Does the trend towards a more distributed electricity network increase the threat of cyber-attacks?
Cybersecurity is undoubtedly a hot topic. Internet service provider Beaming’s Cyber Threat Q3 2019 Report published in October revealed a 243% year-on-year increase in the number of cyber-attacks on UK companies.
A fifth of these hacks targeted an Internet of Things (IoT) device which could be remotely controlled, such as a smart meter.
An inquiry from the House of Commons Public Accounts Committee released in June warned: “The UK is more vulnerable to cyber-attacks than ever before”.
Its analysis states threats are evolving fast and becoming more complex as the boundaries between criminal gangs and hostile countries become blurred.
Cybercrime in the UK costs tens of billions of pounds a year, but often the impact is far bigger than the financial loss.
Remember the 2017 WannaCry ransomware attack? It infected 200,000 computers across 150 countries. But it also hit vulnerable IT systems in 47 NHS trusts, causing chaos in GP surgeries and many other parts of the health service.
The combination of readily available high-grade malware and IT system weaknesses is a potentially lethal cocktail.
And it’s not just a small band of elite, well-funded hackers we need to fear. Today, anyone armed with a laptop and enough technical knowhow can launch a potentially devastating attack on our critical infrastructure.
Ciaran Martin, CEO of the National Cyber Security Centre (NCSC), the body charged with tackling cybercrime, admits “…it is a matter of when, not if, the UK faces a serious cyber-attack”.
Susceptibility Of Smart Devices
So what does this mean for our power supplies? The industry is only too aware of this increasing threat.
In a 2017 interview with the Guardian newspaper, the former head of National Grid Steve Holliday acknowledged: “Nowhere else is as worried as the UK about cyber threats. We are just off the scale on our energy system concerns on cyber.”
Funnily enough, this warning came a few weeks after state-sponsored hackers managed to compromise the UK grid on 8 June 2017, the day the country voted in the General Election. Leaked memos from intelligence agency GCHQ pointed the finger at the Russian-based Dragonfly group.
Historically, the UK’s energy network is concentrated in a small number of big coal, nuclear and hydroelectric power plants.
Such facilities use strict industry protocols and have robust physical security procedures that are hard to penetrate. Hacking into them is nigh-on impossible because they don’t connect to any outside networks.
Therefore any attempt to infiltrate the grid will take place in other parts of the network. Defences are easier to breach in the various generation, transmission and distribution systems connected to the grid.
This becomes more important as the role of renewables and distributed energy grows hand-in-hand with the rise of internet-connected devices.
The government wants smart energy meters installed in every UK home by 2020. While progress so far suggests this ambitious target won’t be met, the pledge raises legitimate security concerns.
Dr Ian Levy of GCHQ wrote on the NCSC website that the agency was confident the rollout of smart meters struck the “best balance between security and business needs,” although he admitted “no system is completely secure and nothing is invulnerable”.
This doesn’t just apply to smart meters, but all the other intelligent devices we come to rely on in our day-to-day lives. Virtual assistants, smart TVs, internet-connected heating systems, fridges, washing machines – you name it, there’ll probably be a ‘smart’ version available.
And when they get installed, you’d be surprised how many people – including experienced engineers or technicians – don’t bother to update the default password. This offers cyber-villains a route into potentially manipulating the electricity grid.
At first glance, hacking a single smart TV or kettle wouldn’t make too much difference. But what if it’s thousands – or millions in extreme cases – of devices all powering up at the same time?
Triggering such a scenario in the middle of the night when the network isn’t ready for such a massive power surge could play havoc with the network.
On a similar theme, what if devices affected by cyber-attacks started to feed incorrect data back to the grid?
This could exaggerate or understate the true demand for power, causing chaos with smart grids which depend on accurate real-time information to balance supply with demand.
A report published in the Risk Analysis journal a few months back estimated a small-scale cyber-attack centring on London’s electricity network could cost £111.4 million a day.
The ‘Cyber-Physical Attacks on Electricity Distribution Infrastructure Networks’ analysis outlined several scenarios ranging from a four-substation event (which would cost £20 million a day) to an incident targeting 14 substations.
A Growing Global Threat
While our attention lies predominantly here in the UK, cyber-attacks on power grids are a worldwide cause for concern.
The most obvious example took place just before Christmas in 2015 at the height of ongoing tensions between Russia and Ukraine.
A strain of malware dubbed ‘BlackEnergy’ closed down 30 electricity substations throughout Ukraine, leaving nearly 250,000 people near the capital Kiev without power for around six hours.
But there are plenty of other cases over recent years worthy of mention. ‘Trisis’ malware infected the safety system of a major oil and gas company in the Middle East, which gave the cyber-hackers the power to potentially shut a plant down.
Spring 2019 saw the United States’ Department of Energy admit that a cyber event was affecting power grids in California and Wyoming.
This incident didn’t lead to a power cut or disrupt generation. However, it did compromise security and control devices linked to the network.
A few months after this event, the US Senate passed the Securing Energy Infrastructure Act (SEIA). Interestingly, a key part of the new legislation focused on using seemingly retro technologies to enhance grid security.
It will use analogue and even manual technology in a bid to isolate the network’s most important control systems. This will hopefully limit the impact of any cyber-related outage.
The press release announcing the SEIA explained: “This approach seeks to thwart even the most sophisticated cyber-adversaries who, if they are intent on accessing the grid, would have to actually physically touch the equipment, thereby making cyberattacks much more difficult.”
October, meanwhile, saw a suspected cyber-attack on Kudankulam Nuclear Power Plant (KNPP) in India. Malware gained access to the plant’s admin network, although it did not compromise critical systems, which are contained in an isolated network.
KNPP issued a complete denial of any incident, claiming systems linked to the functioning of the plant “are not connected to outside cyber-networks and the internet”.
However, several credible media sources stated a foreign country had tipped off the Indian government that the hack had indeed taken place, with the perpetrators gaining domain controller-level access at KNPP.