In an exclusive article, Anjos Nijk, managing director of the European Network for Cyber Security, provides a review of the cybersecurity wins and losses for 2018, and gives his predictions as to what to expect in 2019.
Here we are in November 2018, and perhaps we can start to tentatively look back at the year in energy cybersecurity and pass some initial judgements. It’s fair to say there have been some positive steps – especially on regulation and cooperation – and the headlines have certainly been calmer, with nothing in the league of 2017’s WannaCry or NotPetya making the front pages.
How are we to interpret that? When it comes to high impact, low probability scenarios like major cyber attacks on electricity infrastructure, it’s expected in a given year that there will be few problems.
So, it’s difficult to argue that 2018’s thus far quieter headlines are evidence of defensive success.
What’s the verdict then? In short, that we should celebrate and encourage the positive steps taken over 2018 while realising that there is still a long way to go.
In fact, looking ahead to 2019, we will need to do more, faster, to stay ahead of threats.
The quiet ones are the most dangerous: 2017 vs 2018
It may seem counterintuitive to begin a retrospective of 2018 by discussing the significant events of 2017, but it’s only human to view this year in light of what came before.
The big cybersecurity stories of 2017 were WannaCry and NotPetya. The former was a ransomware attack that eventually affected as many as 230,000 Windows computers worldwide using a leaked NSA hacking tool named EternalBlue. The vulnerability had already been patched by Microsoft, but not everyone had installed the update, making WannaCry a powerful reminder of the importance of good update hygiene. However, limited as it was to the IT realm, it wasn’t much more than that in the utility sector.
NotPetya was a bigger worry. In the spring of 2017, a Russian hacking group named Sandworm reportedly gained access to the servers of Ukrainian company Linkos Group.
The group used this to spread malware to every computer in the country running the company’s accounting software. But it didn’t stop there. It spread globally to all manner of companies, including utilities.
At first, it masqueraded as ransomware, with a demand for bitcoin payment to restore systems, but this was a ruse: the actual goal was simply destruction.
NotPetya caused approximately $10 billion in damages globally.
For utilities – along with all other sectors affected – NotPetya was a wake-up call to what was possible. Especially so given that Sandworm, the group behind the attack, had – allegedly – also orchestrated the successful attacks on the Ukrainian power grid in the Decembers of 2015 and 2016.
Those attacks had demonstrated that it was possible to infiltrate OT systems via IT ones and gain control of industrial control systems (ICSs) such as SCADA – the backbone of most grid infrastructure.
They also demonstrated that hackers can remain within systems for long periods of time completely undetected, waiting for an opportune time or a particular set of circumstances to converge before triggering an attack.
We can ask then: was the link between the two sufficiently defended? Was the system hardened by erecting barriers to prevent illegitimate commands? Was proper monitoring in place to detect threat actors in the system? The answer was ‘no’ in the case of the Ukraine attack, but what would be the answer for other grid operators across Europe?
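The two questions above, a barrier that rejects illegitimate commands at the IT/OT boundary and monitoring that records the attempts, as a small worked example. This is added illustration, not code from the article, ENCS or any grid operator; the network zones, addresses, command names and log lines are all constructed assumptions, and a real deployment would parse the actual ICS protocol rather than this simplified log format.

```python
"""Added example: IT/OT boundary policy check with alerting over sample events.

Assumptions (constructed, not from the article): an engineering subnet that may
issue control writes, one read-only historian host, an OT zone, and a log line
format of '<timestamp> <src-ip> <dst-ip> <command>'.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

ENGINEERING_ZONE = ipaddress.ip_network("10.10.20.0/24")   # may write to ICS devices
MONITORING_HOSTS = {ipaddress.ip_address("10.10.30.5")}     # historian, read-only
OT_ZONE = ipaddress.ip_network("10.10.0.0/16")              # the whole OT network

WRITE_COMMANDS = {"WRITE_COIL", "WRITE_REGISTER", "OPEN_BREAKER", "CLOSE_BREAKER"}
READ_COMMANDS = {"READ_REGISTER", "READ_STATUS"}


@dataclass(frozen=True)
class Event:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    cmd: str


def parse_event(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, src, dst, cmd = line.split()
    return Event(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), cmd)


def check(evt: Event) -> Optional[str]:
    """Return None when the command is allowed, otherwise the denial reason."""
    if evt.src not in OT_ZONE:
        # Anything reaching ICS devices from outside OT is the IT-to-OT path
        # the Ukrainian attacks used; it is denied and flagged regardless of command.
        return "source outside OT zone (possible IT-to-OT pivot)"
    if evt.cmd in WRITE_COMMANDS:
        if evt.src in ENGINEERING_ZONE:
            return None
        return "control write from non-engineering host"
    if evt.cmd in READ_COMMANDS:
        if evt.src in ENGINEERING_ZONE or evt.src in MONITORING_HOSTS:
            return None
        return "read from unapproved host"
    return f"unknown command {evt.cmd}"


def evaluate(lines: List[str]) -> Tuple[list, list]:
    """Split events into (allowed, denied); denied entries carry their reason."""
    allowed, denied = [], []
    for line in lines:
        evt = parse_event(line)
        reason = check(evt)
        if reason is None:
            allowed.append((evt, None))
        else:
            denied.append((evt, reason))
    return allowed, denied


def alerts_by_source(denied) -> dict:
    """Summarise denied events per source so a monitoring team sees who is probing."""
    summary = defaultdict(lambda: {"count": 0, "writes": 0, "reasons": set()})
    for evt, reason in denied:
        entry = summary[str(evt.src)]
        entry["count"] += 1
        if evt.cmd in WRITE_COMMANDS:
            entry["writes"] += 1
        entry["reasons"].add(reason)
    return dict(summary)


# Constructed sample log: an engineering workstation doing legitimate work,
# a corporate IT host reaching into OT, and the historian attempting a write.
SAMPLE_LOG = [
    "2018-11-02T03:14:07Z 10.10.20.15 10.10.50.3 READ_STATUS",
    "2018-11-02T03:14:09Z 10.10.20.15 10.10.50.3 WRITE_REGISTER",
    "2018-11-02T03:15:01Z 10.1.44.200 10.10.50.3 READ_STATUS",
    "2018-11-02T03:15:02Z 10.1.44.200 10.10.50.3 OPEN_BREAKER",
    "2018-11-02T03:16:30Z 10.10.30.5 10.10.50.3 READ_REGISTER",
    "2018-11-02T03:17:00Z 10.10.30.5 10.10.50.3 CLOSE_BREAKER",
]

if __name__ == "__main__":
    ok, bad = evaluate(SAMPLE_LOG)
    print(f"allowed={len(ok)} denied={len(bad)}")
    for src, info in alerts_by_source(bad).items():
        print(src, info["count"], "denied,", info["writes"], "writes:", sorted(info["reasons"]))
```

The point of the summary step is the monitoring half of the question: a denied write is a barrier doing its job, but a source that keeps generating denials is the signal that someone is already inside and probing, which is exactly the dwell-time scenario the Ukrainian attacks demonstrated.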
If NotPetya hinted at the scale of destruction possible, and the Ukrainian grid attacks showed us that hackers could remain undetected in the system, then there’s an important conclusion we can draw. The fact that 2018 was quiet doesn’t mean we are safe. You could argue that the attacks that make the biggest bang – because they hit as widely as WannaCry and NotPetya – are less of a worry than smart, targeted attacks that purposefully fly under the radar.
A quiet 2018?
In fact, there is every indication that criminal and nation-state groups are increasing their activities. The US, for example, reported infiltrations into their grid operators in both March/April and June/July. There is no reason to suppose Europe isn’t similarly being targeted.
The fact that no major breaches have been discovered (or publicised) doesn’t preclude the chance that there is one underway right now.
Hackers also move more quickly than the energy industry, combining the agility of individuals and small groups with knowledge sharing across worryingly broad networks. It’s a powerful combination that means we risk being left behind.
In any case, the task for utilities remains the same. On the one hand, there is work to be done monitoring for suspicious activity, mapping out both IT and OT architectures (as well as the links between them) and looking for vulnerabilities. On the other, there are significant changes underway in how utilities procure secure equipment as they transition to smarter systems, on how employees interact with systems and with how information and experience in combating threats are shared across the industry.
There are some real signs of progress this year that are to be welcomed, especially at the European level.
We have seen greater cooperation between European associations such as EDSO and ENTSO-E and we at ENCS have continued our work with these organisations and others. This type of collaboration produces research and standards that can guide utilities in creating secure environments and procuring secure components.
There has also been tangible progress at the EU level, with the Directive on security of network and information systems (NIS Directive) coming into force in May.
The NIS Directive applies to all ‘operators of essential services’, including utilities.
It calls upon the Member States to put in place stringent measures to protect such sectors, including a national cybersecurity strategy, a computer security incident response team (CSIRT) and a national NIS authority.
It also, encouragingly, stresses the importance of information and knowledge sharing across the Member States and companies, which is essential to effectively combat cyber threats and one of the foundational principles of ENCS. In fact, the board of utilities is now explicitly liable for cybersecurity incidents.
As a result, we have seen security standards such as the ISO 27000 and IEC 62443 series come into play after a long incubation period. It’s fair to say that European regulators can reflect on a year of solid progress in cybersecurity. However, the question of incentives for manufacturers to resolve vulnerabilities in their products has still not been addressed.
Looking to the future
In many ways, we must hope that 2019 offers more of the same: more quiet headlines, more progress on awareness, and further implementation of good security practices and regulations. We will see further developments with the Cybersecurity Act and a network code for cybersecurity as part of the Clean Energy Package.
We will need to see greater and faster progress, though, on some of the measures these regulations have laid out. Good security requirements for systems and operators and cross-border information sharing frameworks have all been hampered by the perennial cybersecurity skills gap in the sector.
We need people trained, communities built, mechanisms implemented and governmental support from both the EU and the Member States to ensure these are fit for purpose. Much of the success of 2019 will be judged on this.
We also need, in general, to significantly increase both the scale and speed of our efforts in the ‘good guys’ camp. Utility executives have grown accustomed to a breathtaking pace of change during these past few years of the energy transition. That is nothing compared to the speed with which threats develop in the cybersecurity world.
Just look at the NIS Directive, which traces its roots back to 2013 before implementation half a decade later. Think about the laptop you had five years ago, or the phone in your pocket – technology moves at a pace that regulators can’t always handle.
As an industry, we can’t afford to wait for regulation or standardisation to act. As we look ahead to 2019 where the grid rapidly gets ever smarter, ever more connected, and we start to see devices such as electric vehicle chargers and domestic and commercial storage proliferate, we need to pick up the pace. It is essential that grid operators harmonise security requirements and best practices, drawing on the expertise in their community. ENCS actively focuses on expert community building in the domains of security policy, architectures and operations and we have seen the value of collaboration in the sector.
So, back to that verdict. I think the energy sector can look back over 2018 from a cybersecurity perspective with a sense of guarded optimism. There has undoubtedly been progress – both in the intangible aspects such as ‘awareness’ and in solid ones such as increased security testing, training and implementation of security requirements and standards by grid operators. The trick will be to ensure we stay awake and don’t become complacent.
There is a lot of work yet to do to ensure this isn’t the silence before the storm. SEI
About the author
Anjos Nijk is managing director of the European Network for Cyber Security (ENCS). In addition to his duties with ENCS, he is a member of the steering committee of the Smart Grids Task Force of the European Commission Directorate-General for Energy, a member of the Cyber Security Expert Group and ENCS liaison with European associations including EDSO, ENTSO-E and EUTC.