Cybersecurity in the electricity industry: when hackers play with your light switch
Cybersecurity has become a constant concern over the past few years. Most modern equipment is network-enabled and can be reached over the Internet, and the smarter a network device becomes, the more protection it needs.
Kaspersky Lab’s report on cyberthreats to ICS in the energy sector in Europe for the first quarter of 2020 states that 1,485 malware modifications were blocked on 20.4 % of ICS computers in the energy sector. Most attacks arrived via the Internet and email, but even where there was no Internet access, attacks through removable media and the corporate network were recorded.
The Positive Technologies report describes the vectors of cyberattacks on industrial enterprises. Attackers gain access to a system with little effort if:
· There are errors in the hardware configuration,
· There is no network segmentation,
· OS vulnerabilities are left unpatched,
· Weak or stale passwords are used,
· Outdated software is in use at any level of the facility.
General information about digital substations
What is the difference between a digital substation and a traditional one?
· In digital substations, most of the physical analog and discrete connections are replaced with digital ones;
· Every microprocessor-based device now has computing capability of its own;
· Digital and optical current transformers (CT) and voltage transformers (VT) have appeared, which convert analog quantities into digital form.
A digital substation provides in-depth monitoring and control of all of its systems through digital communications. The same communications make it susceptible to a cyberattack that disrupts the substation. An attack can target:
· External digital channels through which technological and operational communication with power facilities is carried out;
· Local communication networks of the power facility, including switches and routers;
· Process buses and station (object) buses defined by the IEC 61850 standard;
· Digital control and monitoring devices for electrical equipment.
Communication networks and channels are therefore the single point of failure of a digital substation. In a traditional substation that role belonged to the operational direct current system (ODCS): losing it meant a complete loss of controllability of the facility, while the other control subsystems were largely independent of each other, so the failure of one did not affect the functioning of the others.
Possible consequences of a cyberattack
If every device of the equipment control system is digital and combined into a single information control system, a cyberattack can result in the complete loss of controllability of the entire power facility.
An example is the incident of December 2015 at PJSC Prykarpattyaoblenergo. A targeted (spear-phishing) email attack led to a power outage of about six hours in several regions of Ukraine. The substations themselves suffered lasting damage: the firmware of the RTUs (serial-to-Ethernet converters) was overwritten and remote control was disabled. At the same time the company’s call centers were flooded with a telephone denial-of-service (TDoS) attack.
On December 17, 2016, the Industroyer (CrashOverride) malware, which speaks substation protocols such as IEC 61850 and IEC 60870-5-104 and can therefore operate relay protection and automation (RPA) devices directly, cut power to part of Kiev’s grid for about an hour.
In March 2019, a denial-of-service attack on the Internet-facing firewalls of a utility repeatedly cut communications with generation sites in California, Utah and Wyoming; no generation was lost, but operators were blind to those sites for minutes at a time.
In late October 2019, India’s Nuclear Power Corporation acknowledged a malware infection, attributed by researchers to the Lazarus group, on the administrative network of the Kudankulam nuclear power plant; the plant control systems were reported to be isolated from it.
Cybersecurity laws in the Russian Federation
In Russia, cybersecurity receives considerable attention: federal laws and ministerial orders require companies to implement technologies that protect the data and infrastructure of major facilities.
The main document regulating protection against computer attacks on automated systems of industrial facilities is Federal Law №187-FZ of July 26, 2017, “On the security of the critical information infrastructure of the Russian Federation”.
There are also orders of the FSTEC, the Ministry of Energy of the Russian Federation and the FSB that set out specific requirements for building security systems at critical facilities in Russia.
How to protect your company
A system is harder to attack if the attacker does not know how its security is organized or what equipment is installed, so such details should not be disclosed; this secrecy supplements the measures below but does not replace them. Security experts recommend the following actions to improve the cybersecurity of digital substations:
· Dividing the information flows of the various subsystems into physically separate segments of the substation’s data network, i.e. creating independent process and station (object) buses for each control function;
· Avoiding a single communication technology inside the substation, so that Ethernet and TCP/IP are not the only technologies in use;
· Using simplex (one-way) channels wherever one direction is sufficient for the application, for example one-way transfer from a digital CT or VT to the relay protection devices, which rules out an attack on the CT or VT itself from a compromised or faulty relay;
· Dedicating separate network segments to configuring and reconfiguring devices, and keeping those segments disconnected during normal operation (communication equipment powered down or connectors physically unplugged);
· Using firewalls to separate network segments at the physical level so that unauthorized functions cannot cross the boundary; since most firewalls today are implemented in software, the physical cut-off has to be provided deliberately;
· Using specialized firewalls for GOOSE messages passing between physically separated segments, with the ability to physically cut any signal out of service (the equivalent of the key switch on a traditional substation panel);
· Using simplified, highly specialized protocols for critical functions that cannot carry unauthorized information; general-purpose Ethernet and TCP/IP will transport any payload and are unsuitable here;
· Taking the human factor into account when designing systems;
· Retaining a minimum set of non-digital protection and control means: gas, arc and similar equipment protections are easy to build independently of the digital subsystems, acting directly on the circuit breakers and bypassing the digital control systems;
· Building integrated security and operations functions: a Security Operations Center (SOC) with continuous monitoring of information and events in a SIEM (security information and event management) system;
· Updating software regularly, rotating passwords, restricting user access and using encryption;
· Deploying decoy fragments of the dispatch computer network (honeypots) to detect insider reconnaissance, internal corruption and targeted malware infection;
· Not allowing wireless or remote access to the automated process control system (APCS) without authentication and authorization.
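The GOOSE firewall and SOC/SIEM items above describe checks only in prose. As an added example, not code from the article or from any vendor, the Python below shows what such a filter actually does with a frame: it parses the IEC 61850-8-1 GOOSE Ethernet frame (APPID, VLAN tag, the BER-encoded goosePdu), forwards it only if the publisher (source MAC, APPID, gocbRef, VLAN) is on an allow-list, and refuses frames whose stNum/sqNum run backwards, the signature of a replayed or spoofed trip message. The MAC addresses, APPID, VLAN and control-block names are constructed for the example, and the frames are built inline rather than captured.

```python
# Added example, not code from the original article: a minimal IEC 61850-8-1
# GOOSE frame parser plus the two checks a "GOOSE firewall" between substation
# segments would make before forwarding a frame. All MAC addresses, APPIDs,
# VLAN IDs and control-block names below are constructed, not real.
import struct

GOOSE_ETHERTYPE = 0x88B8
VLAN_ETHERTYPE = 0x8100
GOOSE_MCAST_PREFIX = bytes.fromhex("010ccd01")  # GOOSE multicast block 01-0C-CD-01-xx-xx


def _tlv(tag, value):
    """Encode one short-form BER TLV (value shorter than 128 bytes)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def _read_tlv(buf, pos):
    """Decode one BER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_goose(frame):
    """Extract the header and PDU fields a filter needs; ValueError if malformed."""
    dst, src, pos, vlan = frame[0:6], frame[6:12], 12, None
    ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
    if ethertype == VLAN_ETHERTYPE:        # 802.1Q tag, TCI = PCP(3) DEI(1) VID(12)
        vlan = struct.unpack("!H", frame[pos + 2:pos + 4])[0] & 0x0FFF
        pos += 4
        ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
    if ethertype != GOOSE_ETHERTYPE:
        raise ValueError("not a GOOSE frame")
    pos += 2
    appid, length = struct.unpack("!HH", frame[pos:pos + 4])  # Length counts from APPID
    if pos + length > len(frame):
        raise ValueError("truncated frame")
    pos += 8                               # skip APPID, Length, Reserved1, Reserved2
    tag, pdu, _ = _read_tlv(frame, pos)
    if tag != 0x61:
        raise ValueError("missing goosePdu")
    fields = {"dst": dst, "src": src, "vlan": vlan, "appid": appid}
    names = {0x80: "gocbRef", 0x81: "timeAllowedtoLive", 0x82: "datSet", 0x83: "goID",
             0x85: "stNum", 0x86: "sqNum", 0x87: "simulation", 0x88: "confRev"}
    p = 0
    while p < len(pdu):                    # t, ndsCom, numDatSetEntries, allData are skipped
        tag, value, p = _read_tlv(pdu, p)
        name = names.get(tag)
        if name in ("gocbRef", "datSet", "goID"):
            fields[name] = value.decode("ascii")
        elif name in ("timeAllowedtoLive", "stNum", "sqNum", "confRev"):
            fields[name] = int.from_bytes(value, "big")
        elif name == "simulation":
            fields[name] = value != b"\x00"
    for required in ("gocbRef", "stNum", "sqNum"):
        if required not in fields:
            raise ValueError(f"missing {required}")
    return fields


class GooseFilter:
    """Allow-list filter and replay check for one segment; decisions are log lines."""

    def __init__(self, allowed):
        self.allowed = allowed             # {(src_mac, appid, gocbRef): expected_vlan}
        self.last = {}                     # gocbRef -> (stNum, sqNum) of last forwarded frame

    def decide(self, frame):
        try:
            g = parse_goose(frame)
        except (ValueError, IndexError, struct.error) as e:
            return f"DROP: malformed ({e})"
        if not g["dst"].startswith(GOOSE_MCAST_PREFIX):
            return "DROP: destination outside GOOSE multicast range"
        key = (g["src"], g["appid"], g["gocbRef"])
        if key not in self.allowed:
            return "DROP: publisher not on allow-list"
        if g["vlan"] != self.allowed[key]:
            return "DROP: wrong VLAN"
        if g.get("simulation"):
            return "DROP: simulation flag set"
        st, sq = g["stNum"], g["sqNum"]
        prev = self.last.get(g["gocbRef"])
        # stNum must never go backwards; within one state sqNum must grow; a new
        # state starts at sqNum 0. (32-bit wrap-around is ignored in this example.)
        if prev is not None and (st < prev[0] or (st == prev[0] and sq <= prev[1])
                                 or (st > prev[0] and sq != 0)):
            return f"DROP: stNum/sqNum out of order (got {st}/{sq}, last {prev[0]}/{prev[1]})"
        self.last[g["gocbRef"]] = (st, sq)
        return "FORWARD"


def build_goose(src, appid, vlan, gocb_ref, st_num, sq_num, simulation=False):
    """Build a minimal well-formed GOOSE frame (constructed data, not a capture)."""
    pdu = b"".join([
        _tlv(0x80, gocb_ref.encode("ascii")),
        _tlv(0x81, (10000).to_bytes(2, "big")),     # timeAllowedtoLive in ms
        _tlv(0x82, b"IED1CFG/LLN0$TripSet"),         # datSet
        _tlv(0x83, b"GO1"),                          # goID
        _tlv(0x84, bytes(8)),                        # t (UTC timestamp, zeroed here)
        _tlv(0x85, st_num.to_bytes(4, "big")),
        _tlv(0x86, sq_num.to_bytes(4, "big")),
        _tlv(0x87, b"\x01" if simulation else b"\x00"),
        _tlv(0x88, b"\x01"),                         # confRev
        _tlv(0x89, b"\x00"),                         # ndsCom
        _tlv(0x8A, b"\x01"),                         # numDatSetEntries
        _tlv(0xAB, _tlv(0x83, b"\x00")),             # allData: one BOOLEAN (trip = false)
    ])
    apdu = _tlv(0x61, pdu)
    header = struct.pack("!HHHH", appid, len(apdu) + 8, 0, 0)
    tag = struct.pack("!HH", VLAN_ETHERTYPE, (4 << 13) | vlan)  # PCP 4, VID = vlan
    return (bytes.fromhex("010ccd010001") + src + tag
            + struct.pack("!H", GOOSE_ETHERTYPE) + header + apdu)


SRC_IED1 = bytes.fromhex("001122334455")             # constructed protection IED MAC
SRC_ROGUE = bytes.fromhex("66778899aabb")            # constructed attacker MAC
GOCB = "IED1CFG/LLN0$GO$Trip"
ALLOWED = {(SRC_IED1, 0x0001, GOCB): 10}             # IED1 may publish APPID 1 on VLAN 10


def demo():
    """Run a constructed frame sequence through the filter; returns the decisions."""
    f = GooseFilter(ALLOWED)
    frames = [
        build_goose(SRC_IED1, 1, 10, GOCB, 5, 0),               # normal heartbeat
        build_goose(SRC_IED1, 1, 10, GOCB, 5, 1),               # next retransmission
        build_goose(SRC_IED1, 1, 10, GOCB, 6, 0),               # genuine state change
        build_goose(SRC_IED1, 1, 10, GOCB, 3, 0),               # replayed old frame
        build_goose(SRC_ROGUE, 1, 10, GOCB, 7, 0),              # spoofed publisher
        build_goose(SRC_IED1, 1, 20, GOCB, 7, 0),               # right IED, wrong VLAN
        build_goose(SRC_IED1, 1, 10, GOCB, 7, 0, simulation=True),
        b"\x00" * 60,                                            # not GOOSE at all
    ]
    return [f.decide(fr) for fr in frames]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The stNum/sqNum rule is the same one a subscriber IED applies, so a filter that enforces it drops exactly the frames the protection relay would otherwise act on; the DROP strings are written as the log lines a SIEM would ingest, which is the point of the SOC item above. Note what the filter cannot do: GOOSE carries no authentication unless IEC 62351-6 is deployed, so a spoofed frame with the correct source MAC and a plausible, higher stNum passes every check here, which is why the article pairs the firewall with a physical cut-off.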
How to counter cyberattacks
Conclusion
The digitalization of the energy system and the use of intelligent technologies and sophisticated technical, information and communication equipment have increased the cybersecurity risks of energy companies.
Loss or corruption of information caused by cyberattacks on the information and communication subsystem can lead to emergencies both in the digital substation itself and in the wider system of substations. The cyber resilience of energy facilities is therefore critically important and must be addressed by technical as well as organizational means, including advanced training of operating personnel.