Digital transformation has brought undeniable benefits to the energy sector in terms of flexibility and streamlining of the distribution network. At the same time, however, it has introduced significant vulnerabilities, creating additional points of entry to an already extensive physical area spanning energy production, transmission and distribution. As a result, energy infrastructure, which is of essential and vital importance to our economy, is increasingly exposed to the risk of cyberattacks.
How can we protect the various entry points to such critical infrastructure? And how can we minimise damage, ranging from disrupted operations to the physical destruction of equipment? A better understanding of the various methods employed by cybercriminals, the most common types of attack and the solutions available will put infrastructure managers in a better position to prepare for and deal with them.
An extended attack surface
Even before digital transformation, energy infrastructure had its own specific geographical distribution, based on several production centres and a fragmented distribution network. As a result, the attack surface is already extensive – and will become even more so with the arrival of countless sensors, robots and connected objects, increasingly interconnected networks and access to cloud environments.
Computers, smart devices of all kinds and even communication flows all act as potential entry points for cybercriminals. These energy infrastructures are decades old, as is some of the equipment that makes them up. Because the installations were usually designed for a working life of over 50 years, the IT function is generally the only part of operations to have kept pace with technology and modernised its equipment. The operational technology (OT) side, on the other hand, has tended to remain in its original state, so much so that (too) many machines are still running old, obsolete software versions that have never been patched against the latest vulnerabilities. As long as the systems and private networks within plants and power stations remained disconnected from one another, the risk was minimised. But the (famous) IT/OT convergence has undermined this already fragile isolation. At the same time, the equipment used in power, hydroelectric and thermal plants was not designed with a “cybersecurity by design” approach. All these sensors, whether IEDs (Intelligent Electronic Devices), RTUs (Remote Terminal Units) or others, become entry points that are easily accessible to cybercriminals as soon as they are connected. And to make matters worse, such environments often rely on turnkey systems that were never designed to accept security patches.
In addition to these initial entry points, the communication protocols used in the energy sector are another major cybersecurity concern. They were often developed at a time when security was not a priority. For example, the IEC-104 protocol is commonly used for telemetry in the power generation sector, yet it has no authentication or encryption mechanism, which makes it extremely vulnerable to cyberattacks. The same is true of the GOOSE (Generic Object Oriented Substation Event) protocol, which is part of the IEC 61850 standard. Originally designed to minimise time-consuming checks and speed up the system's response in the event of a failure, this protocol can now easily be exploited to inject malicious packets. The same weakness extends to remote connections, such as those used for remote maintenance. Such connections – which are, for example, essential for the operational efficiency of substations – can also be exploited to gain unauthorised (and malicious) access to the network.
For easier access to these various points, cybercriminals can exploit a range of attack vectors: network, software, physical or even human. This human factor is especially sensitive in the energy sector, where there are a large number of subcontractors.
Multifaceted cyberattacks
Cybercriminals use various types of cyberattacks to target the energy sector. Since business continuity is crucial in this sector, Distributed Denial-of-Service (DDoS) attacks and ransomware are part of the classic offensive arsenal.
But energy infrastructure espionage and sabotage can take other forms... or even other paths, such as the sector's supply chain. Supply chain attacks are distinctive in that they target the suppliers and commercial partners of energy companies. Through these much less secure (and therefore more vulnerable) entities, cybercriminals gain indirect access to the networks of energy companies. These attacks are particularly insidious in that they exploit the relationships of trust between energy companies and their service providers.
In addition to this already substantial arsenal, energy companies also have to contend with another level of risk: the highly sensitive nature of the sector prompts state actors to take an interest in it in connection with geopolitical conflicts. They may even invest in specialised malware that has been written to target specific equipment or operational processes. Stuxnet in 2010, BlackEnergy in 2015 and Industroyer in 2016 are all prominent examples of this. For example, the Industroyer malware is capable of detecting and exploiting the communication protocols used in an industrial network, and can effectively target energy systems.
More recently, the Industroyer.V2 and Cosmicenergy malware have put OT protection back in the spotlight – whereas other cyberattacks have focused on the IT sector. Described by the Mandiant team in 2023, the Cosmicenergy malware intercepts commands issued via the IEC-104 protocol to interact with RTUs and the OT network. “Having obtained access this way, an attacker can send remote commands to influence the operation of power line switches and circuit breakers, and thus interrupt the power supply,” the researchers’ article explains. This malware was detected not as a result of an attack, but because it was... uploaded to a public malware analysis service. Whether this was a fluke or a misstep, the episode shows that cybercriminals are focusing their research on malware that targets industrial energy protocols.
Protection mechanisms in the energy sector
In the light of such facts and threats, how can we protect the energy sector? Back in 2018, Guillaume Poupard – at that time Director-General of France’s ANSSI cybersecurity agency – appeared before the French Foreign Affairs, Defence and Armed Forces Committee to warn of the consequences of an attack on a country's energy distribution networks.
To ensure effective protection of such complex, interdependent systems, a comprehensive, multi-layered approach is necessary. Faced with the various points of entry for the threat, it is vitally important to deploy an appropriate defence strategy, ranging from the implementation of suitable cyber tools to ongoing training for employees and service providers. Each type of attack presents unique challenges in terms of detection, prevention... and above all, response. Traffic mitigation and filtering systems, fine-tuned network segmentation, the use of intrusion detection systems and regular back-ups are just a few of the essentials of industrial cybersecurity, and the list is far from exhaustive. “In the real world, we have seen that the energy sector in France has already implemented a number of security mechanisms tailored to their operations,” explains Khobeib Ben Boubaker, Head of Industrial Security Business Line at Stormshield. “And this approach is beginning to bear fruit in terms of cybersecurity.”
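As an added illustration (not part of the original article) of the intrusion-detection logic mentioned above, applied to the IEC-104 weakness and the Cosmicenergy behaviour described earlier: since IEC-104 itself carries no authentication, a passive monitor on the substation segment can at least check which hosts issue control commands to RTUs. The captured frames, the station addresses and the master IP addresses (RFC 5737 documentation range) are all constructed for this example.

```python
"""Flag IEC 60870-5-104 control commands from hosts that are not known SCADA masters.
IEC-104 carries no authentication, so a passive monitor can only judge a command by its
sender and content. All sample traffic below is constructed for this example."""
import struct

# Control-direction ASDU type identifiers (IEC 60870-5-101/104) that can operate plant
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 set point (normalised)",
    49: "C_SE_NB_1 set point (scaled)", 50: "C_SE_NC_1 set point (float)",
    51: "C_BO_NA_1 bitstring", 58: "C_SC_TA_1 single command + time",
    59: "C_DC_TA_1 double command + time", 60: "C_RC_TA_1 regulating step + time",
}
COMMAND_COTS = {6, 8}  # cause of transmission: activation, deactivation

def parse_apdu(apdu: bytes):
    """Return (type_id, cot, common_addr, ioa) for an I-format APDU, else None."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        return None  # bad start byte or length field
    if apdu[2] & 0x01:
        return None  # S- or U-format frame: carries no ASDU
    asdu = apdu[6:]
    if len(asdu) < 9:  # type, VSQ, COT(2), CA(2), IOA(3)
        return None
    type_id, _vsq, cot, _orig, ca = struct.unpack("<BBBBH", asdu[:6])
    ioa = int.from_bytes(asdu[6:9], "little")
    return type_id, cot & 0x3F, ca, ioa  # mask off the P/N and test bits

def detect_unauthorised_controls(frames, allowed_masters):
    """frames: iterable of (src_ip, apdu_bytes). Returns a list of alert dicts."""
    alerts = []
    for src_ip, apdu in frames:
        parsed = parse_apdu(apdu)
        if parsed is None:
            continue
        type_id, cot, ca, ioa = parsed
        if type_id in CONTROL_TYPE_IDS and cot in COMMAND_COTS and src_ip not in allowed_masters:
            alerts.append({"src": src_ip, "type": CONTROL_TYPE_IDS[type_id], "ca": ca, "ioa": ioa})
    return alerts

# Constructed sample traffic; hypothetical addresses from the RFC 5737 documentation range.
ALLOWED_MASTERS = {"192.0.2.10"}
STARTDT_ACT = bytes.fromhex("680407000000")  # U-format frame, no ASDU
SINGLE_CMD = bytes.fromhex("680e00000000" "2d0106000100" "102700" "01")  # C_SC_NA_1, CA 1, IOA 10000, ON
INTERROGATION = bytes.fromhex("680e00000000" "640106000100" "000000" "14")  # C_IC_NA_1: not a control
SAMPLE_FRAMES = [
    ("192.0.2.10", STARTDT_ACT), ("192.0.2.10", SINGLE_CMD),  # known master: no alert
    ("192.0.2.77", SINGLE_CMD), ("192.0.2.77", INTERROGATION),  # unknown host: one alert
    ("192.0.2.77", b"\x68\x02\x00"),  # truncated frame: ignored
]
```

Run on the sample frames, the monitor raises a single alert for the single command sent by 192.0.2.77; a real deployment would feed it frames from a network tap and keep the allow-list in step with the segmentation policy.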
This is an area in which energy professionals need to draw on the concept of defence in depth that is so valued by the French agency ANSSI. This concept is set out in detail in IEC 62443, a cross-functional standard that advocates security in each sub-assembly of the system. Regulation is also useful in the energy sector, given how comprehensively it treats the subject. Standards include: IEC 62645, a set of measures to prevent, detect and respond to malicious acts committed by cyberattackers on the IT systems of nuclear power plants; IEC 62859, which provides a framework for managing the interactions between physical security and cybersecurity; ISO 27019, which contains security recommendations for the process control systems used by energy operators; and lastly, IEC 61850, mentioned earlier in this article, the communications standard adopted by substation protection systems in the power generation sector. Across the Atlantic, there are standards such as the American NERC-CIP, which specifies a set of rules for securing the assets needed to operate power grid infrastructure in North America, in the same way as France's military planning law (LPM). Finally, NIS2 – the second version of the European NIS Directive – applies to players in the supply chain (subcontractors and service providers) with access to critical infrastructure. It requires stakeholders to comply with security measures relating to the protection of networks run by operators of essential services (OSEs).
Examples such as BHI Energy (USA), Energy One (Australia) and HSE (Slovenia) show that cyberattacks against the energy sector are more topical than ever. With cyberattacks increasing in terms of both number and complexity, cybersecurity in the energy sector has become a top priority for 2024 and beyond. Protection requires constant vigilance and close cooperation between companies in the sector, governments and cybersecurity experts.