Cyber Attacks in the Energy Industry: Don't Become a Victim

Cyber attacks in the energy industry are becoming more common. As major incidences have shown, the impacts can be costly and hugely disruptive.

When the Pivnichna substation in Kiev, Ukraine fell victim to a phishing attack in December 2016, the city suffered a widespread blackout, affecting 230,000 people. Experts say the incursion was likely a test for a larger planned attack.

In 2012, Saudi Arabia's state oil company, Saudi Aramco, had its operations shut down for five months after an employee opened a phishing email that infected 35,000 company computers. The firm, which provides 10 percent of the world's oil, was eventually forced to give away oil for free to keep it flowing within Saudi Arabia. Recently, there was a warning that the computer virus has returned, with at least one major petrochemical company affected.

Impacts of cyber crime can vary, and many are concerned about the potentially devastating ramifications of an attack on a nuclear power facility. Yukiya Amano, director of the International Atomic Energy Agency (IAEA), said a nuclear power plant had been targeted by a disruptive cyber attack two to three years ago. He warned there is a serious threat of militant attacks on nuclear plants.

However, there are effective and straightforward processes to protect any asset from a cyber attack, as well as many cybersecurity software providers that offer sophisticated and comprehensive solutions to defend against potential threats.

Estimating the Cost

Although the potential impacts of a cyber attack on a power plant are worrying, major breaches, fortunately, remain rare. Instead, the energy industry is seeing an increase in smaller, more targeted violations that can be easily mitigated. Experts say there is a trend of cyber attacks in the form of ransomware, or malware that encrypts a company's data. After which, the perpetrator demands money to remove the malware.

According to Ponemon Institute research for HP Enterprise Security in 2015, cyber crimes cost energy and utility companies around 12.8 million dollars each year in lost business and damaged equipment. This figure could be much higher, however. Companies often do not want to make a system breach public knowledge, as it essentially highlights a weakness in their system, and could damage their reputation.

Mitigating Cyber Crime

If an attack occurs on an asset, acting fast and following several simple steps can quickly get the incident under control. The main priority should be to determine the rogue software in the system. It could have been there for days or weeks, slowly infiltrating the network. Once the responsible malware is identified, it must be contained, and a damage assessment carried out.

Like good maintenance procedures, it's always best to stop attacks before they happen, so an asset manager's priority should be mitigation. In the past, operators have been rightly keen to digitize assets, only then adding cybersecurity barriers as an afterthought—but it's never too late to improve a plant's defenses.

When considering cybersecurity protection, plant managers should always take a holistic, bottom-up approach to implementing security.

Tony Proctor, a principal lecturer, consultant, and information security researcher at the University of Wolverhampton in the U.K., has researched cybersecurity for ten years. He says there are three basic principles to comprehensive cyber protection: confidentially, integrity, and availability—what he calls the CIA triad.

Asset managers should look at how this triangle is implemented across all their online systems. "Managers need to make sure data is confidential and only shared by people that need to see it, yet they also need to ensure systems are available for use because there needs to be a balance—you must establish confidentiality but at the same time ensure availability," Proctor says.

"Anecdotally, there is always what we call a soft reason why the server that has been affected hasn't been patched—perhaps it was out of the organization's control, maybe it was an outside server or a third-party system. It is a common situation I see," he adds. Such weaknesses in the network can often result from human factors, such as a lack of communication or regular tests on the system.

This, however, can be easily mitigated with proper and continuous staff training to spot the warning signs of cybersecurity breaches and weaknesses before they become a problem. Reinforcement of performance standards is also key, as well as continuous monitoring of the effectiveness of cyber controls currently in place.

Industry Collaboration

To raise awareness of cyber attacks in the energy industry, it is necessary to share information, says Proctor, because the more information that is known to the sector, the better we can mitigate the risks. "It's about sharing information, as one operator might see something else another hasn't seen," he says. "If one company deals with an incident, that can be really useful information for another organization, so it can then mitigate potential impacts."

Sharing information can also help suppliers, who might have fewer resources than larger companies, to learn how to better protect their systems. Therefore, sharing information with them can help plug weaknesses in the supply chain and improve cybersecurity for the whole industry.

Ongoing Management

Ultimately, comprehensive protection is achievable. Managers need to know the risks to their facility and then deploy resources to mitigate them.

Cybersecurity software providers themselves can help manage this often overwhelming task. Many organizations provide services and products that help customers design, test, certify, and secure their internet-connected devices, networks, and control systems.

Remember, good cyber security is multilayered, process driven, and should always be ongoing.