Alan Binning, regional sales manager at energy software supplier COPA-DATA UK, examines the potential disruption of attacks on energy generation facilities and explains why adherence to security standards is essential.
Protocols for cyber security in the energy industry are often limited to the prevention of data breaches. However, by infiltrating energy generation sites, hackers have the potential to cause much more damage than simply accessing confidential data.
According to predictions by security experts, British cities would be uninhabitable in a matter of days, should the National Grid ever be brought down by a cyber-attack.
In fact, experts named cyber-attacks as one of few ‘black sky hazards’ that have the potential to destroy the grid for a prolonged period of time.
Other hazards include naturally occurring threats such as earthquakes, solar storms and extreme terrestrial weather.
Another study, undertaken by the UK’s security services, predicted that the country would be just “four meals away from anarchy”, in the case of a blackout situation. Clearly, we are a nation reliant on the grid.
As the country embarks on energy transformation projects, investing in renewables, microgeneration sites and smart grids, some networks are increasingly vulnerable to attack. How can the energy industry protect its changing infrastructure?
Site responsibility
Britain’s energy grid has transformed. The integration of renewable energy means the country’s infrastructure must manage energy from various resources, creating a need for industrial automation and control systems to monitor the flow of energy.
Connecting substations, control panels and generation assets, like individual turbines and solar panels, control systems act as the central nervous system of the grid. However, this surge of connectivity leaves the grid vulnerable.
Back in 2015, Ukraine experienced blackouts linked to control systems of offshore wind farms.
Due to the isolation of these facilities, hackers were able to disrupt power by gaining access through Supervisory Control and Data Acquisition (SCADA) software.
The attack affected 225,000 homes and the grid took months to recover. So, who is accountable for security of these sites?
Arguably, operators should take responsibility. However, these operatives are already responsible for energy generation, control and monitoring of notoriously volatile sites.
Cybersecurity cannot be properly established without specialists in IT and automation and importantly, software that supports these security efforts.
Security by compliance
When choosing a vendor for grid or plant software, security should be a priority. However, operators can overlook the importance of ongoing security features — ensuring the software can protect from all threats, both today and in the future.
Consider the Ukraine cyber-attack as an example. The system was relatively secure. Control systems were well-segmented from business networks and were said to have robust firewalls.
However, the SCADA network that controlled the grid didn’t require two-factor authentication. This allowed hackers to gain access to credentials and infiltrate the system.
Due to the high-profile nature of the attack, two-factor authentication is now considered a standard requirement. However, as security measures continue to heighten, the sophistication of hackers will too.
Security features for energy grids cannot be static. Software should provide ongoing security updates throughout its entire lifespan.
Otherwise, it could be unable to protect against new, emerging or unfamiliar threats. For this reason, the energy industry should select vendors with IEC 62443 certification.
IEC 62443 provides a framework for closing security loopholes in industrial automation and control systems.
It is awarded to vendors that demonstrate comprehensive security management. However, as it requires reverification each year, the process holds vendors accountable for protecting against new and emerging threats.
The connectivity of today’s energy grids can create areas of vulnerability. To protect against attacks, energy providers and facilities managers at renewable sites must select software that has been developed with security in mind — and deploy their systems in accordance to the relevant security standards.
As Ukraine’s incident demonstrates, cyber-attacks in energy can be incredibly damaging. Considering Britain’s reliance on the grid, security cannot be an afterthought.