About a year ago, Colonial Pipeline, a major carrier of gasoline, diesel and jet fuel from the Houston area to the eastern United States, was hit by ransomware from a group calling itself DarkSide. When we hear about companies getting hacked, we usually think about the loss of personal information and credit card numbers. That is bad enough, but in the case of Colonial Pipeline it meant the company shut down its dual 5,500-mile pipeline network, which can carry up to about three million barrels of fuel per day. It later paid a $4.4M ransom to restore services.
The energy sector is particularly vulnerable to cyberattacks. This article looks at the reasons why, and at how standard security practices and increased awareness can help protect energy sector infrastructure against both state-sponsored and criminal groups.
Energy sector vulnerabilities
Unlike banks or large corporations, which tend to have centralized control over their assets, energy companies have a much harder time hardening their infrastructure. This is mainly due to the mix of geographic locations producing energy, combined with complex relationships with multiple third-party providers. Security experts refer to this as a larger “attack surface”: there are more ways in for attackers to cause disruptions.
While disruptions in other industries can be localized, the energy sector is also particularly vulnerable because of its close interdependence with other providers. A single attack that causes an outage in one geographic region can, for example, cause a ripple effect as the grid attempts to supply power to other regions. A catastrophic event such as Colonial Pipeline’s can cause not only a fuel shortage but a nationwide spike in prices.¹
Unlike most industries, energy companies’ vulnerabilities extend to both digital and physical infrastructure. Proper security therefore needs to cover not only traditional IT infrastructure but also “operational technology” (OT) infrastructure that can directly affect the delivery of energy to potentially millions of customers. The proliferation of “Internet of Things” (IoT) devices is driven in part by the desire to harvest and harness the data generated by OT equipment, and every such device enlarges the attack surface.
As an example, battery integrators, OEMs and operators typically manage a myriad of IoT edge devices. Here, IoT devices include OT systems such as battery management systems; string, block and site controllers; inverters; PLCs; data aggregators; SCADA hosts; and other battery energy storage system (BESS) equipment which, given the very distributed remote environments they are deployed in, lack the protection of a corporate firewall.
Modbus and SNMP are the protocols most often used to monitor and control a BESS, and both were designed without security in mind. Classic Modbus, whether serial or Modbus/TCP on port 502, has no authentication and no encryption: any host that can reach the device can read its registers and write setpoints or coil states. The newer Modbus/TCP Security specification wraps the protocol in TLS (on port 802) with mutual certificate authentication, but a large share of fielded controllers and inverters only speak the plain variant, so network segmentation and traffic monitoring have to compensate. SNMPv1 and v2c protect read and write access with nothing more than a cleartext community string, frequently left at the defaults of “public” and “private”. A device answering SNMP queries will hand over its vendor, model, firmware version and configured location, and a writable community string lets an attacker change its configuration or reboot it. Use SNMPv3 with authentication and privacy (authPriv) where the device supports it, and block both protocols at the site boundary.
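The following is an added example, not code from the original article or from any vendor: it parses Modbus/TCP frames and flags write commands that do not come from the site’s designated control host. The point it makes concrete is that the frame carries no credential at all, so the only places to enforce “who may write” are the network and a monitor like this one. The IP addresses and the frames are constructed for the example.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

# Modbus function codes that change device state. A request carrying one of
# these is a control action, not a telemetry read.
WRITE_FUNCTIONS: Dict[int, str] = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


def parse_modbus_tcp(payload: bytes) -> Tuple[int, int, int, Optional[int]]:
    """Parse one Modbus/TCP request into (transaction_id, unit_id, function, start_address).

    Note what is absent: the MBAP header is transaction id, protocol id, length
    and unit id, followed directly by the function code. There is no field for a
    password, key or certificate, so the device accepts the frame from anyone
    who can reach TCP port 502.
    """
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus" % protocol_id)
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function = payload[7]
    address: Optional[int] = None
    # Read and write requests for coils/registers all start with a 16-bit address.
    if function in (1, 2, 3, 4, 5, 6, 15, 16) and len(payload) >= 10:
        address = struct.unpack(">H", payload[8:10])[0]
    return transaction_id, unit_id, function, address


def flag_unauthorized_writes(packets: List[Tuple[str, bytes]], allowed_writers: Set[str]) -> List[dict]:
    """Alert on any write from a host outside the allow-list, and on malformed frames.

    Reads are deliberately not alerted here: a rogue read is still worth logging,
    but the action that can open a contactor or change a dispatch setpoint is the write.
    """
    alerts: List[dict] = []
    for src, payload in packets:
        try:
            _, unit, function, address = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append({"src": src, "reason": "malformed: %s" % exc})
            continue
        if function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append({"src": src, "unit": unit,
                           "function": WRITE_FUNCTIONS[function], "address": address})
    return alerts


# Hypothetical site: 10.0.1.5 is the SCADA/HMI host allowed to write; 192.168.50.23
# is a laptop that should only ever be reading. All frames below are constructed.
ALLOWED_WRITERS = {"10.0.1.5"}
SAMPLE_PACKETS: List[Tuple[str, bytes]] = [
    # HMI reads 10 holding registers from unit 1 (function 3): telemetry, fine.
    ("10.0.1.5", bytes.fromhex("00010000000601030000000a")),
    # HMI writes register 0x0010 = 1 (function 6): allowed writer, fine.
    ("10.0.1.5", bytes.fromhex("000200000006010600100001")),
    # Laptop writes register 0x0010 = 0: same bytes any client could send, not allowed.
    ("192.168.50.23", bytes.fromhex("000300000006010600100000")),
    # Laptop writes two registers starting at 0x0020 (function 16).
    ("192.168.50.23", bytes.fromhex("00040000000b0110002000020400000000")),
    # Laptop reads registers: not a write, so no alert from this rule.
    ("192.168.50.23", bytes.fromhex("00070000000601030000000a")),
    # Length field (9) disagrees with the frame size: malformed, alert.
    ("192.168.50.23", bytes.fromhex("00060000000901030000000a")),
]


if __name__ == "__main__":
    for alert in flag_unauthorized_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(alert)
```

In production the frames would come from a SPAN port or a tap on the OT segment rather than a list, and the alert would go to the SOC; the parsing and the allow-list logic stay the same.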
How the energy sector can improve cybersecurity
In another cyberattack on the energy sector, Ukraine’s power grid was taken down in December 2015, following Russia’s 2014 annexation of Crimea.² The Ukrainians learned from this event, and in subsequent years put in place robust systems built to withstand such assaults. There have been few reported successful cyberattacks on Ukrainian infrastructure since February 24th, when Russia’s invasion began. One outage reported in late March affected tens of thousands of satellite internet and communication subscribers.³ Overall, however, Ukrainian infrastructure has remained resilient to further attack.
What lessons can we learn from the Ukrainians? What best practices can we put in place to harden our own energy grid components? There are three attack vectors worth highlighting: inside jobs, social engineering, and Denial of Service attacks.
Inside jobs: In the 2015 Ukraine attack, systems were compromised by attackers with intimate knowledge of those systems. Backdoors, default passwords, and obsolete user accounts that system administrators fail to terminate can be used by former colleagues, contractors, and consultants to attack the systems of their former partners.
A battery farm operator may have a deep understanding of the grid and power demands, and substantial expertise in chemistry, meteorology, and physics, but not necessarily the same competence in data access and security. This becomes a problem when ad hoc applications built in-house lack basic security features. Such applications may seem the most expedient business solution at the time, particularly in the early stages of a company, but they become a major source of risk months or even years on.
Implementing full end-to-end production solutions often requires the assistance of technology partners. It is important for every company, but especially those involved in providing critical infrastructure, to know how third parties and supply chain partners treat access credentials and data security. In 2019, the Wall Street Journal published a detailed account of how Russian hackers exploited contractors to gain access to the American electricity grid. The report was titled “America’s Electric Grid Has a Vulnerable Back Door–and Russia Walked Through It.”⁴
When hiring consultants, how rigorous is the screening process? Are they evaluated only on their technical ability, or are their data management workflows also verified? Ask the consulting company for their NIST System Security Plan (SSP).⁵ If they don’t have one, or if they tell you it will take a month to deliver, you know you are not dealing with a company whose security policies have been audited recently or to any great degree.
The absence of a rigorous off-boarding procedure for personnel is another common “red flag” for battery integrators, OEMs and operators. System administrators need to be extremely vigilant in their security routines. It pays to perform external security audits, up to and including network penetration tests (pen tests) by “white hat” hackers who will find the weaknesses before attackers do.
Social engineering: Ukraine’s systems were compromised in part by malware that destroyed files and erased hard drives on workstations and servers.
The typical route for inserting such malware into a network is social engineering. Emails that appear innocuous, or seem to come from trusted sources, may contain links to pages where users are tricked into revealing their username, password, or other sensitive information. Emails may also carry attachments that look like ordinary Word documents or Excel spreadsheets but actually deliver malware that infects the computer. Networks can also be contaminated when infected laptops connect, or when infected USB sticks are inserted into company systems.
Combating such phishing attempts is among the toughest challenges in increasing cyberattack resilience. It only takes one weak link – one distracted or gullible employee among thousands – for attackers to establish a digital beachhead inside the organization.
Three remedies that build resilience against social-engineered attacks are as follows:
Enforce multi-factor authentication on all company user accounts. If passwords are reused, guessed or given away, the attacker still faces a much higher hurdle, since a validated mobile device, authenticator app or hardware security key is required to complete a login. Note that one-time codes and push prompts can themselves be phished; where the account guards control systems, prefer phishing-resistant methods such as FIDO2 security keys. For battery operators, give special consideration to code repositories (GitHub) and to the interfaces used to directly access block controllers, inverters, and at-site data aggregators. Applications and laptops used by field service teams should require two-factor authentication (2FA), as should shop floor applications and the formation testing and data aggregation devices on the shop floor.
Employ the “principle of least privilege,” meaning users get only the access privileges needed to complete their task, and everything not explicitly granted is denied. That means challenging your IT and software teams about Role-Based Access Control (RBAC),⁶ a common software feature used to enforce the principle of least privilege.
Ultimately, the best defense against social engineering is security protocols education and training. Not only should security protocols be in place, but people must also be regularly trained to follow them. For battery integrators, OEMs and operators, third party sub-suppliers and field service providers that enjoy certain privileges on your systems present a particular education challenge.
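As an added example that is not code from the original article, the following deny-by-default authorizer shows what the principle of least privilege and the off-boarding point above look like in software: roles map to a small set of named actions, an account is checked for being active before its roles are consulted, and a separate review function lists contractor accounts whose engagement has ended but which were never disabled. Role, permission and user names, and the dates, are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Each role carries the smallest set of actions that job needs. The names are
# hypothetical; a real deployment derives them from the site's actual control
# and data interfaces.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer":     frozenset({"telemetry:read"}),
    "field_tech": frozenset({"telemetry:read", "controller:diagnostics", "controller:firmware_read"}),
    "operator":   frozenset({"telemetry:read", "controller:setpoint_write", "inverter:dispatch"}),
    "admin":      frozenset({"telemetry:read", "controller:setpoint_write", "inverter:dispatch", "user:manage"}),
}


@dataclass
class Account:
    user: str
    roles: Set[str]
    employer: str                          # "staff" or the contractor's company
    contract_ends: Optional[date] = None   # contractors get an expiry date; staff do not
    disabled: bool = False                 # set by the off-boarding procedure


def is_active(acct: Account, today: date) -> bool:
    """An account is usable only if it was not disabled and its contract has not lapsed."""
    if acct.disabled:
        return False
    if acct.contract_ends is not None and today > acct.contract_ends:
        return False
    return True


def authorize(acct: Account, permission: str, today: date) -> Tuple[bool, str]:
    """Deny by default: allow only if the account is active AND a role grants exactly this permission."""
    if not is_active(acct, today):
        return False, "deny %s: account inactive" % acct.user
    granted: Set[str] = set()
    for role in acct.roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())   # an unknown role grants nothing
    if permission in granted:
        return True, "allow %s: %s via roles %s" % (acct.user, permission, sorted(acct.roles))
    return False, "deny %s: %s not granted by roles %s" % (acct.user, permission, sorted(acct.roles))


def stale_accounts(accounts: List[Account], today: date) -> List[str]:
    """Contractor accounts whose engagement ended but which nobody disabled.

    These are the obsolete accounts an off-boarding review should catch before
    a former partner uses them."""
    return [a.user for a in accounts
            if not a.disabled and a.contract_ends is not None and today > a.contract_ends]


# Constructed sample directory. TODAY is fixed so the results are reproducible.
TODAY = date(2022, 6, 1)
ACCOUNTS: List[Account] = [
    Account("alice", {"operator"}, "staff"),
    Account("bob", {"field_tech"}, "FieldCo", contract_ends=date(2022, 12, 31)),
    Account("carol", {"operator"}, "IntegratorX", contract_ends=date(2022, 3, 31)),  # lapsed, never disabled
    Account("dave", {"admin"}, "staff", disabled=True),                              # off-boarded properly
]


if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(authorize(acct, "inverter:dispatch", TODAY)[1])
    print("stale accounts:", stale_accounts(ACCOUNTS, TODAY))
```

The check on `is_active` runs before any role lookup, so a lapsed contractor is refused even though the operator role would otherwise permit the dispatch command; running `stale_accounts` on a schedule turns the off-boarding gap from a silent risk into a ticket.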
Denial of service attacks: Ukraine’s systems were also made unavailable through denial-of-service (DoS) attacks. Such attacks cannot be prevented entirely, so redundant systems should be put in place and tested periodically to ensure services do not stop completely while primary systems are under attack, and control and telemetry paths should not depend on a single internet-facing endpoint.
Battery integrators, OEMs and operators are particularly exposed if they do not manage these edge/IoT devices properly and with rigor. Edge devices typically hold a credential that lets them authenticate over the Internet to cloud systems, so a compromised edge device means a potentially compromised communication channel. Hardening the operating system and using technologies such as secure boot and on-disk encryption are vital steps to protect the integrity of these devices, and each device should carry its own credential so that a compromised one can be revoked without touching the rest of the fleet.
Energy sector cyberattacks increased from 101 in July 2019 to 874 in July 2020.⁷
Our journey with energy sector cybersecurity
To support data analytics for energy storage, we collect telemetry data from energy storage systems around the world, and have developed expertise in deploying IoT edge devices that are robust and secure.
Our customers in the Department of Defense and Department of Energy have extremely demanding cybersecurity requirements. Our engineering team receives dedicated training to ensure that their development environment and process are secure, and that we work on secure machines configured for maximum protection. All data is kept on FIPS 140-2 validated self-encrypting drives.
Securing the infrastructure that keeps the energy sector moving has never been more important. While the companies that handle our power and water needs have been subject to hacking for decades, energy storage companies are relatively new to the scene and their systems may not be battle-hardened. Given the lessons learned from previous attacks, the worsening situation in Ukraine, and the very real prospect of stepped-up cyberattacks on our energy infrastructure, battery integrators, OEMs and operators need to take steps now to make their facilities and systems more resilient. There has never been a better time to partner with a security-focused company like Peaxy to gain confidence that your systems are secure.