The meteoric acceleration of cyber attacks against service operators, organizations and strategic companies is a worrying reality that calls for urgent protective measures, all the more so when the consequences of such attacks can be catastrophic for an entire population. Electricity suppliers are particularly concerned. In the last five years, a number of attacks have marked the world of electrical energy and, for some operators, have triggered a new awareness and changes in cybersecurity practice.
Electricity infrastructures facing new challenges
Generally, these cyberattacks take place in a tense geopolitical context. Indeed, a country's electrical energy supply is a privileged target, since depriving a country of it affects its economic activity and its means of communication, which can be paralyzed very quickly. Looking at the attacks that took place between 2015 and 2020, we see that they are in fact linked to new challenges facing the electricity production sector: a test of the resilience of operational infrastructures, the undermining of equipment availability and data integrity, and the major financial losses linked to cyber attacks and their impact on energy market pricing.
Another challenge facing this sector concerns its digital transformation. The development of new technologies, connected objects and sensors gives energy producers valuable benefits across their production and distribution chain: anticipation of possible breakdowns, finer management of capacities (smart grid), etc. To achieve this, the deployment of Cloud and Edge Computing technologies is necessary to guarantee computing power and ensure real-time processing of the data collected. But this emergence of connected objects and cloud environments opens up operational networks and thus increases the attack surface available to cybercriminals: networks that were previously isolated now find themselves connected to the company's corporate IT network.
In addition, OT network equipment has a very long lifespan, generally more than 25 years. This is the case with electrical infrastructures, designed to operate for more than 50 years. Most of them are based on obsolete technologies and are therefore highly vulnerable in terms of security. Adding to their fragility, electrical environments often rely on turnkey systems that were never designed to receive patches. And because the systems in use have been available on the market for a long time, cyber criminals have had ample opportunity to dissect them.
Finally, the biggest breach in the cyber defenses of OT and IT systems is linked to users and operators, who are often little aware of basic cybersecurity rules. Reusing similar passwords regardless of the sensitivity level of the system, or using personal USB drives for business purposes, can help expose electrical infrastructure.
The energy sector, a highly regulated field
Over the years, the cyberthreats weighing on power grids have evolved.
As a result, the electric power sector has already taken the measure of the cyber risks to which it is exposed, equipped itself with an arsenal of standards to manage these risks, and thus become one of the most regulated sectors in terms of cybersecurity. We could, for example, cite the American standard NERC-CIP, which defines a set of rules to secure the assets necessary for the operation of power grid infrastructures in North America. In the same vein, we find in France the Military Programming Law and, at European level, the NIS directive, aimed respectively at securing operators of vital importance and operators of essential services. In terms of standards, IEC 62645 represents a set of measures to prevent, detect and react to malicious acts committed by cyber attacks on the computer systems of nuclear power plants; IEC 62859, for its part, frames the management of interactions between physical security and cybersecurity; ISO 27019 contains security recommendations applied to the process control systems used by energy operators; and finally, IEC 61850 is the communication standard used by substation protection systems in the power generation sector.
How to ensure effective resilience of the operational infrastructure?
The first response consists of addressing the obsolescence of the operating systems and applications used in the operational infrastructure. On this point, a defense-in-depth approach is essential in order to block suspicious behavior at the level of system calls and respond to threats that exploit application flaws. It is then necessary to check the messages exchanged on the operational network. Indeed, historically independent subsystems are increasingly required to exchange information and be interconnected. It is therefore essential to start by isolating the networks of these different systems using a segmentation-based approach.
This type of measure also makes it possible to block the propagation of an attack by complicating the discovery of the operational network. It should also be noted that restricting access to a given piece of equipment to a single workstation, or to a group of workstations, is a relevant way to limit the attack surface.
Then, given the criticality of substations, it is also recommended to apply other protection measures, such as network filtering at the level of the IEDs (intelligent electronic devices), for example to restrict access to a single group of workstations during a very specific time slot. In certain use cases it is even possible to apply a control based on the user, in order to know precisely who is connected to the control station and when.
Operational messages exchanged between electrical equipment, IEDs and supervision stations are another important point of vigilance. Indeed, if a cyber attacker succeeds in establishing a remote connection with a physical device or a remote maintenance station, it then becomes possible for him to analyze the network, understand its organization and send malicious messages. The solution to mitigate this type of risk is therefore to deploy industrial probes, IDSs or even IPSs in order to control the messages exchanged with the most sensitive equipment. Their implementation makes it possible to check the consistency of the messages exchanged between the equipment and the upper management layers, to ensure that they do not jeopardize the operational process. The chosen solution must obviously support the industrial protocols in use to ensure good coverage in the protection of electrical equipment control commands.
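A worked illustration of the filtering and consistency checks described in the two preceding paragraphs, written for this article as an added example (it is not code from the original text or from any product): it evaluates constructed access records against a per-IED policy of allowed workstations, daily time slots and operator accounts, and flags "operate" commands that were not preceded by a fresh "select" from the same station, in the spirit of the select-before-operate control sequence used by substation protocols such as IEC 61850. All addresses, device names, accounts, the sample log and the 30-second timeout are hypothetical.

```python
from collections import namedtuple
from datetime import datetime, time
# Constructed example policy (hypothetical addresses, IED names and operator accounts):
# which workstations may reach each IED, in which daily time slot, under which accounts.
POLICY = {
    "IED-FEEDER-01": {"stations": {"10.0.5.10", "10.0.5.11"}, "users": {"op_day"},
                      "window": (time(6, 0), time(18, 0))},
    "IED-XFMR-02": {"stations": {"10.0.5.20"}, "users": {"op_night"},
                    "window": (time(18, 0), time(6, 0))},  # slot wraps past midnight
}
Event = namedtuple("Event", "ts src user ied action")  # action: "read", "select" or "operate"

def in_window(t, window):
    start, end = window  # handle slots that wrap past midnight
    return start <= t <= end if start <= end else (t >= start or t <= end)

def check_access(ev):
    """Return None if POLICY allows the event, otherwise the reason it is refused."""
    rule = POLICY.get(ev.ied)
    if rule is None:
        return "unknown IED"  # default deny: devices absent from the policy are refused
    if ev.src not in rule["stations"]:
        return "station not allowed"
    if not in_window(ev.ts.time(), rule["window"]):
        return "outside time window"
    if ev.user not in rule["users"]:
        return "user not allowed"
    return None

def audit(events, sbo_timeout=30):
    """Flag policy violations and 'operate' commands lacking a fresh 'select' (select-before-operate)."""
    findings, pending = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        reason = check_access(ev)
        if reason is None and ev.action == "select":
            pending[(ev.src, ev.ied)] = ev.ts
        elif reason is None and ev.action == "operate":
            sel = pending.pop((ev.src, ev.ied), None)
            if sel is None or (ev.ts - sel).total_seconds() > sbo_timeout:
                reason = "operate without valid select"
        if reason:
            findings.append((ev.ts.isoformat(), ev.ied, ev.action, reason))
    return findings
# Constructed log sample: one legitimate select/operate pair, then four violations.
SAMPLE = [Event(datetime(2024, 3, 1, *hms), s, u, d, a) for hms, s, u, d, a in [
    ((9, 0, 0), "10.0.5.10", "op_day", "IED-FEEDER-01", "select"),
    ((9, 0, 5), "10.0.5.10", "op_day", "IED-FEEDER-01", "operate"),
    ((22, 30, 0), "10.0.5.11", "op_day", "IED-FEEDER-01", "read"),
    ((10, 15, 0), "10.0.5.99", "op_day", "IED-FEEDER-01", "read"),
    ((20, 20, 0), "10.0.5.20", "op_night", "IED-XFMR-02", "operate"),
    ((20, 30, 0), "10.0.5.20", "op_night", "IED-XFMR-02", "select"),
    ((20, 31, 0), "10.0.5.20", "op_night", "IED-XFMR-02", "operate"),
]]
```

Running audit(SAMPLE) returns four findings: one workstation outside the allowed group, one access outside the time slot, one "operate" with no prior "select", and one "operate" whose "select" is older than the timeout.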
Finally, remote connections for remote maintenance needs, in particular at the level of electrical substations, require the deployment of VPN-type tunnels or at least TLS-secured connections to ensure data confidentiality.
But we must not forget the risks related to humans, especially with the still very common use of USB keys in operational environments. It is therefore necessary to harden control and supervision workstations by deploying whitelisting (or allowlisting) solutions, or by scanning removable storage devices so that any operation from an unauthorized profile is rejected. Operators must also be made aware of the full range of cyber risks, to avoid errors or unintentional actions that could jeopardize industrial processes.
In view of these few non-exhaustive examples, an integrated approach that takes into account all the necessary fundamentals and relies on several layers of protection is required to effectively secure the production systems of companies in the energy sector.