Securing the Grid - Solar Africa 9th Jan 2024 (Cape Town)
Florian, Gerhard and Andre

https://solarpowerafrica.za.messefrankfurt.com/capetown/en.html#

I recently had the privilege of giving a talk on securing the grid at the Cape Town International Convention Centre at Solar Africa 2024. Government and private-sector representatives supported the discussion as speakers and moderators. Putting a spotlight on cyber security for critical infrastructure is a welcome step in the right direction from the energy sector.


In my presentation I wanted to highlight a few areas around this topic. I covered the items below in more detail to give the audience an understanding of the risk that they, as suppliers, operators and consumers of electricity and electrical equipment, are exposed to.


-What types of attacks happen in the Energy sector?

-How do the attacks happen?

-Why do these attacks happen?

-What can we do to secure the Grid?


Attacks on energy infrastructure since 2022

I spoke briefly on the industry trends around the types of attack, the types of infrastructure targeted and the profile of the countries attacked. I then narrowed this down to two recent attacks in South Africa: the City Power ransomware attack, which affected 250,000 consumers, and the Eskom ransomware attack, which made very sensitive information available for purchase on the darknet.


The discussion then moved on to how each subsection of energy generation is affected by cyber-attacks.

Grid Components

This shows us that the whole value chain of energy generation and consumption is exposed to cyber threats.


I then spoke about how threats get into your environment in the first place.

Phishing emails: Emails that attempt to convince an employee to click a malicious link or open a malicious attachment. These emails are still incredibly common because they still work.

Denial-of-service attacks: An attacker interrupts the availability of a network device by overwhelming it with connection attempts or other traffic until it can no longer serve legitimate users.

Ransomware: Also known as encryption attacks; attackers encrypt data and demand a ransom for the decryption key. Data is normally exfiltrated before the encryption so that it can also be leaked or sold if the ransom is not paid.

Valid credentials: An attacker uses breached login credentials to log into industrial networks through VPN, RDP or jump servers, looking exactly like a legitimate user.

IoT: Attackers use CCTV, access-control and building-management systems as a foothold into industrial networks, from which they launch DoS or ransomware attacks.


Now for the fun part. I took the audience on a journey along the path an attacker would take to gain control of the energy-management software of solar and other green-energy plants. Step 1 is using Shodan to look for exposed devices.


Step 2 is getting past the login page, using default usernames and passwords, stolen credentials, or tools like Hydra (online password guessing against the login form) and John the Ripper (offline cracking of any password hashes obtained).


Next, we walked through a live example of such a system and showed how, from this stage of the exploitation, an attacker can damage the brand and share price, steal sensitive data and disrupt service.
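Seen from the defender's side, the two steps above (find exposed devices, then try default or stolen credentials) are exactly what an operator should run against its own address ranges before an attacker does. The script below is an added example and not material from the talk: it triages records shaped like a Shodan JSON export (one object per line with the ip_str, port, product and data keys) against a list of the operator's own netblocks, and ranks what it finds by how directly it can be abused. The records, netblocks and the port-to-protocol table are constructed assumptions, not real observations.

```python
"""Triage a Shodan-style export against your own address space.

Added example, not from the talk. The export records, the netblocks and the
port-to-protocol mapping are constructed for illustration; extend the mapping
for the protocols your own fleet speaks.
"""
import ipaddress
import json

# Constructed sample in the shape of a Shodan JSON export (one object per line).
# None of these addresses or banners are real observations.
SHODAN_EXPORT = r"""
{"ip_str": "203.0.113.10", "port": 502, "product": "Modbus", "data": "Unit ID: 1\nDevice: inverter gateway"}
{"ip_str": "203.0.113.22", "port": 443, "product": "nginx", "data": "HTTP/1.1 401 Unauthorized\nWWW-Authenticate: Basic realm=\"PV Monitoring\""}
{"ip_str": "203.0.113.23", "port": 3389, "product": "Remote Desktop Protocol", "data": "Remote Desktop Protocol\nNTLM"}
{"ip_str": "198.51.100.5", "port": 102, "product": "Siemens S7", "data": "Module: constructed sample"}
{"ip_str": "192.0.2.77", "port": 80, "product": "Apache httpd", "data": "HTTP/1.1 200 OK\nServer: Apache"}
"""

# Assumed mapping. Classic ICS protocols such as Modbus/TCP, S7comm and DNP3 have no
# login at all, so an internet-reachable instance is controllable without step 2.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP",
             47808: "BACnet", 4840: "OPC UA", 1911: "Niagara Fox"}
REMOTE_ACCESS_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC"}
WEB_PORTS = {80, 443, 8080, 8443}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed; replace with the plant, substation and datacentre ranges you own.
OWN_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]


def classify(rec):
    """Return (severity, reason) for one export record."""
    port = rec["port"]
    banner = rec.get("data", "")
    if port in ICS_PORTS:
        return "critical", f"{ICS_PORTS[port]} reachable from the internet, no login needed"
    if port in REMOTE_ACCESS_PORTS:
        return "high", f"{REMOTE_ACCESS_PORTS[port]} exposed: password-guessing target"
    if port in WEB_PORTS and ("WWW-Authenticate" in banner or "login" in banner.lower()):
        return "high", "web login exposed: test for default/vendor credentials"
    if port in WEB_PORTS:
        return "medium", "web service exposed: identify it and check for a login page"
    return "low", f"unclassified port {port}"


def triage(export_text, own_cidrs):
    """Keep only records inside own_cidrs and rank them by severity, then address."""
    nets = [ipaddress.ip_network(c) for c in own_cidrs]
    findings = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ip = ipaddress.ip_address(rec["ip_str"])
        if not any(ip in n for n in nets):
            continue  # somebody else's asset; stay inside your own scope
        severity, reason = classify(rec)
        findings.append({"ip": str(ip), "port": rec["port"],
                         "product": rec.get("product", ""),
                         "severity": severity, "reason": reason})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]],
                                 ipaddress.ip_address(f["ip"]), f["port"]))
    return findings


if __name__ == "__main__":
    for f in triage(SHODAN_EXPORT, OWN_RANGES):
        print(f"{f['severity']:8} {f['ip']}:{f['port']:<5} {f['product']:<26} {f['reason']}")
```

The ordering is deliberate: a bare Modbus or S7 listener is worse than an exposed login page, because the protocol has no password to guess. Everything the script flags as high is the input to step 2 of the attacker's journey, and therefore the list to run your own default-credential checks against first.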

We also covered the key groups that would carry out such attacks.

Nation states: As South Africa has aligned with BRICS, Western states have ramped up their cyber-warfare activities against our national and municipal infrastructure.

Ransom: The biggest driver of energy attacks is the prospect of stealing sensitive data and extorting a ransom in exchange for ending the service disruption.

Financial: Service disruption caused by cyber activity has been documented on some international trading platforms: short a stock, then launch a denial of service against the company's customer or billing portal, or even stop generation at a plant.

Hacktivists: Coal, gas and nuclear generation have long been targets for cyber activists lobbying for greener technology; the trend has also reversed in some cases, with solar, wind and BESS installations being targeted.

A quick look at how transmission is being targeted by way of transformers.

Monitoring and Management abilities on Transformers
Transformer Threat vectors

I also had to mention South Africa's green energy plan, which will drive more remote connectivity for monitoring and management.

2023 Renewable Grid Survey

I then overlaid this data with all the currently exposed energy assets shown on Shodan.

Open ICS equipment from Shodan

Lastly, what should we do as a country to protect private and state energy systems?

To mitigate these risks, state and private organizations must implement robust cybersecurity measures, including:

  • Network segmentation between IT and OT, and between OT zones
  • Modernized access controls and secure remote access with audit and screen logging
  • Vulnerability and attack-surface management, backed by regular threat-hunting exercises
  • Security monitoring and OT incident response, with plant managers and process engineers in the feedback loop
  • OT/IIoT security modernization
  • Protect the cloud and your process network as you would your datacentre
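The "valid credentials" entry vector and the Hydra step both leave a trail on the VPN, RDP gateway or jump server, which is what the secure-remote-access-with-logging and security-monitoring bullets above are for. The script below is an added example, not part of the talk: it runs three detections over OpenSSH-style auth log lines from a jump host, flagging a brute-force burst, a password spray across several usernames, and the case that matters most, a password login that succeeds right after a burst of failures. The log lines, hostname, usernames and addresses are constructed for the example, and the thresholds are assumptions to tune per site.

```python
"""Brute-force, spray and success-after-failures detection on a jump host.

Added example, not from the talk. The auth log lines are constructed in OpenSSH
format; the hostname, usernames, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a Hydra-style burst that succeeds, a small spray from a
# second source, and a legitimate user who mistypes once and then logs in by key.
AUTH_LOG = """\
Jan  9 08:00:01 jump01 sshd[2211]: Failed password for admin from 203.0.113.9 port 51002 ssh2
Jan  9 08:00:03 jump01 sshd[2213]: Failed password for admin from 203.0.113.9 port 51004 ssh2
Jan  9 08:00:05 jump01 sshd[2215]: Failed password for admin from 203.0.113.9 port 51006 ssh2
Jan  9 08:00:07 jump01 sshd[2217]: Failed password for admin from 203.0.113.9 port 51008 ssh2
Jan  9 08:00:09 jump01 sshd[2219]: Failed password for admin from 203.0.113.9 port 51010 ssh2
Jan  9 08:00:12 jump01 sshd[2221]: Accepted password for admin from 203.0.113.9 port 51012 ssh2
Jan  9 08:10:00 jump01 sshd[2300]: Failed password for invalid user operator from 198.51.100.77 port 40001 ssh2
Jan  9 08:10:02 jump01 sshd[2302]: Failed password for invalid user scada from 198.51.100.77 port 40003 ssh2
Jan  9 08:10:04 jump01 sshd[2304]: Failed password for engineer from 198.51.100.77 port 40005 ssh2
Jan  9 09:00:00 jump01 sshd[2400]: Failed password for jsmith from 10.20.30.40 port 60000 ssh2
Jan  9 09:00:30 jump01 sshd[2402]: Accepted publickey for jsmith from 10.20.30.40 port 60002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 5   # failures from one source inside WINDOW -> brute force (assumed)
SPRAY_USERS = 3      # distinct usernames from one source inside WINDOW -> spray (assumed)
SUCCESS_AFTER = 3    # password success after this many recent failures -> compromise (assumed)
WINDOW = timedelta(minutes=5)


def parse(log_text, year=2024):
    """Turn auth log lines into events. Syslog lines carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "ok": m["result"] == "Accepted",
            "method": m["method"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect(events):
    """Sliding-window detections per source address; returns a list of alert dicts."""
    alerts = []
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        recent_fail = []   # failures from this source inside WINDOW
        raised = set()     # alert types already raised for this source
        for ev in evs:
            recent_fail = [f for f in recent_fail if ev["ts"] - f["ts"] <= WINDOW]
            if not ev["ok"]:
                recent_fail.append(ev)
                users = sorted({f["user"] for f in recent_fail})
                if len(recent_fail) >= FAIL_THRESHOLD and "brute_force" not in raised:
                    alerts.append({"type": "brute_force", "src": src,
                                   "count": len(recent_fail), "users": users})
                    raised.add("brute_force")
                if len(users) >= SPRAY_USERS and "password_spray" not in raised:
                    alerts.append({"type": "password_spray", "src": src, "users": users})
                    raised.add("password_spray")
            elif ev["method"] == "password" and len(recent_fail) >= SUCCESS_AFTER:
                # The Hydra outcome: a password login that works right after a burst of
                # failures. Treat the account as compromised until proven otherwise.
                alerts.append({"type": "success_after_failures", "src": src,
                               "user": ev["user"], "failures_before": len(recent_fail)})
                recent_fail = []
    return alerts


def run():
    return detect(parse(AUTH_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The same three rules carry over to an RDP gateway by reading Windows logon events instead (event ID 4625 for a failed logon, 4624 for a successful one). Note that a key-based login after a single typo, the jsmith case in the sample, raises nothing: the point is to escalate on the pattern an attacker produces, not on every failed password.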


As a country we should:

  • Assess your equipment for cyber risk before commissioning
  • Build budget for OT cyber security into your PPA
  • Align your operations with the NIST SP 800 series (SP 800-82 for OT), NERC CIP, NIS2 and other industry standards
  • CHANGE EQUIPMENT DEFAULT PASSWORDS
  • Assign budget for cyber managed services for critical infrastructure in all municipalities
  • Use two-factor authentication for all IoT devices and remote connections
  • Make sure your staff's credentials are not on the dark web
  • Bake cyber security into the IPP programme
  • Drive a review of the generation fleet from a cyber perspective, led by Eskom and third-party organisations
  • Modernize SCADA systems to reduce CVE exposure at plants, on transmission equipment and in distribution areas


This was a great opportunity to talk to captains of industry about protecting their critical assets from cyber risk. I look forward to the next session.


Andre Froneman - Industrial Cyber Security Specialist.

DM me for a copy of the presentation.

Tommy Evensen

Chief Information Security Officer | OT Security Evangelist @ Omny

8 months

Nice. Thanks for taking time to share :)
