Secure-by-Design (part 1) – The cyber threat, and regulatory expectations

Cyber attack is a very real threat to the safe and reliable operation of energy transition assets. Attacks can remove or prevent access to data and information technology (IT) systems that an asset relies upon to operate safely, for example the engineering drawings, maintenance schedules or permit-to-work system. Without these systems, the asset must be shut down. Alternatively, an attack that exploits vulnerabilities in operational technology (OT) – the physical automation and control systems of the asset – can, in the worst case, lead to a major accident.

But who are the attackers and what havoc can they wreak? What does the regulator have to say about the threat? And what can an organisation do to mitigate the cyber risk?

This article is the first of a three-part series that aims to address these questions and more and set out an approach to help ensure energy transition assets are “secure-by-design”.

WHO ARE THE ATTACKERS?

There are three main groups of cyber hackers, each increasingly well resourced. At the lower end there are the individual perpetrators, whether the rebellious teenager operating from their bedroom or the more experienced hacker. They are not targeting any specific organisation; rather, they are seeking an open IP address. This can be exploited by simply sending a credibly formatted and worded “phishing” email that an inattentive employee clicks on. Now the organisation has “malware” to deal with, whether a disruptive virus or even a “ransomware” demand. In the summer of 2017, the devastating NotPetya virus exploited vulnerabilities in a Windows server of the Danish logistics giant Maersk (Ref. 1). The virus attacked and encrypted the organisation’s global management systems, including its container booking program. Unable to operate safely or commercially, the company suffered downtime that forced a 20% drop in shipping volume over ten days. Eventually, data and systems were recovered via a server in Ghana which, fortuitously, had been disconnected at the time of the attack due to a local power outage.

The other type of individual perpetrator is the malicious insider – the employee or sub-contractor who, whether for personal benefit or to act on a personal grievance, uses their authorised access to IT and OT systems to cause harm to the company. It is this privileged access that can sometimes pose the biggest threat to a company.

The second group comprises the organised, criminal gangs – the “hacktivists”. DarkSide is believed to have been the perpetrator of the cyber attack on the Colonial Pipeline Company in the USA in May 2021 (Ref. 2). The company halted all gasoline and jet fuel pipeline operations due to ransomware that impacted the computerised billing system. Unable to bill customers, the company shut down the pipeline and paid the 75 bitcoin ($4.4 million USD) demanded by the hacker group. Operations did not return to normal for nine days. Fuel prices surged to their highest in seven years.

Whilst oil and gas operators are prime targets for hacktivists, renewable energy companies are also fair game. For instance, Hep Global, a German renewable energy company that manufactures and operates solar power parks worldwide, was targeted by the Darkrace ransomware group in June 2023 (Ref. 3). All potentially affected systems were immediately taken offline by the company to limit any impact on customers.

The third and best resourced group comprises the nation state “actors”, for example, China, Russia, North Korea, and Iran. Their goal may be espionage or political messaging, or to disrupt and damage critical infrastructure. As Russia invaded Ukraine in 2022, as well as taking down more than a dozen government websites, there were attacks on the power grid infrastructure, including attempts to shut down electrical substations. These “denial-of-service” attacks would have used ransomware, “wipers”, and other malware. Some attacks were thwarted (Ref. 4), though their scope and severity are believed to have been more sophisticated and widespread than publicly reported (Ref. 5). It is conceivable that some online systems that the assets depended upon ceased to respond, and that certain industrial control systems were unable to retrieve sensor data or control critical processes.

An energy transition organisation is in business and hence a potential source of income for cyber hackers – whether that’s the lone hacker on a phishing trip, or a hacktivist group on a well-resourced, targeted campaign. Some assets may even attract the bad intentions of nation states, for example, offshore wind farms were mandated by the UK government to be recognised as critical national infrastructure in 2023.

WHAT HARM CAN A CYBER ATTACK INFLICT?

A typical cyber attack is more likely to target the software and data on the IT network of an organisation than the OT systems. The billing system of Colonial Pipeline in the USA is just one example of an operator having to shut down its asset. A more sophisticated, knowledgeable approach is required to attack an asset’s control systems and connected devices. The IT software is the first step onto a network. The hacker’s “surveillance” then moves across the network to identify the software of the control systems: first the SCADA system and then, by exploiting vulnerabilities, the devices controlling the plant.

A well-resourced group does not have to do the initial work to get onto a network, because there is a black economy in vulnerabilities. A “zero-day” vulnerability, for instance, is one that is not yet known to the vendor or the organisation, so an attack exploiting it is unlikely to be detected. Whereas a “good” hacker will inform the company to help them become more secure, a “bad” hacker can sell the vulnerability to the highest bidder on the dark web.

Once a bad actor has gained access to the control devices of an asset and is determined to inflict maximum damage rather than seek a monetary reward, starting a fire would be possible, for example by creating a fault at an HV transformer of a solar farm, wind farm or battery energy storage system. Furthermore, the attacker could conceivably take over a wind turbine generator’s controller and induce an overspeed of the blades great enough to create an excessive load on the tower structure and lead to the collapse of the turbine. Such incidents have occurred due to control system defects (for instance, Ref. 6), and therefore similar failures could be inflicted by a bad actor, although it is not clear whether any such incident has yet been caused by a cyber attack. Globally, many cyber incidents are not reported because publicly admitting that the organisation has known vulnerabilities could encourage further attacks.

An even more insidious hack is the “man-in-the-middle” attack. The attacker sits between the SCADA system and the OT devices and displays back to the control room what the operator would expect to be seeing, but it is a fake picture of what is happening on the plant. Meanwhile the attacker can corrupt data, for example electricity export meter readings, or inflict other damage, and the operator would be blissfully unaware. Such attacks are technically feasible and anecdotally believed to have taken place.

WHAT DOES THE REGULATOR HAVE TO SAY?

The regulatory framework

An operating company might take a view that if it was subjected to a cyber attack, the most likely outcome would be a financial loss, whether from paying a ransom or loss of sales due to interruption of the business, and that its insurance may cover most of the direct loss. The UK’s safety regulator, the Health and Safety Executive (HSE), however, regulates cyber risks under existing safety regulations, primarily the Health and Safety at Work Act 1974. Therefore, if it is reasonably foreseeable that a cyber threat can cause harm, then the risk must be reduced to a level that is as low as reasonably practicable (ALARP). A sophisticated cyber attack clearly has the potential to exploit vulnerabilities and take over control systems and devices. The cyber risk for energy transition assets must therefore be reduced ALARP.

In the UK, the energy infrastructure is regulated by The Office of Gas and Electricity Markets (Ofgem) as the competent authority. Ofgem regulates cyber risks through The Network and Information Systems Regulations 2018 (NIS). The regulations apply to operators of essential services that are critical to the economy and wider society and exceed the thresholds of 250,000 final customers or 2 GW generating capacity. NIS requires these operators to take appropriate security measures and report incidents that significantly impact the continuity of the services they provide. Subtly, NIS regulation 8(3) gives Ofgem the authority to designate an operator as providing an essential service even if it does not exceed the thresholds, where Ofgem believes an incident could have significant disruptive effects on the provision of the essential service.

Good practice

An ALARP approach to managing cyber risks must first comply with legislative requirements, approved codes of practice (ACOPs) and recognised standards and guidance, before moving on to considering additional risk reduction options that could further reduce the risk. Whilst there is no single, recognised good practice for cyber security, there are some very useful starting points:

  • The HSE’s Operational Guidance 86 was designed for COMAH sites and operators of essential services and written as guidance for HSE inspectors (Ref. 7).
  • Ofgem’s RIIO Cyber Resilience Guidelines were designed for the electrical generation and transmission sectors (Ref. 8).

Both focus on outcomes and are not prescriptive in how the outcomes are achieved, so a single approach can satisfy both. Further afield, the U.S. National Institute of Standards and Technology (NIST) has been at the forefront of developing comprehensive cyber security risk management frameworks, including the well-regarded Cyber Security Framework (NIST CSF). Internationally, the ISA/IEC 62443 series of standards defines practices for cyber security. The approach is a holistic one, bridging the gap between OT and IT, as well as between process safety and cyber security. As of early 2024, the IEC standards are only partly published, not yet complete and several years behind schedule.

WHAT CAN AN ORGANISATION DO TO MITIGATE THE CYBER RISK?

There is excellent guidance available to designers and operators to mitigate cyber risk. The cyber threat is constantly evolving, and it is hard to state with confidence that all attacks will be thwarted before getting onto the network. Ultimately, the goal is to be “secure-by-design”. This means that the design of an asset evolves in such a way that the cyber risks associated with its entire lifecycle are eliminated through design wherever reasonably practicable or, where that is not possible, are reduced to acceptable levels through the provision of effective mitigations. Secure-by-design increases cyber resilience by taking a consistent approach to building effective and proportionate cyber controls.

CONCLUSION

Energy transition assets are prime targets for cyber threats from individuals, criminal gangs or, in the case of critical national infrastructure, even nation states. There are many cases of operators shutting down their assets due to attacks on their IT systems. Sophisticated attacks can take over OT systems and initiate major accidents such as a fire or structural collapse. The UK regulatory environment requires the cyber risk to be reduced ALARP. There is well-respected, practical guidance available to help achieve this objective. Ultimately, the aim is to ensure the asset is secure-by-design.

The second article in this cyber security series will focus on the steps an organisation can take to create a cyber security programme, establish a cyber security management system, and undertake cyber risk assessments.

The third article will round off the series by addressing key organisational factors such as implementing the cyber security programme throughout the supply chain, addressing cyber security as part of a holistic security approach, and developing a proactive culture dedicated to maintaining cyber security.

References

  1. The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired, August 2018.
  2. Here’s the hacking group responsible for the Colonial Pipeline shutdown, Eamon Javers, CNBC, May 2021.
  3. H1 2023 – a brief overview of main incidents in industrial cyber security, Kaspersky ICS CERT, October 2023.
  4. Significant Cyber Incidents, Center for Strategic and International Studies (CSIS), April 2022.
  5. Cyber Threat Activity Related to the Russian Invasion of Ukraine, Canadian Centre for Cyber Security, June 2022.
  6. Screggah windfarm turbine collapse cause identified, BBC News, February 2015.
  7. Cyber Security for Industrial Automation and Control Systems (IACS), HSE OG-0086 (Operational Guidance), Edition 2, August 2021.
  8. RIIO-2 Cyber Resilience Guidelines, Ofgem, February 2020.