by Fernando Guerrero B., OT Security Expert
Electricity is an essential element of our society. It is the primary enabler of most businesses, and therefore the foundation of a nation’s development.
The electricity sector belongs to the critical infrastructure of a country. When its availability is endangered, the consequences for society can be serious and even catastrophic.
The value chain in this sector includes the generation, transmission and distribution of electrical energy, and is supported by control, regulation and government authorities. Each segment of the value chain has a team operating the electro-mechanical equipment, a task carried out with the support of diverse technologies (e.g. systems, networks, electronic devices).
Each element of each segment is subject to risks (e.g. physical, natural, technological and human errors). Thus, the number of threats, their probability of occurrence and their impact on the integrated power system multiply as new elements are implemented. With the increasing presence of Smart Grids and IIoT devices, these risks are no longer solely affecting large organisations responsible for components of the value chain, but are now also a problem for consumers.
This complex environment, and the risks it is exposed to, has led governments and standardisation bodies to create regulations and define requirements that companies in the electricity industry must fulfil. There are several cyber security standards, norms and technical requirements for this industry, such as the NIS Directive in Europe and NERC-CIP in the USA. Nowadays, electricity companies are more aware of the need to understand cyber risks, and are starting to take action to protect their infrastructure in order to avoid service outages and financial penalties.
The Operation Analogy
Every electricity company has an Operations Centre where the electrical system is orchestrated in real time. These Operation Centres, which can be local, regional or national, are operated 24 hours a day, 365 days a year by specialists working in shifts. The specialists are able to supervise normal operations, as well as maintenance and all kinds of incidents in the electrical infrastructure.
These specialists are the first ones to guarantee that the company satisfies the demand, that the generation, flow and electricity distribution is uninterrupted, and that the actions taken in a failure or shutdown of a plant take into account the entire network to avoid a blackout. The specialists (often called operators) understand the whole electricity process, the way the power system works and how it reacts to certain conditions, as well as the architecture of the power network and the locations and devices that are part of it. But most importantly, they know how to respond when there is an issue on the Grid. These are some of the reasons why the operators and the Energy Operation Centres are one of the main components for ensuring the extremely high availability that is required for electric service delivery.
The need for a team specialised in monitoring the health of the infrastructure
As with Energy Operations, cyber security also needs a team specialised in monitoring the health of the infrastructure: the Security Operations Centre (SOC). The SOC consists of a team of professionals who understand the business (its entire value chain) well enough to provide appropriate responses. Among these professionals, some have specific knowledge of Industrial Control Systems (ICS) or Operational Technology (OT) in order to protect those critical systems in the best possible way.
In addition, the SOC ensures that security devices are operational and available, that the required security patches and updates are installed, and that any anomaly within the network is investigated.
The SOC team permanently monitors the entire industrial network (from a cyber security point of view), similar to the electrical Operations Centre. The SOC is in charge of handling security incidents based on well-established protocols, which can vary depending on the needs of the organisation and the criticality of the incident; e.g., responding to a problem in a nuclear power plant is not the same as in a wind generation plant, because each environment is unique and because the consequences of a failure in the former could be of a much greater proportion.
In the case of a power failure caused by a cyber security incident, the SOC team performs forensic analysis, which requires detailed knowledge of the elements that constitute the industrial network. This analysis makes it possible to determine the source of the problem and to prevent it from happening again in the future.
Both operation teams (electric and cyber security) have their own scope of action, technical knowledge and tools to work with; however, they always complement each other. As stated above, issues affecting the power system may arise, and the technical knowledge of the asset operator will be needed in order to understand abnormal behaviour of devices (e.g. due to a zero-day attack), to perform forensic analysis, and to implement solutions within the network (e.g. patching field devices). This is also true the other way around: Energy operators may also benefit from timely SOC alerts to prevent a small problem from spreading or escalating to the whole Power Grid.
The consequences of blackouts
Every failure in a network has administrative, economic, and social repercussions. Several hours without energy during winter time would cause multi-million euro losses and severe issues for all citizens. Imagine what would happen if the population suddenly did not have access to banks, transit systems, or health systems, among others. These types of failures can be caused by natural, technical, or human error, and are handled by electrical operations personnel. They take into account particularities of the electricity systems that require special attention, as failure to do so can lead to a chain reaction, further blackouts and even cause physical damage.
As the entire society is dependent on the primary service that this industry produces, all stakeholders along the electricity supply chain are considered part of the “Critical Infrastructure” of every nation, which means that any negative impact on this infrastructure can severely affect a nation’s economy and its ability to defend itself.
The need for regulations to guarantee the availability of the service
Due to this and other technical reasons, each country has its own regulations to guarantee the availability of the service, and during the last decade these have evolved into a more “integrated” regulatory environment. One example is the NERC standards in North America, a set of requirements that aim to standardise the way the electricity infrastructure is maintained, operated, distributed and protected. The European Union is heading in the same direction with the appearance of the “Directive on common rules for the internal market for electricity (EU) 2019/944”, the “Regulation on the internal market for electricity (EU) 2019/943”, and the “Regulation on risk preparedness in the electricity sector (EU) 2019/941”. Both the American and European regulations take into account the need to protect an internationally interconnected supply chain, which essentially means that they acknowledge the interoperability of all systems, their interdependency, and the need to protect them.
Moreover, regulations and standards not only take into account technical damage; they also acknowledge that there are other reasons why power outages can occur: cyber-attacks orchestrated against critical infrastructure, specialised computer viruses, malware, and other types of cyber-threats. There are various sub-sets of these regulations and standards, and other norms worldwide, that outline the ideal cyber security architecture, requirements or guidelines for the protection of companies and critical assets in the electricity sector. Some of them are recommended (e.g. IEC 62443, ISO 27019, etc.) and others are mandatory (e.g. KRITIS, BSI, NIS Directive, NERC-CIP, NERC-EOP, NISTIR 7628, etc.).
Fernando Guerrero B., OT Security Expert
“In 2015 more than two hundred thousand Ukrainian citizens were left without electricity due to a cyber-attack targeting industrial control systems at three national energy companies. Similar to this one, several other attacks have been performed on utilities around the world in the past decade using phishing techniques, malware (Stuxnet, Duqu, Dragonfly, among many others) impacting not only the confidentiality of proprietary information (e.g. project files and network topologies), but the availability of power systems by causing centrifuges to spin out of control. All these examples show that it is very important to work on implementing prevention, protection and response measures like incident response. The adequacy of these protections must be reflected in capabilities, which must be periodically evaluated and improved.”
The inclusion of any cyber security control in the industrial network, or in the value chain in general, should not affect the ultra-high availability required for service delivery. When building, updating and protecting the infrastructure, each element must have the technical specifications that guarantee its operation (availability), confidentiality and integrity, since any delay in the transmission of information can result in failures of the power system (given the real-time nature of power systems).
The risk of hyper-connectivity between industries
Economic growth, population density and industrial evolution, among other factors, have made the electrical infrastructure grow proportionally so that it can satisfy demand. Similarly, this infrastructure and these businesses are connected to or interdependent with other industries (sometimes also part of a country’s critical infrastructure), e.g. telecommunications, gas, water, logistics and transport, and health. This hyper-connectivity represents a greater day-to-day risk for any of these industries. All it takes is for the right element of the chain to become infected to cause damage to all of its members, spreading regionally, nationally and even continentally.
The electrical sector deals with a heterogeneous environment with regard to technology. Devices can remain in service for several decades without being updated, whilst at the same time there are new devices with the latest security patches that are fully tested. If attackers manage to find an old device, without updates and with vulnerabilities, they could take control of it, and if this device turns out to be critical to the value chain, a blackout could be only a few clicks away.
The analogy presented here aims to show that the way the power grid is operated, and how the entire electricity supply chain is maintained from an electrical perspective, has similarities to the operation of cyber security. Both deal with a complex infrastructure and high-impact consequences when an issue arises.
Moreover, it is clear that the cyber security operation stakeholders must understand the value-generating process, the hyper-connectivity of the infrastructure and the heterogeneous nature of the technological infrastructure. But they should also interact with the Energy Operators to guarantee that the service delivery is the top priority whenever they are fulfilling their job.
It is also clear that having a SOC adds a good layer of protection to the business process, but it is also important to add that there are more safeguards in the security-in-depth approach that all companies should have. Each layer of cyber security that is added to the infrastructure, and to the business overall, needs to be there as part of a well-established strategy that is aligned with regulatory requirements and supported by a risk management approach that takes into account the criticality of each asset for the business and for service delivery.
Airbus CyberSecurity provides several services, which cover all elements of the cyber security life cycle, to help you establish, manage, operate and improve the cyber security of your business for IT, OT and Platforms.
As part of its security-in-depth offering, Airbus provides real-time monitoring of its customers’ industrial networks through its SOC 4.0, thus providing high levels of protection for their most critical assets as well as increasing their cyber security capabilities. To know more about this service, you can download the whitepaper on SOC 4.0 and read more about the key features and benefits a SOC 4.0 can offer.