Is China’s power grid safe from hackers?
It happens not with a bang, but a whimper.
The lights go out, public transport is halted, networks go dark, and a city is shut down and paralysed, as an attack against a nation goes beyond bombs and targets its critical infrastructure – all with a few keystrokes.
This isn’t just an imagined scenario, it has happened around the world. Hackers have been targeting energy and power networks and can hold countries ransom.
Cyber attacks are the number one threat to power and utility companies worldwide, a new EY report has found.
More than 80 per cent of respondents to EY’s Risk Pulse Survey considered business interruption from cyber attacks as their top concern, which will only increase in the coming years.
It also listed catastrophic weather events and storms, as well as energy and environmental regulatory change as major risks to the international energy sector.
The survey outlined the growing importance of these threats to the sector, particularly as it transitions to a digitised energy world.
“The growth of digital technologies and data-driven services is expanding the attack surface for cyber threats across the power and utility ecosystem,” the EY report stated.
“The distributed denial-of-service (DDoS) attacks that have brought major websites and internet infrastructure to a screeching halt in places as varied as New Hampshire and Liberia could serve as a harbinger for the havoc Internet of Things-enabled devices could unleash on the utility grid.”
A growing threat
The importance of cyber security for utilities is of little surprise to many in the industry.
While much of the focus of cyber attacks has been on personal scams, the real damage is done by malicious attacks against major utilities and institutions, such as WannaCry’s global ransomware attack on targets as varied as the UK’s National Health Service and Spain’s telecommunications network.
While less publicised, a wave of cyber attacks targeted Europe and North America’s energy sector this year, Cisco’s cyber intelligence group Talos stated.
“These attacks target both the critical infrastructure providers and the vendors those providers use to deliver critical services,” Talos said.
“Attacks on critical infrastructure are not a new concern for security researchers, as adversaries are keen to understand critical infrastructure ICS networks for reasons unknown, but surely nefarious.”
According to Symantec, a computer security group, while these attacks have been occurring since 2011, they have ramped up over the last two years.
It pointed to what are believed to be Russian state-backed groups known as Dragonfly or Energetic Bear as the main perpetrators, who use methods as simple as malicious Word documents disguised as job resumes in order to surreptitiously gain access to company login details and user credentials.
The most recent serious attacks were in Ukraine, where hacking caused disruptions to the power system and affected hundreds of thousands of people. In April this year, Ireland’s entire electricity and transmission control system – EirGrid – was hacked into, although no systems were shut down.
Iran’s nuclear energy sector was attacked and nearly destroyed by programmable logic controller virus Stuxnet, while Shamoon – disk-wiping malware – hacked into Saudi Arabia’s energy networks in 2012 and 2016, destroying master boot records.
Earlier this year, the US’ Wolf Creek nuclear power plant was also attacked; however, security specialists managed to respond to the threat before their system was penetrated.
In May this year, President Trump signed an executive order aimed at strengthening the US’ critical infrastructure network, specifically addressing cyber threats that could cause electricity disruption and power outages.
But what steps has Australia taken to protect itself?
Australia at risk?
Australia’s relative distance from other nations has not made it invulnerable to attack, with Minister for Cyber Security, Dan Tehan, stating the nation must be on constant guard.
“We are naive if we think that in Australia we are immune to [cyber attack] threats,” Mr Tehan said.
“A cyber-secure Australia will only be achieved if governments, industry, and individuals continue to work together to share information and strengthen our defences against cyber threats,” he told Fairfax Media.
In 2016/17, the Australian Cyber Security Centre reported that 7283 cyber security incidents affected major Australian businesses.
“The ACSC also responded to 734 cyber incidents affecting private sector systems of national interest and critical infrastructure providers,” Mr Tehan said.
Australia launched a $230 million cyber security strategy for the nation in April, led by attorney general George Brandis, and zeroed in on our critical infrastructure – our power and water networks – in October.
“With increased foreign involvement, through ownership, offshoring, outsourcing and supply chain arrangements, Australia’s national critical infrastructure is more exposed than ever to sabotage, espionage and coercion,” Mr Brandis said.
Mr Tehan added, “Securing critical infrastructure assets in partnership with industry is a key focus of Australia’s $230 million Cyber Security Strategy.”
“The new Critical Infrastructure Centre in the Attorney-General’s Department will work closely with our national critical infrastructure companies to identify cyber vulnerabilities, develop risk assessments and risk management strategies.”
This partnership has developed a new bill, the Security of Critical Infrastructure Bill 2017, in order to counter threats to the nation’s energy networks.
“Firstly, it will create a ‘last resort power’ which will allow the Minister to issue a direction to an owner or operator of a critical infrastructure asset to mitigate significant national security risks,” Mr Brandis said.
“Secondly, a critical assets register will be created providing the government greater visibility of who owns, controls and has access to, critical infrastructure assets. This information will inform the government’s assessments of assets most at risk from espionage, sabotage and coercion.”
Last month, Mr Tehan and Minister for Foreign Affairs, Julie Bishop, also launched an international cyber engagement strategy which “aims to foster good cyber security practices in our region and improve our collective capacity to respond to global cyber incidents”.
While legislative steps have been put in place to protect critical infrastructure, the onus remains on industry to ensure their data and access to their systems remains secure.
“Businesses and individuals must also take responsibility for their own cyber security and the government encourages the operators of critical infrastructure to adopt the Australian Signals Directorate’s Essential Eight cyber security risk mitigation practices,” Mr Tehan said.
Even with these measures, how safe are Australia’s power and distribution networks?
“There is a threat [to energy infrastructure] that is persistent in the Australian landscape,” Schneider Electric senior cyber security consultant Peter Clissold told Fairfax Media.
Within Australia, AGL and Origin have both taken steps to secure their business against cyber threats.
AGL has created a cyber threat intelligence and incident manager role to recognise and protect against these kinds of intrusions.
Origin regularly commissions independent penetration tests and carries out other security reviews to test its security and improve controls.
“Our strategy is focused on protecting information and operational performance and safety from cyber security threats,” a spokeswoman said.
Origin’s executive general manager, technology, risk, and transformation, Carl McCamish, added, “We protect our people and assets through a dynamic cyber security strategy that is regularly tested and reviewed to ensure we remain agile and resilient to emerging threats.”
Beyond the screen
While the lights will come back on soon after a cyber attack, Mr Clissold said the real damage will be in the changed perception of the company.
“The biggest impact will be on reputation, it will have a far bigger impact than the punitive cost or loss of supply,” Mr Clissold said.
This can have a flow-on effect to a company’s bottom line.
“There has been evidence of share prices falling,” he said.
“The share price of companies were impacted because of their public notification of an attack,” Mr Clissold said.
This was supported by an Oxford Economics report, which found that “publicised cyber attacks generally have some impact on stock market valuations and by extension company reputations”.
There is also the loss of customers who no longer trust the capability of their energy company after such an event.
The impacts of cyber attacks are multi-staged, and go beyond the initial intrusions.
Energy companies need to put in place measures in order to present a less vulnerable target.
“Utilities need to ask themselves whether their operating model is agile enough to react to unexpected events as they unfold and whether they have the right resiliency to recover,” EY global power and utilities risk and cyber security leader Matt Chambers said.
“This is further compounded by the rising importance of data privacy and protection, which demands that companies place greater emphasis on cyber security as an enterprise priority.”