing technology set up. That is why we have based the genealogy of our solutions on passive ways of monitoring which leaves any existing technology set up intact.”
Kaspersky Lab recently signed a Memorandum of Understanding (MoU) with UAE headquartered Injazat Data Systems (Injazat), an industry-recognised market leader for secure data centre and managed services solutions. The agreement will see the two parties working together to develop a potential partnership in the areas of industrial IT security, cyber defence and other offerings.
As the drive to connect citizens and devices through smart city initiatives gains momentum in the Middle East, the threat of cyber-attacks remains real and its potential to ruin these dreams is inescapable.
This probably explains the growing market for cybersecurity solutions in the region estimated to reach $13.43bn, according to a recent report by Cybersecurity Ventures.