Hackers can take down energy systems
The Titanic was unsinkable—until it sank. The Danish energy infrastructure may suffer the same fate if it is not constantly updated to withstand the thousands upon thousands of cyberattacks that its digital control systems are exposed to every single day. It is an eternal battle between the hackers and the authorities responsible for the energy infrastructure, points out Jørgen Spangsberg Christensen, CTO at Green Power Denmark and chairman of the joint competence centre for cyber and information security EnergiCERT, which is a united defence front of the electricity, gas, and heating companies against cyberattacks on the Danish energy infrastructure.
“There are still no examples of hackers or saboteurs succeeding in penetrating deeply into the Danish infrastructure in Denmark. But everything that is made by people can also be circumvented by people,” Jørgen Spangsberg Christensen says.
He explains that EnergiCERT specializes in assessing the technical ability of hackers and saboteurs and identifying the energy system’s vulnerabilities.
On a scale from 1 to 10, how big is the risk of us experiencing an outage of, for example, the electricity system due to a breach in our digital devices in Denmark?
“The vast majority of attacks on the infrastructure’s digital systems are carried out by criminals as a means of extorting money from those responsible. And these criminals do not yet seem to have the ability to take down the entire system. They typically only cause local damage,” he says and adds that the situation looks different when it comes to foreign powers, some of which “certainly have the capacity.”
“Certain countries are capable of getting people on the ground and breaking into the most secure places. But if these states actually do that, we are in for something akin to war. The question is whether they have the will to do it. I cannot assess that.”
Electricity infrastructure is the least vulnerable
A vulnerability of the energy system’s digital control system is that it is based on operational technology (OT). The term covers both hardware and software, which are built into, for example, alarms that monitor the electricity, gas, and heating networks for faults. Using switches, the technology makes it possible to remotely connect and disconnect lines based on detected changes in the system’s electrical cables, piping, fans, routers, etc. These can be changes in temperatures, amperage, pressure, flow rate, and a large number of other parameters characteristic of the energy system. This summer, Danish specialists worked on an in-depth analysis for the European Commission, which pointed out the places where that type of digital device can be found, for example in submarine cables in the waters around Europe.
“OT is found in all digitalised critical infrastructure. So the risk of cyberattacks applies to all critical infrastructure,” Jørgen Spangsberg Christensen says. He sees a tendency to view electricity infrastructure as the most critical infrastructure. But many overlook that a number of authorities and companies have secured themselves with their own backup supply in the event of a blackout. So it is actually water, wastewater, and district heating that represent the most critical infrastructure because there is rarely a backup if the system goes down.
“So, EnergiCERT actually focuses at least as much on other infrastructure that isn’t electricity, and we are in dialogue with several other infrastructure sectors regarding them joining EnergiCERT,” Jørgen Spangsberg Christensen says.
Less competition, fewer updates
Operational technology also makes the systems vulnerable because fewer companies have specialized in it. All Danes together have millions of PCs, but there are only 35 energy companies in Denmark. This makes it less attractive to develop services for the energy system.
“The consequence is that there is much less development in the energy area, which is thus a niche market,” Jørgen Spangsberg Christensen says.
Another challenge is that data technology is used much longer in critical energy infrastructure than it normally is in society’s vital systems.
“Computer technology is used significantly longer in the energy system. It’s not replaced every five years, as digital solutions are as part of the ongoing updates normally used to keep the system up to date,” he says.
Internet is a vulnerability
Obsolete systems are naturally more difficult to protect against hacking and sabotage. It is therefore important to ensure that these parts of the energy infrastructure cannot be accessed via the Internet.
“When working in the OT domain, one has to be particularly aware that some of its devices communicate via the Internet using specially encrypted standards. One has to be careful when using them, as they can open the way for hackers via e.g. phishing emails and allow them to unlawfully gain access as a system administrator,” Jørgen Spangsberg Christensen says.
He refers to the fact that large parts of the critical energy infrastructure are 10, 20, or 30 years old and are thus based on an outdated safety standard.
“The control systems that could not be hacked 10 years ago do not use the standard we have today. These are examples of systems to which outsiders must not be able to have access at all. They must only be part of closed networks, they must not be accessible on the Internet in any way,” he says and points out that the segmentation of networks is one of the most important initiatives to keep older systems secure.
Kalundborg Forsyning hacked
The situation could, for example, have ended up very badly when Kalundborg Forsyning was hit by a ransomware attack back in August 2021. During the attack, cybercriminals locked down access to the utility’s data, and the company assumed that the attack was launched “for the sole purpose of obtaining a ransom to make data available again.” With the help of the police and the Centre for Cyber Security, the utility immediately started the process of protecting the digital access to the facilities, which fortunately turned out not to have been compromised.
However, this was not the case for the Ukrainian electricity supply—several times back in 2015 and 2016, hackers infiltrated the electricity grid and created extensive power outages that affected hundreds of thousands of customers. Significant parts of the capital Kiev went black. The hackers prolonged the agony by simultaneously ensuring that the staff in the control room could not see the outage on their screens. In addition, they made sure to overload the telephone lines so much that it was impossible for the affected customers to get through.
“The cyberattack on the Ukrainian energy infrastructure is the most extensive we have seen anywhere so far. And this was clearly not a classic attack, which is carried out to blackmail someone for money. It was an attack launched by a state that most people can probably guess the name of today,” Jørgen Spangsberg Christensen says.
Remember to lock the back door
The biggest fear of those responsible for critical infrastructure is that there are unknown vulnerabilities in imported control systems. Such vulnerabilities can be fatal, which is evidenced by the hacking of Maersk at the end of June 2017, when the digital systems of the port operating company APM Terminals, Maersk Line, and the logistics company Damco were all hit by a Russian virus which was hidden in Ukrainian software. The NotPetya virus disabled computers and software, paralyzing the company’s container ports around the world and cutting off all telephone contact with the company. This made it impossible for customers to find out where their shipment was. Maersk spent weeks getting the situation under control, which, among other things, required a shutdown of all IT systems. The digital clean-up and loss of revenue amounted to just under DKK 2 billion.
“This case is an example of how a company can do its job well enough and still become the victim of a cyberattack because the hackers manage to find a backdoor,” Jørgen Spangsberg Christensen says and continues:
“It underlines how important it is that authorities and companies design the systems based on the realization that they will definitely be hacked—it is far better than designing them based on the belief that it probably won’t happen.”
Practice makes perfect
The risk of Denmark’s critical energy infrastructure actually being hacked has caused the energy industry to intensify its testing of the systems. The exercises involve managing the energy system without the use of IT systems and telephony. Instead, all manoeuvres must be initiated via special emergency communication systems.
EnergiCERT’s threat assessment per 3/10 2022 is BLUE
This assessment is based on:
• A general risk of serious hacking activity, malware, or other malicious activity.
• Potential for harmful cyber activities, but EnergiCERT does not see any cyber activities among its members that can be expected to affect critical infrastructure.
• The geopolitical situation—especially regarding gas pipelines—which entails an increased risk of cyberattacks in relation to the war in Ukraine. However, we believe that these attacks will be on the same level—that is, DDoS and ransomware attacks, which have a high degree of credible deniability and a low chance of affecting critical infrastructure.
• Unchanged attack patterns against the Danish energy and utility companies and no indications from international partners that this is not the case in other countries.
• Many companies in the sector are well protected against current attack methods, which means that the risk of damage is relatively low.
Source: https://energicert.dk/publikationer/
“If our IT system is compromised and we cannot trust it, then it is equivalent to turning off all the traffic lights in Copenhagen. It would cause some chaos when people have to drive home, but the roads are still there. It’s still possible to use them,” Jørgen Spangsberg Christensen says. He says that the authorities have developed emergency routines that make it possible to operate the energy system manually, corresponding to e.g. driving according to the duty to give way to vehicles approaching from the right when the traffic lights are not working.
“If it’s been a long time since we’ve practiced driving according to the duty to give way to the right, it will take some time before we get used to it. But once we do, it starts rolling again. These are the same emergency procedures we have for IT when the vital parts are no longer reliable.”
How often do you run these procedures?
“Often enough. I’m not going to say more,” Jørgen Spangsberg Christensen says, but highlights the fact that there has also been a greater focus on security at EU level.
“The President of the European Commission Ursula von der Leyen recently asked the national authorities of the member states to stress test their critical infrastructure. We don’t yet know what it specifically entails, but it’s a way of ensuring a minimum standard to make sure that all countries have done what we have already been doing for years. Whether that means that we’ll have to do something different or do more than we have done so far, I don’t know yet. But we will look into it,” Jørgen Spangsberg Christensen says.
