When a wave of cyber attacks threatened Australia’s critical infrastructure this year, Canberra took the threat seriously, stepping up efforts to track cyber criminals and to boost funding for security agencies.
Australia was one of many targets in 2020: cyber attacks on infrastructure were reported in Germany, Ukraine and Azerbaijan, among others, while Washington imposed sanctions on Russia for targeting utilities in the US and the Middle East.
As power infrastructure is upgraded and becomes increasingly reliant on internet connectivity — an evolution known as the Internet of Energy (IoE) — cyber criminals have more opportunities to disrupt energy supplies.
“The number one reason for attacks is ransomware,” says Gareth Williams, vice-president for secure communications and information systems at Thales UK, a unit of the French defence and technology group. “We’ve noticed a shift from ‘cyber hoodies’ demanding small amounts of money from multiple easy targets to hackers spending more time creating sophisticated malware to take out essential energy services for a huge sum of money.”
The 2017 WannaCry attack on the NHS — malicious code that took advantage of a flaw in commonly used software — highlighted how disruptive ransomware can be for critical infrastructure.
An energy company with weak cyber security can be vulnerable to amateur hackers, says Mr Williams. Much operational technology across the energy sector is generally at least a decade old and is designed to be kept offline and siloed from internet-connected technology, he adds.
Connectivity is increasingly being bolted on to legacy equipment. Examples include what Duke Energy in Florida dubbed its “self-healing grid”, which added smart sensors and switches to existing power lines to detect faults, reroute energy and perform repairs.
Even with reasonable cyber protection, energy networks can be attacked by ransomware aimed at exploiting vulnerabilities in systems adapted for the Internet of Things — the expanding web of interconnected everyday devices.
Much ransomware targets industries that rely on operational technology — the computerised systems used to control industrial operations — according to Nick Rossmann, IBM’s global lead for threat intelligence. Many vulnerabilities in such systems cannot be significantly reduced, he says, because they are too old or expensive, or because they were not designed for internet connectivity.
“The rise of ransomware is an advantage for cybercriminals today who are going after companies or networks that need to always be on,” he says.
Adding connectivity to a grid can enable better energy load management informed by smart meters and real-time demand data, resulting in a more efficient and resilient power supply.
It also allows consumers to sell any excess electricity — for example, stored charge in an idle electric vehicle — back to the grid, alongside other “distributed energy resources” (DERs) such as solar and wind power generation.
In principle, an interconnected supply chain provides better value for customers, wastes less power and can balance generation and consumption to help prevent outages or shortages. However, it can also increase the entry points through which hackers can gain access to grids.
In 2019, the UK’s Department for Business, Energy and Industrial Strategy, and the energy regulator Ofgem, reviewed cyber security risks relating to distributed energy resources. They warned that “the potential impact to the grid stability from a cyber compromise of multiple smaller DER assets could be significant”.
The challenge is heightened by the fact that consumer technology, including smart meters and electric vehicles, also interacts with the power distribution network by receiving and transmitting data.
By accessing and manipulating data through a compromised device, or through vulnerabilities in internet connections and IT systems, a hacker need not penetrate the main grid to cause a significant outage.
As energy generation and distribution are increasingly controlled with real-time information, any attack on data integrity and reliability can cause ripple effects such as triggering emergency control systems into action.
Mr Williams highlights the risks of more data being harvested from consumers. For example, smart energy systems can use data about when individuals usually drive their electric vehicle in order to schedule energy distribution. Such systems can even scrape data from calendar apps to determine how long a car may be in a parking space.
So far, so good. However, as more sensitive information is shared by devices and third-party services — whether charging stations, household smart energy meters or associated apps — the amount of data potentially accessible to hackers also increases.
“We’re opening up our threat surface,” Mr Williams says. “The digital transformation opportunities are phenomenal. They’re going to change our lives and our world. But if you don’t underpin it with the right resiliency and trust at the start, then you introduce unintended consequences.”