Gas, power sectors brace for cyber-attacks [NGW Magazine]
Apart from data theft and other regular cyber-threats faced by all businesses, interference in the gas and power sector can cause major disruption and damage, and severely affect many aspects of daily life.
Cybersecurity ranks second among corporate treasuries’ top areas of concern for the next three years, according to a recent survey by the Association for Financial Professionals. The issue is moving up the agenda as it grows in scale, with one aspect – data theft – projected to balloon to around 33bn records in 2023, up from 12bn in 2018, according to Cybercrime & the Internet of Threats 2018 from Juniper Research.
In the gas and power sector, however, the risks extend well beyond the theft of data. Critical assets can be taken offline or even physically threatened by cyberattacks, with the impact potentially influencing markets and prices. They can also impact the security of power supply – which is crucial to so many aspects of life today, including internet operation and wider communication. So, the challenge raises questions of national/economic security and stability, as well as the more mundane privacy issues.
Until a few years ago, operational assets such as offshore production facilities and electricity substations worked largely in isolation, but as they are all digitised and wired up to the internet for remote monitoring, control and updates, they have become vulnerable to cyber attack. It is easier for newer facilities to be designed and built with cyber threats in mind, as there are often weaknesses in older devices, although these can be identified by ‘penetration testing’.
The primary cybersecurity perpetrators in terms of the risk they pose are state-sponsored agencies with specialised hackers at their disposal, followed by corporate espionage and syndicated crime, according to PwC. The main reasons for this sort of attack are to acquire intellectual property, reservoir information or research and exploration data.
As a weapon of war
However, the motivation for cyber-attacks can be more serious still, with several countries around the world using them to attack rival interests. This can present serious challenges, threatening life, assets and the environment. By accessing control systems hackers could, for example, cause the flow of natural gas through a pipeline to grind to a halt, trigger an explosion at a petrochemical facility or do damage to an offshore drilling rig that could lead to an oil spill, according to EY.
One such attack was the Triton malware incident in the Middle East, which was thought to be state-sponsored, and which only failed because of an error in the hacker’s software that caused the safety system to shut down, according to DNV. Cyberattacks have caused serious problems for Saudi Arabia since the Shamoon virus was first identified in 2012. The hackers inserted malicious software into Saudi Aramco’s computer systems, and are likely to have been Iranian-backed. The financial impact of such attacks probably runs well into the billions of dollars.
There have also been major attacks in Europe, including one on the Norwegian oil industry in 2014. At the time, National Security Authority Norway (NSM) said 50 companies were hacked and 250 more were put at risk. Reports suggested the perpetrators were attempting to install themselves inside corporate networks where they could plant malicious code at will. NSM regularly warns that cyber espionage campaigns, possibly state-backed, continue to target the Norwegian industry.
In Norway, companies from the gas and cybersecurity sectors have set up a Joint Industry Project (JIP) to establish common recommended standards, helping enhance security. This can also cut insurance premiums and avoid fines, including under new European regulations such as the EU Network Installation Security (NIS) directive, which is designed to enforce common minimum standards across critical infrastructure.
Experts say most attacks are still from far more mundane perpetrators, including disgruntled employees or those attempting to collect and sell data, which is often done on a fairly random basis. Nevertheless, such attacks can cause considerable damage – as recent ransomware incidents have shown – and the industry needs to be prepared for both types of attack.
In early July, the EU’s energy commissioner Miguel Arias Canete raised particular concern over cybersecurity across power sector infrastructure, noting the grid’s growing importance as hydrocarbon fuel use falls, and that the system’s increased digitisation meant a higher risk from cyber threats. He said links with the power network and the Internet of Things (IoT) had also heightened the strategic importance of the grid.
He pointed to recent reports, which state that “foreign actors have been allegedly probing or even infiltrating the US, Russian and Asian electrical grids.”
As well as the NIS, the EU has bolstered cybersecurity through its Directive on Security of Network and Information Systems, which was adopted in 2016 and is being implemented. And this year, a new Cybersecurity Act creates a framework for voluntary European cybersecurity certification of products, processes and services. In addition, plans for dual gas/power grids are now obligatory in the EU, which is partly designed to enhance system cyber-resilience, alongside its main goal of facilitating decarbonisation.
Canete said key issues specific to the power sector included “real-time requirements” and “cascading effects” – implying that any security incident could have a direct and immediate impact on users, which could spread quickly. He also said that, as in the upstream gas sector, there would be complications related to the mix of legacy technologies with smart and state-of-the-art technology.
To further address these and other issues, he said that new regulation on electricity risk preparedness for 2019 meant EU members had to develop national risk preparedness plans and coordinate their preparation at regional level, including measures to cope with cyber-attacks. He also called for the development of a network code on cyber security, to increase the resilience of the energy sector.
On the ground, a void can often remain between IT systems – which are regularly updated and patched by specialists – and the operational systems, which are normally in the hands of the engineers who run and maintain facilities, according to Simon Daikin of cybersecurity consultancy Leidos. This can make the operational systems more vulnerable. In the energy sector, therefore, it is particularly important for cybersecurity to be employed as part of the culture across all areas of an organisation.
To be effective, he said companies need to take a strategic approach, with cyber-security more than just an add-on to the digital transformation. Many hackers employ a series of consecutive steps, starting with reconnaissance. Good defences can mitigate each step and gain intelligence from what’s going on, which is more proactive and engaged than a tactical response that addresses threats as they appear. In this way, only the most sophisticated of hackers can gain access and systems should remain safe.
A new business – but a fast-growing one
Cybersecurity is a new business, but it is growing fast. Companies need protection from a new and little-understood outside threat as they implement digitisation schemes.
The chief security officer at Claroty, Dave Weinstein, told NGW: “We and our half-dozen competitors are only about four years old, and it is a niche domain but one that is growing rapidly. We have amassed $100mn in private equity in four years, such is the demand for protection against malicious exploitation.
“Contrary to what most people think, it is the operational side of a company's business, the internet of things, rather than corporate networks and data protection, where a cyberattack can do the most damage. There is a massive convergence of information technology that controls physical processes and industrial environments.
“The internet of things includes devices, routers and sensors that perform monitoring functions, and these present a far lower barrier to entry for hackers than ever before. It is now much easier to gain and maintain access to networks that had been almost entirely isolated. The opportunities are much greater because of the much larger attack surface.
“Claroty offers extreme visibility into what is going on, and monitors threats to operations. At its most basic it is the equivalent of an intruder detection system, but one where the intruder does not know he has been seen.
“The most common attacks are on corporate sites, rather than critical infrastructure. It is harder to attack industrial networks and hacking into them takes a lot of time and resources. Each network poses its own challenges, so what works on one target will not work elsewhere. And because the hack can be prevented from recurring with a system update, the hacker only uses their skills when needed, which is why they tend to be financed by governments. They want to hold targets at risk in the event of an escalation of geopolitical events.
“But also this kind of hacking is an expensive operation and so most of the activity we see stops short of pulling the trigger; it is more about gathering intelligence and gaining persistent access. They can get on the network whenever they need with the least effort necessary, hold the target at risk and deploy their capability when it is most needed – this is typical of a nation state’s behaviour, rather than an individual.
“The second threat is more scalable: malware and ransomware like the NotPetya attacks. There, the virus starts on an IT network and migrates into operational networks and causes significant downtime. All these can be attributed to a lack of isolation, as no one department is responsible for stopping them and they can find their way into control systems.
“Claroty’s security system sends alerts to whichever department at the client company needs to know of an intrusion: for example the power plant floor, the back office, or an interface with the central operations centre. There is the risk too of so many alerts being generated whenever a change is detected that none are believed, and so we have developed an algorithm based on machine learning. This cuts out false alarms. Like the boy crying wolf, all alarms will get ignored if there are too many false ones.
“A lot of our customers present very attractive targets to hackers interested in industrial espionage, especially those in aerospace and energy.
“Finding a balance between the costs and benefits for a client is achievable. Part of the problem is that companies are diving into digitisation without regard for the security risks that ensue. This opens up a lot of doors to cyber risk. If the security is brought in early enough then the digital transformation has a better chance as the hacker comes up hard against a brick wall.”