Absolute power corrupts, but a power outage disrupts absolutely.
Over the past 10 years, a new form of “economic warfare” has emerged in which nation-states attack the critical infrastructure of countries perceived to be a rival, with the goal creating mass disruption with a much lower risk of open conflict than conventional warfare.
Among recent examples are Sandworm, a hacking group widely believed to be affiliated with Russian military intelligence, which has launched multiple attacks targeting electric grids.
As a region facing massive economic growth and transformation, the Asia Pacific region is certainly not immune to such threats. A recent report found that only 47% of utility executives considered themselves well-prepared to restore normal network operations in the event of a disruptive cyberattack. As the demand for energy is expected to almost double in Asia Pacific by 2030, electric utilities represent a distinct target for threat actors.
This growing threat has also driven a greater recognition of the need to improve defences in operational technology (OT). The Cyber Security Agency of Singapore recently published its Operational Technology Cybersecurity Masterplan which outlines initiatives for OT cybersecurity, including for the energy sector. Taiwan has also developed its National Cyber Security Program, recognizing the threat to its key infrastructure such as power plants.
Power generation plants, along with much of the world’s industrial apparatus, have become increasingly automated and connected over the past 30 years. Automated industrial control systems (ICS) now drive many key operational processes, and this has delivered profound increases in operational efficiency but has also increased the attack surface of these environments.
This is especially pertinent in ASEAN, which aims to source 23% of its energy from renewable sources by 2025. Energy sources such as wind and solar power are intermittent in nature, relying on digital technologies such as smart meters and distributed grid systems to stabilize their supply. Hackers are increasingly exploiting this newly-connected terrain to conduct reconnaissance, gain remote access, and in some cases, mount attacks. It is therefore imperative that plant operators have well-planned cybersecurity strategies in place.
Systemic risk exposed
Corporate IT networks have the luxury of off-hours to conduct system maintenance and patch vulnerabilities. On the other hand, power generation plants operate around the clock, which can mean the simple task of rebooting a workstation to update its software can bring operations to a costly or even dangerous halt.
Further complicating vulnerability management for these companies is the twenty-five-year (or more) lifecycle of most operational technology (OT) assets, which often run proprietary applications supported by legacy operating systems. Many of these systems were never designed to be patched, leaving them exposed. Upgrading this expensive hardware and software can be cost prohibitive for most organizations but vulnerabilities are of little consequence in the absence of credible threats. Unfortunately, the last several years have borne witness to a marked increase in the rise of capable and willing OT attackers.
Malware, ransomware and the persistent threat
In some instances, malware threats are purpose-built to specifically target OT environments. Recent examples in the energy sector include the successful attack on three Ukrainian energy distribution companies, and recent attempts to infiltrate the US power grid. These are generally believed to be the result of nation-states attempting to shut down the critical infrastructure, or to establish persistence within the network as a base from which to initiate some future malicious activity.
More frequently the risk comes from “spill-over” between the IT and OT networks. Ransomware attacks such as WannaCry and NotPetya initially penetrated dozens of industrial sites through the IT network but subsequently jumped the gap to the OT network, causing massive outages and costing operators hundreds of millions of dollars in downtime and lost revenue. In a study by Cisco, 25% of organizations in APAC have already experienced an OT attack, and security leaders in the region have identified ransomware as their top cybersecurity risk.
Expanding attack surfaces
Not long ago, OT attack capabilities were the exclusive property of a few well-resourced militaries and foreign intelligence services, but this has changed as the pool of actors capable of disrupting industrial infrastructure has ballooned to include many more nation-states and even non-state actors.
In addition to falling barriers to entry, the OT attack surface is expanding at an exponential pace. As more and more networked OT assets and other IoT devices populate power plants, attackers are leveraging this newly-connected terrain to access previously hardened targets. This attack surface extends far beyond the confines of a single OT network— it is often globally-dispersed and rife with multi-party interfaces. Each of these connections constitutes new, unmonitored threat vectors that are ripe for exploitation.
Third party management and support in OT networks are in some cases a necessity and require access to support equipment. In doing so, power plants are trusting that their partners follow stringent cyber security controls and practises. Many security breaches have been conducted through these types of third-party vendors who have proved to be the weakest link in the chain.
You cannot protect what you cannot see
OT attacks on power generation plants can result in blackouts, disrupting the everyday lives of citizens, causing reputational damage to power suppliers. The length of time it may take to restore full generation capacity and repair the damaged equipment could lead to months of reduced capacity and increased load on other areas of the grid.
Power generation plant teams must understand the normal behavior of each OT asset and gain system—wide, holistic visibility of all resources in order to make informed decisions about controls and defenses. Installing the right visibility software and security analytics, in addition to having a designated cybersecurity expert in charge of assets, will enable power generation plants to detect threats and protect their devices and processes.