“The issue of cybersecurity permeates every facet of society. And attackers are constantly developing new methods.”

In this interview, Dr. Stephan Beirer from information security consultancy GAI NetConsult explains why cybersecurity needs to be taken into account in each and every area of the power grid, which attacks are most likely, and what needs to be done after an attack has occurred.


Hackers attacking power grids is a popular theme in novels and films. How do you rate the threat level?

The threat is quite real and, in my opinion, it has increased in recent years. This can be seen not only in various media reports, such as those covering the attacks in Ukraine during Christmas 2015 and 2016, when up to 700,000 households were left without electricity for hours. Indicators also include, in particular, the concrete non-public warnings issued to operators by the security authorities. Such warnings are not issued without reason.

What kinds of attacks do you think are most likely?

If we are talking about targeted attacks, these are scenarios in which an attacker tries to intervene in the power supply, for example by triggering unauthorized switching operations. In the worst case, a successful attack on the grid infrastructure could lead to a supply disruption. As we are increasingly creating interfaces with end users – I’m thinking particularly of smart metering, that is intelligent electricity meters, control boxes, and electric mobility – in future we can also expect attacks on the technology used by consumers and on their personal data.

Physicist Dr. Stephan Beirer is Team Manager for the Information Security of Process Control and Automation Systems department at GAI NetConsult GmbH. In this role, he primarily advises medium and large industrial and energy supply companies, trade associations, and manufacturers. (© Tobias Kruse)

Who is interested in carrying out large-scale attacks?

According to current information, the biggest threat is from state or semi-state actors. They have the necessary extensive resources to carry out such sophisticated attacks. It is also conceivable that attacks might be used for blackmail attempts by those involved in organized cyber crime. Although the media often reports on the possibility of terrorist attacks on our power grids, I think this risk is relatively unlikely at the moment. On the other hand, the classic hacker stereotype of a tech-savvy individual is more relevant in the area of end-user interfaces.

What hardware and software measures are needed to protect against such attacks?

Nowadays, hardware and software must always be considered as one and, unfortunately, the grid infrastructure cannot be protected with individual measures.

Manufacturers and operators have to work hand in hand and implement measures from a range of areas, including well-regulated access protection, malware protection (in particular for PC-based systems), and network zoning so that the entire network cannot be compromised in the event of an attack. In addition, it is essential to only use systems that offer available security support enhanced by an adapted patch management process which updates software.

<Network zoning>
Dividing a network into different areas interconnected by secure interfaces.

<Patch>
Software program intended to remedy the errors contained and detected in a program. Patch management refers to the planned procedure for implementing patches.

<Hardening>
Process that increases the security of a system by using only the features that are actually needed, disabling unnecessary services and activating security-enhancing options for the application.

The hardening of all system components, that is deactivating unnecessary services and functions, can increase security, as well as using secure network protocols for parameterization and component management. It is absolutely necessary for operators to establish a security organization and component manufacturers must ensure secure and robust implementation.

How important is it to keep all components up to date?

Modern components have an extensive and often complex software and firmware installation. This software contains programming errors which cannot be completely avoided and which can manifest themselves as security vulnerabilities. They can be harmless, but also highly critical and can endanger the safe and secure functioning of the component.

Therefore, manufacturers must identify vulnerabilities in the component software; for example, by actively tracking security gaps in third-party components. Depending on their criticality, the detected vulnerabilities have to be fixed as part of release upgrades or with emergency patches in urgent cases and then provided to customers.

Operators must conclude maintenance contracts so that they are informed about vulnerabilities and receive updates. This patch management must be carried out based on the specific risks in question, as not every operator has the same security requirements and as the vulnerabilities are also not exploitable in every environment. If an acute risk occurs which exceeds a pre-defined threshold, the software patch must be rolled out as soon as possible after the required tests. Less critical patches are usually installed during periodic maintenance windows.
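A worked illustration of the risk-based patch triage described in the answer above, added here as an example; it is not part of the interview and not a GAI NetConsult or MR tool. The advisory identifiers, asset names, zone names, weighting factors and the emergency threshold are all constructed assumptions that an operator would replace with the values from its own risk analysis. What it shows is the point the answer makes: the same vulnerability can be an emergency on one device, routine maintenance-window work on another, and irrelevant on a third, depending on whether the affected feature is enabled and who can reach the device.

```python
from dataclasses import dataclass

# Operator-defined constants (hypothetical values): zones treated as less trusted than the
# process network, and the risk score above which a patch becomes an emergency.
UNTRUSTED_ZONES = {"office", "remote_access", "internet"}
EMERGENCY_THRESHOLD = 18.0

ACTION_EMERGENCY = "emergency: test on the staging system, then roll out immediately"
ACTION_WINDOW = "schedule for the next periodic maintenance window"
ACTION_RELEASE = "not exploitable in this environment: install with the next regular release"


@dataclass(frozen=True)
class Vulnerability:
    advisory: str               # vendor advisory identifier (invented for the example)
    component: str              # affected product / firmware line
    cvss_base: float            # CVSS v3.x base score, 0.0 .. 10.0
    affected_feature: str       # feature that must be enabled for the flaw to be reachable
    network_exploitable: bool   # True: exploitable over the network; False: local/physical access needed


@dataclass(frozen=True)
class Asset:
    name: str
    component: str
    criticality: int            # 1 (low) .. 3 (high), from the operator's own risk analysis
    enabled_features: frozenset
    reachable_from: frozenset   # network zones that can reach this asset


def risk_score(vuln, asset):
    """Environment-specific risk: base severity scaled by asset criticality and actual exposure."""
    if vuln.component != asset.component or vuln.affected_feature not in asset.enabled_features:
        return 0.0                      # feature disabled (hardening pays off): not exploitable here
    if not vuln.network_exploitable:
        exposure = 0.5                  # attacker needs local or physical access
    elif asset.reachable_from & UNTRUSTED_ZONES:
        exposure = 1.0                  # reachable from a less trusted zone
    else:
        exposure = 0.6                  # reachable only from inside the process network
    return vuln.cvss_base * asset.criticality * exposure


def triage(vuln, asset):
    """Map one (vulnerability, asset) pair to the patch-management action for this operator."""
    score = risk_score(vuln, asset)
    if score == 0.0:
        action = ACTION_RELEASE
    elif score >= EMERGENCY_THRESHOLD:
        action = ACTION_EMERGENCY
    else:
        action = ACTION_WINDOW
    return {"asset": asset.name, "advisory": vuln.advisory, "score": round(score, 1), "action": action}


def worklist(vulns, assets):
    """All applicable pairs, highest environment-specific risk first."""
    rows = [triage(v, a) for v in vulns for a in assets if v.component == a.component]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample data; identifiers, scores and zones are invented for illustration.
VULNS = [
    Vulnerability("VENDOR-2024-001", "rtu-fw", 9.8, "web_hmi", True),
    Vulnerability("VENDOR-2024-002", "rtu-fw", 6.4, "usb_config", False),
]
ASSETS = [
    Asset("RTU-01", "rtu-fw", 3, frozenset({"iec104", "web_hmi", "usb_config"}),
          frozenset({"process", "remote_access"})),
    Asset("RTU-02", "rtu-fw", 3, frozenset({"iec104"}), frozenset({"process"})),
    Asset("RTU-lab", "rtu-fw", 1, frozenset({"iec104", "web_hmi"}), frozenset({"process"})),
]

if __name__ == "__main__":
    for row in worklist(VULNS, ASSETS):
        print(f'{row["asset"]:8} {row["advisory"]:16} {row["score"]:5.1f}  {row["action"]}')
```

With these inputs the web-interface flaw is an emergency on RTU-01 (enabled, critical, reachable via remote access), falls to the maintenance window on the low-criticality lab device, and produces no action on RTU-02 because the interface was disabled during hardening. The score formula is deliberately simple; what matters is that the inputs on the right-hand side (enabled features, reachability, criticality) come from the operator's asset inventory rather than from the advisory alone.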

How can operators prepare their employees?

It is essential to train them properly. For network or component managers, this training must obviously include the fundamentals of information security and the required technologies. Users from other areas should start with awareness training which addresses issues such as typical security problems, what an attack looks like, and how it can be detected. Very practical issues are also important. For example: What do I need to bear in mind when using my parameterization laptop? Can I connect an external USB stick? What kind of potential security incidents do I have to report?

How can grid operators test the security of their systems?

Self-assessment is an important part of a functioning security management process, and the nature of the tests can vary. In this way, compliance with ISMS and standard requirements can be checked within the framework of organizational audits. For example, technical tests are usually used to verify the concrete implementation of the systems within the infrastructure from a security perspective.

There are various approaches depending on the target environment: Due to their criticality, live environments can usually only be tested with non-invasive testing techniques, such as a configuration review, whereas in an isolated test environment, more in-depth test methods can be used. A test which is often cited in the media is the penetration test, where a tester without specific prior knowledge uses hacker methods to simulate an attack. This test must only be used after extensive preliminary planning and only on less critical interfaces, such as between the office and process network. Another important area of testing is acceptance tests in which, in addition to functional tests, security tests are carried out when systems are renewed or expanded in order to verify their security characteristics.

<Criticality>
The importance of a system in relation to the task it fulfills.

<Non-invasive testing technique>
Test methods that do not interfere with the system being tested. Particularly used to test critical live systems.
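An added example of the non-invasive configuration review mentioned in the answer above, combined with the hardening checks (disable unnecessary services, use secure protocols) from the earlier answer on protective measures. It is not from the interview and not a GAI NetConsult or MR tool: the script reads an exported device configuration as text and compares it against a baseline, so the live device is never touched. The configuration syntax, the device roles, the baseline services and both sample configurations are constructed for illustration; a real review would use the device's own export format and the operator's own baseline.

```python
import re

# Hypothetical hardening baseline: the services each device role legitimately needs, and
# services that are never acceptable on a hardened grid component (with the reason).
REQUIRED_SERVICES = {
    "rtu": {"ssh", "https", "iec104"},
    "hmi": {"ssh", "https"},
}
FORBIDDEN_SERVICES = {
    "telnet": "cleartext credentials; use ssh",
    "ftp": "cleartext credentials; use sftp/scp",
    "http": "cleartext management interface; use https only",
    "snmp_v1v2c": "community string travels in the clear; use SNMPv3 with authentication and privacy",
}
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed configuration export of a substation RTU, in an invented 'key ... value' syntax.
SAMPLE_CONFIG = """
hostname rtu-sub-07
service telnet enable
service ssh enable
service http enable
service https enable
service ftp disable
service modbus enable
service iec104 enable
snmp version 2c
snmp community public
syslog server 10.20.0.50
ntp server 10.20.0.5
"""

# The same device after hardening: only the services the role needs, SNMPv3, no default community.
HARDENED_CONFIG = """
hostname rtu-sub-07
service ssh enable
service https enable
service iec104 enable
snmp version 3
syslog server 10.20.0.50
ntp server 10.20.0.5
"""


def parse_config(text):
    """Parse the export into a dict; enabled services are collected under 'services'."""
    cfg = {"services": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):          # blank lines and comments
            continue
        m = re.fullmatch(r"service\s+(\S+)\s+(enable|disable)", line)
        if m:
            if m.group(2) == "enable":
                cfg["services"].add(m.group(1))
            continue
        parts = line.split()
        cfg[" ".join(parts[:-1])] = parts[-1]          # e.g. 'snmp version' -> '2c'
    return cfg


def review(text, role):
    """Compare an exported configuration against the baseline; returns a list of findings."""
    cfg = parse_config(text)
    enabled = set(cfg["services"])
    if cfg.get("snmp version") in ("1", "2c"):
        enabled.add("snmp_v1v2c")                      # treat insecure SNMP like a forbidden service
    findings = []
    for svc in sorted(enabled & set(FORBIDDEN_SERVICES)):
        findings.append({"severity": "high", "check": f"service {svc} enabled",
                         "fix": FORBIDDEN_SERVICES[svc]})
    for svc in sorted(enabled - set(FORBIDDEN_SERVICES) - REQUIRED_SERVICES[role]):
        findings.append({"severity": "medium", "check": f"service {svc} not needed for role '{role}'",
                         "fix": "disable services the device does not need (hardening)"})
    if cfg.get("snmp community") in DEFAULT_COMMUNITIES:
        findings.append({"severity": "high", "check": "default SNMP community string",
                         "fix": "use a unique community or, better, SNMPv3"})
    if "syslog server" not in cfg:
        findings.append({"severity": "medium", "check": "no central syslog target",
                         "fix": "forward logs so that attacks can be detected early"})
    if "ntp server" not in cfg:
        findings.append({"severity": "low", "check": "no time source configured",
                         "fix": "synchronise clocks so that logs from several devices can be correlated"})
    return findings


if __name__ == "__main__":
    for name, text in (("before", SAMPLE_CONFIG), ("after", HARDENED_CONFIG)):
        result = review(text, "rtu")
        print(f"--- {name} hardening: {len(result)} finding(s)")
        for f in result:
            print(f'[{f["severity"]}] {f["check"]}: {f["fix"]}')
```

Against the first export the review reports telnet, HTTP and SNMPv2c as high findings, the default community string as a further high finding, and Modbus as a service the RTU role does not need; the hardened export produces no findings. Because the script only reads an export, it can be run against production devices at any time, which is exactly why configuration review is the method of choice for live environments.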

How can we find a reasonable balance between cost-effectiveness and security?

As with everything in life, costs are also an essential factor in the field of information security. Varying requirements must also be met depending on the criticality of the energy utility. Therefore, for legal reasons alone, an operator of a critical infrastructure will have to invest considerably more effort than a small public utility. However, when considering cost effectiveness, it is important to take into account the entire application rather than just the security measures.

For example, whether the convenience and efficiency of accessing the substation automation system via an app on your cell phone justifies the comprehensive security measures required in this situation must be decided on a case-by-case basis. The complete digitalization of the grids and the widespread networking which this entails are only feasible if comprehensive security measures are taken into account. After all, no one would ever think of launching a car into the market without brakes.

And if the hacker was successful…?

In addition to preventive measures – which come under the keyword “Protect” – Detect, Respond, and Recover measures are just as important. Simply because, for reasons of cost alone, preventive measures can never provide 100% protection. An operator must therefore be ready to detect a security problem such as an attack or a comprehensive infrastructure disruption at an early stage, to contain it, and to recover from defined emergency operation back to normal operation. This requires appropriate preparations and emergency plans.
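The interview names unauthorized switching operations as the main targeted-attack scenario and early detection as the necessary complement to prevention. The following added example (not from the interview, and not a GAI NetConsult or MR product) shows one way to detect such commands on the wire: it parses IEC 60870-5-104 APDUs from constructed sample traffic and raises an alert when a control ASDU with cause of transmission "activation" or "deactivation" comes from a host that is not the allowlisted control master for that station, or when a frame is malformed. The choice of IEC 104 as the protocol, the IP addresses, the allowlist and the sample frames are assumptions; the frame layout follows the standard (start octet 0x68, length octet, 4-octet APCI, then the ASDU).

```python
import struct
from dataclasses import dataclass

# IEC 60870-5-104 type identifications for control ASDUs ("commands"):
# 45..51 without time tag, 58..64 the same commands with a CP56Time2a time tag.
CONTROL_TYPE_IDS = set(range(45, 52)) | set(range(58, 65))
C_SC_NA_1, C_DC_NA_1, C_IC_NA_1 = 45, 46, 100          # single command, double command, interrogation
COT_ACTIVATION, COT_ACT_CONFIRM, COT_DEACTIVATION = 6, 7, 8

# Hypothetical allowlist: which control master may command which common address (station).
ALLOWED_MASTERS = {"10.20.0.10": {1, 2}}


@dataclass
class Asdu:
    type_id: int
    cot: int            # cause of transmission, low 6 bits of the COT octet
    common_addr: int
    ioa: int            # information object address of the first object
    select: bool        # S/E bit: True = select, False = execute (commands only)


def build_apdu(type_id, cot, common_addr, ioa, element, tx=0, rx=0):
    """Assemble an I-format APDU with one information object (used here to construct test data)."""
    asdu = (bytes([type_id, 0x01, cot & 0x3F, 0x00])        # type, VSQ = 1 object, COT, originator
            + struct.pack("<H", common_addr)
            + struct.pack("<I", ioa)[:3] + element)           # 3-octet little-endian IOA + element
    apci = struct.pack("<HH", (tx << 1) & 0xFFFF, (rx << 1) & 0xFFFF)  # bit 0 clear = I-format
    body = apci + asdu
    return bytes([0x68, len(body)]) + body


def parse_apdu(raw):
    """Parse one APDU. Returns an Asdu for I-format frames, None for S-/U-format frames."""
    if len(raw) < 6 or raw[0] != 0x68 or raw[1] != len(raw) - 2:
        raise ValueError("malformed APDU header or length")
    if raw[2] & 0x01:                 # S-format (..01) and U-format (..11) carry no ASDU
        return None
    asdu = raw[6:]
    if len(asdu) < 10:                # header (6) + IOA (3) + at least one element octet
        raise ValueError("truncated ASDU")
    type_id = asdu[0]
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    select = type_id in CONTROL_TYPE_IDS and bool(asdu[9] & 0x80)
    return Asdu(type_id, asdu[2] & 0x3F, common_addr, ioa, select)


def inspect(src_ip, raw, allowed=ALLOWED_MASTERS):
    """Return a reason string if the frame is a control command that violates policy, else None."""
    try:
        asdu = parse_apdu(raw)
    except ValueError:
        return "malformed_apdu"
    if asdu is None or asdu.type_id not in CONTROL_TYPE_IDS:
        return None
    # Only activation/deactivation requests originate from a master; confirmations and
    # terminations (COT 7, 9, 10) are the outstation's replies, not commands.
    if asdu.cot not in (COT_ACTIVATION, COT_DEACTIVATION):
        return None
    if src_ip not in allowed:
        return "unauthorised_source"
    if asdu.common_addr not in allowed[src_ip]:
        return "out_of_scope_common_address"
    return None


def scan(packets, allowed=ALLOWED_MASTERS):
    """packets: iterable of (timestamp, src_ip, payload). Returns a list of alert dicts."""
    alerts = []
    for ts, src, raw in packets:
        reason = inspect(src, raw, allowed)
        if reason:
            alerts.append({"time": ts, "src": src, "reason": reason, "payload": raw.hex()})
    return alerts


# Constructed traffic: the legitimate master, an outstation reply, an engineering laptop in the
# office zone issuing a command, the master addressing a station it is not responsible for, garbage.
SAMPLE_PACKETS = [
    ("12:00:01", "10.20.0.10", build_apdu(C_SC_NA_1, COT_ACTIVATION, 1, 0x1001, b"\x01")),    # ON, execute
    ("12:00:01", "10.20.1.5", build_apdu(C_SC_NA_1, COT_ACT_CONFIRM, 1, 0x1001, b"\x01")),    # actcon reply
    ("12:00:05", "10.20.0.10", build_apdu(C_IC_NA_1, COT_ACTIVATION, 1, 0, b"\x14")),          # interrogation
    ("12:00:09", "10.20.0.10", bytes.fromhex("680401000200")),                                  # S-format ack
    ("12:03:40", "192.168.50.23", build_apdu(C_DC_NA_1, COT_ACTIVATION, 1, 0x1002, b"\x01")),  # OFF, office host
    ("12:03:41", "10.20.0.10", build_apdu(C_SC_NA_1, COT_ACTIVATION, 7, 0x1001, b"\x81")),    # select, station 7
    ("12:03:42", "192.168.50.23", bytes.fromhex("68ff00")),                                      # malformed
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
```

In production the payloads come from reassembled TCP streams on port 2404 (the standard IEC 104 port) taken from a mirror port, and one segment may carry several APDUs back to back, which the length octet is used to split; that stream handling, and correlating a select with its subsequent execute, is left out here. The allowlist is the detection's weak point if a legitimate master is compromised, so it is a complement to, not a replacement for, the zoning and access controls discussed earlier.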

How will the topic of cybersecurity in power grids evolve in the future?

In recent years, information security has evolved from a specialized problem to a topic that permeates every facet of our technological society. This naturally includes all automated industries, but especially the energy-supply industry. In the future, both manufacturers and operators will try to develop and implement standardized solution concepts. However, as the fields of IT and control technology are producing ever more complex application scenarios and the attackers are constantly developing new methods as well, the topic will continue to play an important role. Personally, I’m not worried about the possibility of being out of a job in ten years’ time.

More information


Cybersecurity @ MR

MR takes the topic of cybersecurity into account for all its components and ensures that it is implemented right from the start. With this in mind, MR focuses on producing a high level of product security, continuously optimizes its processes with regard to security, and maintains a comprehensive risk management system. A dedicated MR-CERT (Cybersecurity Emergency Response Team) is the central point of contact for all questions relating to IT security. The MR specialists advise customers and are involved in the development of a product from the outset. Among other things, they determine which standards and guidelines have to be observed for a specific project.


Mission: Cybersecurity

GAI NetConsult GmbH is an independent consulting company which specializes in information security. A particular focus of activity for the company is industrial IT security, especially in the area of energy supply. In addition to project work, the company also deals extensively with the topic in the context of standardization and associations. A number of key German and international industry recommendations and standards, such as the BDEW/OE white paper (German Association of Energy and Water Industries (BDEW) and Austrian electricity industry association (OE)) and ISO/IEC 27019, are based on the work of GAI NetConsult GmbH employees.

