Cybersecurity is a hot topic across nation states and businesses. We talk to Annabelle Lee from Nevermore Security about combating cyber risks in the energy sector.

With the advent of the global reach of web-based networks and interconnectivity, and an increasing reliance on IT to manage business and governmental functions, cybersecurity has become a huge concern. Comparitech argues that 2016 and 2017 ‘were pivotal years in cybersecurity, marking both rapid growth in mischievous and harmful online criminality, as well as increasingly rapid responses to digital crime.’ It predicted that global cybercrime damages would reach $6 trillion by 2021.

So what can be done? We talked to Annabelle Lee, founder and director of Nevermore Security, about her expertise in the field of cybersecurity.

Nevermore Security specialises in providing cyber resilience guidance for the energy sector, identifying priority risks and offering strategies and solutions to protect energy utilities.

Thanks for talking to us, Annabelle. Your company offers cybersecurity consultation for the energy sector. What are the threats that countries and companies face?

Corporate and industrial networks, which form a multilevel hierarchical infrastructure in modern industrial companies, are increasingly being integrated. The control systems in operation today are complex webs of old and new technology provided by a range of original equipment manufacturer (OEM) vendors.

Historically, the combined effect of proprietary technologies and physical isolation protected these control systems from Internet-based attacks that are so prevalent in common internet protocol (IP) communication technologies and commercially available information technology (IT) software.

As the industry looks to the future, however, operators seek to leverage the efficiency provided by these new communication technologies and are connecting these older systems to new systems.

It is this change which is creating new risks for companies and countries.

Are there particular groups that pose a significant threat?

There are quite a few groups who have an interest in disrupting critical infrastructure ICS systems. They include:

  • Nation state-backed groups, who target ICS to achieve geopolitical goals.
  • Criminals, who want to extort companies for monetary gain.
  • Hacktivists, whose aim is to promote a social, political or ideological cause.
  • Insiders, who inadvertently or maliciously disrupt for personal gain.

Recent high-profile attacks indicate that threat actors are using more sophisticated techniques that exploit vulnerabilities in IT networks to penetrate the operational technology (OT) systems.

The 2010 attack on Iranian centrifuges, known as Stuxnet, relied on complex malware and physically destroyed PLCs. Stuxnet was introduced through a universal serial bus (USB) stick drive.

Malware introduced via spear phishing and social engineering was used to cause severe physical damage to a German steel mill in 2014. Once inside, the attacker used captured credentials and IT connectivity to the plant’s OT network to deregulate critical systems and cause physical damage.

In the 2015 BlackEnergy attack on a Ukrainian power grid, increasingly networked OT environments opened the door for commodity malware to become a significant threat.

Unfortunately, offensive cyber tools are becoming commonplace, lowering the bar for rogue nations, jihadists, and hacktivists to get into the ICS attack game.

What have been the fundamental changes over the past twenty-five years concerning cybersecurity in the electric sector?

The electric grid is undergoing a convergence of IT and OT. With grid modernisation, there are now two-way communications and increased digitalisation of electric sector devices. Until recently, communications and IT equipment were typically seen as supporting power system reliability. However, increasingly the power sector is getting more dependent on communications and IT, and they are becoming more critical to the reliability of the grid.

ICS/SCADA systems were originally isolated from the outside world. Sensors would monitor equipment and provide that information to a control room centre.

As networking technology has advanced and become more accessible, organisations have made decisions to integrate systems. This change means that a physical connection to the outside world via the Internet now exists. It opens the way for a determined attacker to leverage zero-day vulnerabilities and social engineering to find a path through the corporate network to these once isolated systems.

Aside from targeted attacks, there is also a constant threat of a path opening from hardware and software vulnerabilities. Infected USB drives, websites, and everyday social engineering attempts on a corporate network may open up paths to an ICS/DCS/SCADA network for the adversaries.

Finally, the renewables sector, which has incorporated new digital technologies and interconnection, poses new potential cyber risks.

What is unique about what your company offers to clients?

I have worked in the field of cybersecurity since the late 1980s. Initially, we called it ‘computer security.’ The focus was on IT and protection of sensitive information, such as personal information and company finances.

I started working on critical infrastructure cybersecurity in 2004, working at the US Department of Homeland Security. I then returned to the US National Institute of Standards and Technology (NIST) in 2008 and led the development of the NIST Interagency Report 7628, Guidelines for Smart Grid Cyber Security. This was the first document that focused on the electric sector. Over 100 volunteers from around the world worked on this document. It has been used internationally.

It is essential to understand the distinction between the cybersecurity needs of the electric sector and OT environment and those of the IT environment. I have worked with multiple utilities to understand this environment.

Also, I am involved with several Department of Energy (DoE) research projects, and I participate on a Security Advisory Committee for two of the DoE laboratories. This experience gives me a perspective on research trends.

What do you feel will be the key emerging trends over the next decade, and how will your company aim to respond to them?

The continually changing threat and technology environments in the electric sector pose a significant challenge.

New technology is deployed with legacy devices that are 20-30 years old. The older technology does not address cybersecurity, and it is not possible to bolt on cybersecurity to these devices.

Since many of these legacy devices are very expensive, in the millions of dollars, and have procurement lead times of years, the devices will not be quickly replaced.

Also, to take advantage of the new technology, such as renewable resources, systems need to be interconnected. This interconnection increases the attack surface for malicious actors.

This combination of new and legacy technology is a challenge for the electric sector, which must ensure the reliability and availability of the grid. Therefore, utilities are conservative in deploying new technology and upgrading existing systems and devices.

Finally, the new OT devices will have a lifetime of 20 to 30 years, unlike the IT devices that are updated in three to five years. This situation requires utilities to consider how to protect systems and devices against future attacks and vulnerabilities.

My company works with utilities to manage these risks. We think we will be very busy over the coming years!