Cyber Challenges in the Energy Sector

The electricity, oil and gas and civil nuclear sectors have recently seen improved cyber resilience as a result of regulations such as the European Union (EU) Networks & Information Systems (NIS) Directive. However, there is still work to be done as rapid technology advancements within these sectors bring a plethora of cyber risks that, if left unaddressed, can severely harm these critical infrastructures and their customers.

The reason for the energy sector’s present cyber challenges is examined in this article. It explores the drivers for advances in technology such as the Internet of Things (IoT), microgrids, Virtual Power Plants (VPP), cloud services, and digitisation, as well as how the sector’s adoption of this technology has created more cyber risks.

Protecting against current threats and risks

Historically, investment within the energy sector for business-as-usual activities tended to follow the life span of equipment such as transformers or generators. Until recently, Information Technology (IT) systems were viewed as supporting technologies to ensure the reliability of this equipment.

As a result, when compared to other sectors that tend to refresh IT systems more frequently, the investment cycle (and therefore lifespan) for these IT systems is relatively extended within the energy sector. The growing use of these IT systems is largely due to advances in technology and equipment, which means that these systems are now vital to guarantee the energy sector’s desired level of reliability and resilience.

While it is essential to integrate IT systems to support new technologies and modernise the energy sector, these systems often share the same network as critical equipment which adds complexity, introduces new dependencies and exposes potential cyber vulnerabilities.

These energy IT systems are subject to the same threats and risks as general-purpose IT systems used in other industries, but investment cycles, previously limited connectivity, usage, performance demands and communication methods have negated the investment case for regular upgrades.

As a result of these historical issues, combined with recent technological advancements, the energy sector faces a unique challenge in terms of cyber resilience.

Adoption and integration of new technologies

Due to lower adoption of new technologies to date and tighter regulation, this cyber issue is a greater concern in the electricity and oil and gas sub-sectors, and less so for civil nuclear.

IoT is helping develop new innovative services for customers, such as smart meters in the electricity sector, as well as improving efficiency and monitoring for equipment at remote locations in the upstream oil sub-sector.

IoT devices increase the attack surface for a prospective attacker, posing key cyber challenges such as preventing physical attacks against the device itself, securing communication and ensuring security by design in crucial domains like software development and authentication.

The need for modernisation of the energy sector is largely driven by the growing use of renewable resources, and more complex power requirements that drive technologies like microgrids and virtual power plants.

Other emerging cyber challenges are securing ‘big data’ technologies as a result of increased analytics, as well as securing expanding telecommunications infrastructures and networks as a result of growing usage of mobile devices and new applications.

Microgrids aid in the resilience of local power supplies and can leverage local renewable power generation by operating independently from the main grid as needed, for example to support critical services such as health or the military in the event of a natural disaster.

As microgrids become more complex, they require computer networks to control and manage them, and as such become more vulnerable to cyber-attacks. Such attacks could have consequences such as the cost of business disruption and damage to equipment, as well as potential power losses in critical scenarios.

Virtual Power Plants (VPP) are another fast-growing distributed energy resource technology. They integrate several localised power generating units through interconnection and smart central control rooms to enhance generation, as well as trade it in the electricity market.

Due to the nature of the architecture in a VPP, which typically comprises many interconnected devices, an attack can potentially take place on any of the devices, and a successful cyber-attack could render the entire network inaccessible. As VPPs grow, so will the expense and impact of disruption.

Cloud services and digitisation

Due to increasing cost pressure and the growing demand for data services and dedicated telecommunication networks, the introduction of these new services and technologies has led to a search for improved operational efficiency. As a result, the previously dependable energy sector is becoming reliant on other sectors, such as cloud service providers, which typically have lower requirements on availability and integrity.

The European Commission has recently launched a roadmap for the digitisation of the energy sector which sets out key actions. This includes a system-wide ‘digitalisation of energy’ action plan that could accelerate the implementation of digital solutions and energy system integration across multiple energy carriers, infrastructures and consumption sectors.

Considering these technology advances and Commission plans, it is important that energy firms define the levels of service expected from their cloud providers, such as latency to ensure availability, and cyber security. Outsourcing of infrastructures and services requires appropriate third-party management and contractual due diligence to ensure cyber risks are appropriately managed.

The way forward

The start of this year has already seen disruption in the oil industry. A cyber-attack has impacted the flow of fuel across a total of 17 terminals across Germany and Amsterdam, with many cargo vessels being diverted to other terminals in the region. It is not only the diversion costs and delay in business operation that have impacted the business, but also the pending significant post-breach remediation costs to help prevent a similar incident.

The introduction of NIS has helped improve cyber resilience within the energy sector, although there is still work to be done. There is a need for a common threat and risk framework, and improved threat intelligence and knowledge sharing in order to help understand and address the cyber threats and risks concerning the energy sector. This framework should be updated regularly due to the ever-changing threat landscape. This would help provide a consistent approach to protect not only the energy infrastructure but also ensure the data protection rights of citizens.

An effective common cyber response framework, together with a rationalised view of the capacity and capabilities of human resources required to adequately mitigate these cyber risks, will also help strengthen cyber resilience in the energy sector.

Power Sector Cybersecurity Building Blocks

The Power Sector Cybersecurity Building Blocks, developed through the U.S. Agency for International Development (USAID)-National Renewable Energy Laboratory (NREL) Partnership and the Partnership’s Resilient Energy Platform, are designed to help a variety of stakeholders improve security for the electrical grid. This effort grows out of USAID and NREL’s discussions with utilities around the world, as well as past cybersecurity assessments performed by NREL on dozens of utilities and government agencies, with a focus on the cybersecurity challenges faced by small and under-resourced utilities.

The building blocks function as a guide to help organizations develop a robust cybersecurity defense program. Individually, each building block represents a cluster of related activities within cybersecurity on which an organization should focus. Using the building blocks, organizations can effectively prioritize their cybersecurity efforts to best thwart a wide range of potential cyberattacks.

The 11 Cybersecurity Building Blocks each discuss a particular element of a well-rounded cybersecurity framework:

  • Governance: The processes that direct a utility-wide cybersecurity effort and provide accountability for that effort. Cybersecurity governance requires the understanding and action of those at the very top level of the utility, such as the executive director, chief executive officer, board of directors, and others.
  • Organizational Security Policy: This building block focuses on the high-level document that captures the essential elements of a utility’s efforts in cybersecurity and includes the effort to create, update, and implement that document.
  • Risk Management: Activities that identify and evaluate cybersecurity risk, with the goal of reducing that risk to a level appropriate to the utility’s business objectives.
  • Cyber Threat Intelligence: Cyberattack tools and adversaries that might constitute a threat and the vulnerabilities they could exploit. Utilities need CTI to understand the threat landscape and take action to mitigate cyber risks.
  • Laws, Regulations, and Standards: Laws and regulations are the compulsory host country directives that a utility must comply with regarding cybersecurity. Regulations sometimes enforce standards created by nongovernmental entities that capture best practices.
  • Compliance: The effort within a utility to remain in compliance with laws, regulations, and standards.
  • Procurement: The processes used to monitor and improve the cybersecurity of devices, applications, and services as they are acquired and integrated into utility operations, as well as efforts to manage supply chain risk.
  • Technical Controls: The hardware and software components that protect a system against cyberattack. Firewalls, intrusion detection systems (IDS), encryption, and identification and authentication mechanisms are examples of technical controls.
  • Incident Response: The actions taken by a utility to prepare for cyberattacks. This includes creating plans for response, rehearsing the response prior to an attack, continuous monitoring to identify attacks, and the actual response.
  • Cybersecurity Awareness Training: Steps taken by utilities to educate all employees (including nontechnical staff) about potential cyber threats and their roles in preventing them.
  • Workforce Development: The efforts by multiple organizations, such as government, industry, or academia, to ensure an adequate supply of workers with specialized cybersecurity knowledge and skills.

The Need

There are already many excellent guides, standards, and frameworks for organizations seeking to improve cybersecurity. Some are produced by standards bodies, such as the International Organization for Standardization. Others are produced by government agencies, such as the United States National Institute of Standards and Technology (NIST). Equipment vendors, consultants, and nonprofits have also created useful resources.

However, many organizations still struggle to create a cybersecurity program that is balanced across all areas required to protect their assets from attack. They may have heavy investments in one area, with little investment in another. For these organizations, the “building block” approach will hopefully prove useful. The building blocks define clusters of related activities within a balanced cybersecurity program and provide references and resources for each area. Since the building blocks correspond to activities, staff time and resources need to be allocated to them in the same way that staff time and resources are allocated to noncyber activities (such as accounting). The clusters of related activities defined by the Power Sector Cybersecurity Building Blocks span multiple stakeholders. Organizations in the early stages of cybersecurity maturity will likely get the most benefit from these building blocks because they are likely to struggle with the question of what a complete cyber program looks like. More “cyber mature” organizations can also use the building blocks to gain a fresh perspective on their efforts and fill in gaps in their existing cyber programs.

The Power Sector Cybersecurity Building Blocks are not meant to be the final word on cybersecurity for the power sector, as this field is evolving rapidly with the introduction of new power grid technology and an ever-changing threat landscape. USAID and NREL welcome discussion regarding updates to future iterations of these building blocks.

