Risk of cyber security attacks on smart grid

Smart grids have been developing for the past decades as an important part of the energy ecosystem. From smart meters, smart appliances to renewable energy resources; energy has been provided through innovative technologies leading to a better control of consumption, use of data in real time and adjustments of energy flows for the main objective of an efficient management of the electrical network.

However, this quick development of smart grids coupled with IoT devices have brought the issue of cyber-attacks. From small viruses built by isolated groups to massive and complex cyber-attacks done by states and bigger entities; electrical power stations and nuclear facilities have shown breaches that governments must deal with.

This article gives an overview of smart grids in the Energy Sector, cyber-attacks that happened the past decade and finally the solutions set up by governments and companies to secure the electrical grid.

Smart grids have been an important part of electricity networks; including different tools such as computer science technologies and connected devices. It has helped optimize production, distribution, consumption and storage of energy.

The introduction of computers and complex devices to modernize the electric grids has opened breaches of security leading to cyber-attacks that use computers vulnerabilities to penetrate networks.

In 2007, the spectacular attack of the Iran nuclear power station has slowed down the main development of nuclear energy in the country. Developed by a hostile state, Stuxnet was a powerful and structured virus that was able to infiltrate industrial programmable automatons which control electrically the centrifuges in the Natanz uranium complex[i]. It was able to slow down and even block completely the activity of a large part of the uranium enrichment process.

December 25, 2015, in a civil war context, an electrical power station in Ivano-Frankivsk In Ukraine suffered from a cyber-attack that put 80 000 persons in the dark[ii]. This attack was done using spearphishing and a Trojan horse called BlackEnergy which was able to delete data, destroy hard drives and take control of infected computers. It went further after attacking utilities equipment as it launched a coordinated Denial-of-service attack on the support phone number of companies who manage the power station. Consequently, users couldn’t reach the support to warn about the breakdown[iii].

2017 have known an increase of cyber-attacks which grew even more in 2018 as described by the United States Department of Homeland Security; from Russian infiltration into American Electrical network to more than 4300 cyber-attacks of the French network (Electricity Transmission Network known as RTE).

This has opened an era of intense cyber-attacks which were beyond isolated viruses and extremists’ hacker groups. States and organized entities are behind attacks against electrical networks which can lead to blackouts and even the destruction of facilities.   

The more smart grid networks have become connected though connected devices, the more breaches were opened for potential attacks. SCADA (Supervisory Control and Data Acquisition) which are automated systems that control and monitor a site equipment in a centralized way were used for example during the Stuxnet attack.

Mainly, there a different type of attacks which result in consequences that can harm from a single smart meter to a large perimeter in a smart grid or even theoretically a whole country. Complex viruses can attack at different levels:

• Sensitive data theft (such as nuclear plant architecture) to be sold in the black market or to enemy countries.
• A deep setup in systems to control or monitor them.
• Disruption of Energy availability (interruption or electricity black outs).
• Destructive attacks such as viruses that can lead a generator to destroy itself (which happened in Kiev in Ukraine and Tasnee in Saudi Arabia).

Even though the probability of a blackout affecting a whole city or country is low, the consequences of a smaller scale cyberattack could affect a country financially and impact its stability. The situation wouldn’t be then controllable.

Governments must then anticipate by implementing measures to face these threats.

To overcome the increase of cyber-attacks, the European Network and Information Security Agency (ENISA) has included in their scope of security in 2016 the IoT devices. Despite their limited budget, the risk is taken seriously as a hacking and cyberattacks could cost between 243 billion euros up to more than 640 billion euros in case of massive blackout.

Governments are now seeking solutions to face this threats for European Utilities. As mentioned by Massimo Rocca, head of information security at Enel Italy, IT security infrastructures identified more than 100 000 events a day[iv]. It is then a complex issue to understand if an event is a common incident or a serious security attack.

A first step was to implement new technical standards such as IEC 62351 (which include the authentication of data transfer through digital signature) but the limited budget and a lack of expert in cyber-security require a larger cooperation between governments and between the private and the public energy sector. In a larger scale, there should be a common work with peers and European agencies to have a better response to cyber threats which have become more complex and harmful to utilities.

In the other side of the Atlantic, The US electric grid is also facing serious cyber-attacks as it has become more and more dependent on internet operations. The Federal Energy Regulatory Commission manages the cybersecurity, standards and controls systems for the interconnected grid but it doesn’t include in its scope all the investor-owned utilities. There is then no global common security rules for all utilities stakeholders.

However, many states and private companies have taken the lead in cyber protection. For example, Baltimore Gas and Electric shares regularly data related to cyber-attacks with industry and government partners. Duke Energy works closely with local and national institution for law enforcement concerning cyber threats[v]. Other examples include the state of New Jersey where utilities are required to identify cyber risks and report incidents.

Similarly to Europe, the US government lacks on cybersecurity standards. However, the National Institute of Standards and Technology’s Cybersecurity framework and reports serve nowadays as a helpful ground for improvement. Companies Raytheon and Utilidata which provide power utilities are now adding layers of security to protect customers’ data and the network and also block unacceptable sites.

The rise of internet connected devices in smart grids has brought great improvement in many levels from better control of consumption to optimization of production, it has allowed Utilities partners to provide electricity with better control and lower prices. However, Internet have brought with it viruses thus cyberattacks which can penetrate smart grids. From small viruses with no direct impact to bigger and complex attack that can lead to the destruction of complex, the threat has become serious and a complex issue for the Energy sector.

A global cooperation must be setup, weather thought Federal agencies in the United States or a pan-European commitment in existing agencies, this will allow to secure electricity accessibility and not be compromised and threaten for a whole country.

Authors : 
- Patrice Mallet, Manager
- Hicham Kadiri, Consultant