In this interview, Dr. Stephan Beirer from information security consultancy GAI NetConsult explains why cybersecurity needs to be taken into account in each and every area of the power grid, which attacks are most likely, and what needs to be done after an attack has occurred.
Hackers attacking power grids is a popular theme in novels and films. How do you rate the threat level?
The threat is quite real and, in my opinion, it has increased in recent years. This can be seen not only in various media reports, such as those covering the attacks in Ukraine during Christmas 2015 and 2016, when up to 700,000 households were left without electricity for hours. Indicators also include, in particular, the concrete non-public warnings issued to operators by the security authorities. Such warnings are not issued without reason.
What kinds of attacks do you think are most likely?
If we are talking about targeted attacks, these are scenarios in which an attacker tries to intervene in the power supply, for example by triggering unauthorized switching operations. In the worst case, a successful attack on the grid infrastructure could lead to a supply disruption. As we are increasingly creating interfaces with end users – I’m thinking particularly of smart metering, that is intelligent electricity meters, control boxes, and electricity mobility – in future we can also expect attacks on the technology used by consumers and on their personal data.
Who is interested in carrying out large-scale attacks?
According to current information, the biggest threat is from state or semi-state actors. They have the necessary extensive resources to carry out such sophisticated attacks. It is also conceivable that attacks might be used for blackmail attempts by those involved in organized cyber crime. Although the media often reports on the possibility of terrorist attacks on our power grids, I think this risk is relatively unlikely at the moment. On the other hand, the classic hacker stereotype of a tech-savvy individual is more relevant in the area of end-user interfaces.
What hardware and software measures are needed to protect against such attacks?
Nowadays, hardware and software must always be considered as one and, unfortunately, the grid infrastructure cannot be protected with individual measures.
Manufacturers and operators have to work hand in hand and implement measures from a range of areas, including well-regulated access protection, malware protection (in particular for PC-based systems), and network zoning so that the entire network cannot be compromised in the event of an attack. In addition, it is essential to only use systems that offer available security support enhanced by an adapted patchmanagement process which updates software.
<Network zoning>
Dividing a network into different areas interconnected by secure Interfaces.
<Patch>
Software program intended to remedy the errors contained and detected in a program. Patch management refers to the planned procedure for implementing
patches.
<Hardening>
Process that increases the security of a system by using only the features that are actually needed, disabling unnecessary services and activating security-enhancing options for the application.
The hardening of all system components, that is deactivating unnecessary services and functions, can increase security, as well as using secure network protocols for parameterization and component management. It is absolutely necessary for operators to establish a security organization and component manufacturers must ensure secure and robust implementation.
How important is it to keep all components up to date?
Modern components have an extensive and often complex software and firmware installation. This software contains programming errors which cannot be completely avoided and which can manifest themselves as security vulnerabilities. They can be harmless, but also highly critical and can endanger the safe and secure functioning of the component.
Therefore, manufacturers must identify vulnerabilities in the component software; for example, by actively tracking security gaps in third-party components. Depending on their criticality, the detected vulnerabilities have to be fixed as part of release upgrades or with emergency patches in urgent cases and then provided to customers.
Operators must conclude maintenance contracts so that they are informed about vulnerabilities and receive updates. This patch management must be carried out based on the specific risks in question, as not every operator has the same security requirements and as the vulnerabilities are also not exploitable in every environment. If an acute risk occurs which exceeds a pre-defined threshold, the software patch must be rolled out as soon as possible after the required tests. Less critical patches are usually installed during periodic maintenance windows.
How can operators prepare their employees?
It is essential to train them properly. For network or component managers, this training must obviously include the fundamentals of information security and the required technologies. Users from other areas should start with awareness training which addresses issues such as typical security problems, what an attack looks like, and how it can be detected. Very practical issues are also important. For example: What do I need to bear in mind when using my parameterization laptop? Can I connect an external USB stick? What kind of potential security incidents do I have to report?
How can grid operators test the security of their systems?
Self-assessment is an important part of a functioning security management process, and the nature of the tests can vary. In this way, compliance with ISMS and standard requirements can be checked within the framework of organizational audits. For example, technical tests are usually used to verify the concrete implementation of the systems within the infrastructure from a security perspective.
here are various approaches depending on the target environment: Due to their criticality, live environments can usually only be tested with non-invasive testing techniques, such as a configuration review, whereas in an isolated test environment, more in-depth test methods can be used. A test which is often cited in the media is the penetration test, where a tester without specific prior knowledge uses hacker methods to simulate an attack. This test must only be used after extensive preliminary planning and only on less critical interfaces, such as between the office and process network. Another important area of testing are acceptance tests in which, in addition to functional tests, security tests are carried out when systems arerenewed or expanded in order to verify their security characteristics.
<Criticality>
The importance of a system in relation to the task it fulfills.
<Non-invasive testing technique>
Test methods that do not interfere with the system being tested. Particularly used to test critical live systems.
How can we find a reasonable balance between cost-effectiveness and security?
As with everything in life, costs are also an essential factor in the field of information security. Varying requirements must also be met depending on the criticality of the energy utility. Therefore, for legal reasons alone, an operator of a critical infrastructure will have to invest considerably more effort than a small public utility. However, when considering cost effectiveness, it is important to take into account the entire application rather than just the security measures.
For example, whether the convenience and efficiency of accessing the substation automation system via an app on your cell phone justifies the comprehensive security measures required in this situation must be decided on a case-by-case basis. The complete digitalization of the grids and the widespread networking which this entails are only feasible if comprehensive security measures are taken into account. After all, no one would ever think of launching a car into the market without brakes.
And if the hacker was successful…?
In addition to preventive measures – which come under the keyword “Protect” – Detect, Respond, and Recover measures are just as important. Simply because, for reasons of cost alone, preventive measures can never provide 100% protection. An operator must therefore be ready to detect a security problem such as an attack or a comprehensive infrastructure disruption at an early stage, to contain it, and to recover from defined emergency operation back to normal operation. This requires appropriate preparations and emergency plans.
How will the topic of cybersecurity in power grids evolve in the future?
In recent years, information security has evolved from a specialized problem to a topic that permeates every facet of our technological society. This naturally includes all automated industries, but especially the energy- supply industry. In the future, both manufacturers and operators will try to develop and implement standardized solution concepts. However, as the fields of IT and control technology are producing ever more complex application scenarios and the attackers are constantly developing new methods as well, the topic will continue to play an important role. Personally, I’m not worried about the possibility of being out of a job in ten years’ time.
More Informations
Cybersecurity @ MR
MR takes the topic of cybersecurity into account for all its components and ensures that it is implemented right from the start. With this in mind, MR focuses on producing a high level of product security, continuously optimizes its processes with regard to security, and maintains a comprehensive risk management system. A dedicated MR-CERT (Cybersecurity Emergency Response) team is the central point of contact for all questions relating to IT security. The MR specialists advise customers and are involved in the development of a product from the outset. Among other things, they determine which standards and guidelines have to be observed for a specific project.
Mission: Cybersecurity
GAI NetConsult GmbH is an independent consulting company which specializes in information security. A particular focus of activity for the company is industrial IT security, especially in the area of energy supply. In addition to project work, the company also deals extensively with the topic in the context of standardization and associations. A number of key German and international industry recommendations and standards, such as the BDEW/OE white paper (German Association of Energy and Water Industries (BDEW) and Austrian electricity industry association (OE)) and ISO/IEC 27019, are based on the work of GAI NetConsult GmbH employees.